← All writeups

Writeup for GDGoC BPDC OSINT Challenge 2025

#OSINT#GDGoC#BPDC

This was a special challenge that required a deep dive into OSINT techniques. It tested not only my technical skills but also my ability to think critically and creatively.

Step 1 — geosint

It started with geosint.

Target photo

Looking at the text in the image, it’s Japanese, and it’s next to a Repark (coin parking) site.

Zooming in on the no-smoking sign reveals small, but readable, text at the bottom: “Shinagawa City.”

After some digging through Street View, you can find the location: “Repark Osaki 2-Chome #2.”

Street View

Dropping the camera position into what3words:

what3words

…returns averts.safe.cake.

Submitting that at https://gdg-osint.vercel.app/ lands us on a blog:

Blog

Step 2 — Source Code Hint

Nothing on the page was clickable. Viewing the HTML source revealed:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <!-- TODO add twitter link manofthoug44999 -->
    <title>My Random Blog Archive</title>

Step 3 — Twitter Clues

Checking that Twitter account, there were three posts:

Twitter

  • The first image is easy to find but isn’t the solution.

  • The second post says:

    “Every beat has a story. Look into the rhythms I’ve shaped and find the whisper of my truth.”

  • The third post contains the string: 31t4cpkzsaotactlc2texgaqjil4.

Thinking it through, the second post hints at music, and the third string turned out to be a Spotify account ID/username. That was the key.

Spotify

Step 4 — Spotify Playlist

Looking through the account, there was a playlist. I tried a bunch of approaches encoding track durations to hex, taking characters from track titles, etc. but nothing worked.

Then I checked Spotify’s web responses for the playlist/account. After some digging, the playlist description contained hidden Unicode escapes:

Unicode

Decoding them revealed the username manofthought163.

Step 5 — Pivot to Other Platforms

Searching that username on other platforms led to Pinterest:

Pinterest

It had a fake flag. I downloaded the image the top and bottom artifacts caught my eye. I suspected stego and tried a few things but found nothing.

About to give up, I checked other social platforms and found the same user on Instagram:

Instagram

Checking the Highlights revealed the actual flag:

Flag highlight

Flag

GDG{you_found_me}

(Pretty guessable, lol.)