Table of Contents
- Introduction
- Cracking the PDF Password
- Reading the PDF — Finding the Full Name
- Username Enumeration — Starting with
vitrinefox - Investigating the X (Twitter) Account
- Investigating LinkedIn (via Linktree)
- PCPARTPICKER — Dropbox Link Discovery
- PDF Metadata — Finding the Real Name
- Checking the Archives
- Back to Sherlock — OpenStreetMap
- Creating an Account — Trying Logged-In Search
- Finding the Travel Location on X
- The “Builder” Challenge — PCPARTPICKER Flag
- The Final Extra Flag — OSM Tags
Introduction
This is a writeup for the OSINT challenge from CTF@CIT 2026, where our team Mont5ab El2hwa managed to take 1st place 🏆out of 1100+ teams!
The challenge was built around a password-protected PDF. Along the way we picked up flags from challenges we hadn’t even opened yet — which made for an interesting solve path.
This writeup was a team effort. Without them, half of this wouldn’t have happened — or at least would’ve taken twice as long. Big credit to:
Cracking the PDF Password
The first thing we had was this PDF — we needed to crack the password.
pdf2john VF0000000011-Enc.pdf > pdf.hashhashcat -m 10700 pdf.hash /usr/share/wordlists/rockyou.txt -OPassword:
cherell
Reading the PDF — Finding the Full Name
After opening the PDF, we started reading and looking for anything that leads us to what’s required. First: the full name.
Page 1 
؛Page 2
This was the most important point:
Online Handles Observed• vitrinefox• vitrine_fox9• foxinglass• salledenonghostUsername Enumeration — Starting with vitrinefox
Let’s filter the Sherlock results. The first valid result from Sherlock is:
That’s a good finding.
From Linktree, we now have:
Investigating the X (Twitter) Account
This is all that’s on the account:
First thing — the bio:
Nothing important.
Second thing — the profile image:
.jpg){kind=link}
This confirms we’re on the right track — this is the house of da Vinci in Vinci.
Nothing else important on this account. The profile picture was clearly AI-generated.
Investigating LinkedIn (via Linktree)
Nothing interesting — just a confirmation that this is the correct username.
PCPARTPICKER — Dropbox Link Discovery
Third link from Linktree: https://pcpartpicker.com/user/vitrinefox/
A link to Dropbox was found:
Potential flag found:
But wait — we need his name; the flag isn’t this one, and it also returns incorrect when submitted.
We felt something was wrong after a bit of thinking and searching everywhere. We asked the admin — he confirmed this flag belongs to another part of the challenge.
PDF Metadata — Finding the Real Name
We found in the file’s metadata:
Uploaded by Remy BeauvillierThat’s what we’re looking for — the name.
The Curator’s Exit - Part 2
Checking the Archives
The hint we had was “Check the archives.” We tried checking X with:
Nothing found.
Back to Sherlock — OpenStreetMap
Going back to the Sherlock results — we had reached Linktree but there was still more:
That’s the second valid result.
What’s in the edits?
A potential flag was found. Is this what’s meant?
No — it turned out to be incorrect. We asked the admin whether this was part of our challenges or if a player created this account as a distraction. He confirmed it belongs to the OSINT challenge legitimately.
Creating an Account — Trying Logged-In Search
After a few more attempts, I decided to create an account — maybe it shows different results when logged in. Nothing found either.
I noticed the way we were pulling accounts by @username, so I thought I’d try it directly — maybe he has an account that wasn’t appearing in normal search results.
Finally, the flag:
The Curator’s Exit - Part 3
We confirmed there is an OpenStreetMap account — so this must be the flag, since it’s the only flag related to a location from the extra flags.
Since the required format is CIT{City_Country} — is this a hint to determine the location from the map, or is there a platform issue?
We asked the admin — he said no, that’s not the flag! We tried identifying the location on the map — it turned out to be the university hosting the CTF.
Finding the Travel Location on X
We went back to check if there’s anything related to travel. Yes — on X, he was planning a Vacation.
The flag is that location — and we actually knew it from the beginning (the da Vinci house image). We just needed to confirm the City and Country with a simple search.
CIT{Tuscany_Italy}The Curator’s Exit - Final
The “Builder” Challenge — PCPARTPICKER Flag
“Our friend is something of a
builder, can you find the final flag?”
The flag is definitely from PCPARTPICKER Third link from Linktree:
CIT{N0t_ev3ryth1ng_i$_s3cur3}The chain is done — but we still have one extra flag from OpenStreetMap that we confirmed doesn’t belong to our current challenges.
The Final Extra Flag — OSM Tags
We only had two challenges left:
- One with a food image requiring identification of the dish name — definitely not it.
- The other challenge ‘Cartographer’s Secret’:
We had nothing to lose by trying:
CIT{ch3ck_th3_OSM_t4gs}CORRECT!!!!!!
Some information may be outdated