Specter I — OSINT
Live
Fourteen levels. Passive intelligence at professional grade. Built for operatives who will be asked to investigate real targets, not pass a quiz.
Briefing
Most OSINT training stops at typing queries into search engines — ten percent of the job. The other ninety — source independence, calibrated confidence, OPSEC against a target who counter-investigates, defensible documentation — is where professionals live and where almost no public course goes.
Specter I goes there. By the capstone, your findings hold under legal scrutiny, your tradecraft survives adversarial counter-intelligence, and your report meets Berkeley Protocol standards.
What makes this different
- Operational discipline graded throughout. EXIF leaks, persona-real-account cross-pollination, query timing patterns — all detected and scored. No other training treats analyst OPSEC as a graded outcome.
- Adversarial targets. From level twelve onward you face counter-intelligence: canary tokens, dangle accounts, watermarked documents, fake leaks. Detect the trap or trip the alarm.
- Calibrated confidence required. Every claim from level four onward carries a word-of-estimative-probability rating (Admiralty A1–F6). Overconfident wrong answers cost more than honest uncertainty.
- Berkeley Protocol report at graduation. The capstone requires a written intelligence package with chain of custody, source documentation, and alternative-hypothesis consideration. Defensible methodology, not just a flag.
- Quarterly errata, public dashboard. OSINT tools rot fast. Twitter API, CrowdTangle, half of 2018's stack — all dead. Our errata page is public; we re-shoot levels when the underlying primitive shifts. No 2018 advice in 2026 wrapping.
Toolkit
Every Specter I ephemeral ships with the core OSINT/recon toolkit pre-installed. No package install required, no internet to PyPI from inside — everything you need to solve the level is on disk when you connect.
- HTTP & download: curl, wget
- DNS & whois: dig, nslookup, whois
- JSON & YAML: jq, python3 -m json.tool, python3-yaml
- Text & viewing: cat, less, head, tail, grep, awk, sed, sort, uniq
- Files & search: find, file, xargs
- Net diagnostics: nc (netcat), ip, ss
- Code & scripting: git, python3, python3-requests
- Editors: vim, nano
Level-specific additions: L6 ships exiftool + imagemagick for image forensics; L7 adds python3-pil for synthetic-media analysis; L10 adds binwalk, gnupg2, openssl, and routes via per-spawn Tor side-cars. Each level's brief lists what is additionally available.
Verifier: every level ships a local /opt/verify-<slug>.sh (e.g. /opt/verify-paper-trail.sh, /opt/verify-image-geo.sh) that consumes the evidence files described in the brief and prints either findings or the level flag. Per-player flags — sharing them won't unlock anyone else's chain.
SSH access
| Host | 204.168.229.209 |
| Levels L0–L13 | ports 2230–2243 (one per level) |
| L0 entry user | specter0 |
| L0 password | bootstrap token (below) |
From L1 onward: solve the level, take the flag the verifier prints, and submit it in the console above. The response gives you the next level's SSH password. Flags and passwords are per-player.
Each SSH connection spawns a fresh ephemeral container; disconnect tears it down.
Levels
| # | Level | Points | Operatives | First Blood | Status |
|---|---|---|---|---|---|
| Act I — Foundations | |||||
| 0 | Paper Trail | 400 | 17 | — | |
| 1 | Search Engine Operator | 500 | 10 | — | |
| 2 | Code & Secret Hunting | 600 | 7 | — | |
| 3 | JS Recon & API Discovery | 700 | 7 | — | |
| Act II — People & Tradecraft | |||||
| 4 | People Recon — Source Independence | 800 | 7 | — | |
| 5 | Sock Puppet Operational Tradecraft | 900 | 6 | — | |
| Act III — Image & Synthetic Media | |||||
| 6 | Image Geolocation & EXIF Discipline | 1000 | 5 | — | |
| 7 | Reverse Image & Synthetic Media Detection | 1200 | 5 | — | |
| Act IV — Deep Investigation & Capstone | |||||
| 8 | Travel Pattern Reconstruction | 1300 | 4 | — | |
| 9 | Corporate Intel & Supply Chain | 1400 | 2 | — | |
| 10 | Dark Web Intel | 1500 | — | — | |
| 11 | Telegram & Encrypted-Channel Intel | 1600 | — | — | |
| 12 | Adversarial OSINT | 1800 | — | — | |
| 13 | Full Engagement — Berkeley Protocol Report | 2500 | — | — | |