Welcome. SecretCorp is a deliberately leaky, made-up company created by Omar Santos to help you learn Open Source Intelligence (OSINT) and passive reconnaissance the way real analysts and ethical hackers do it - one breadcrumb at a time.
Your job: enumerate the subdomains, decode the clues, follow the trail, and discover what SecretCorp doesn't want public. Nothing here is real - but every technique you will use is.
The first clue is right here, in plain sight. Real OSINT often starts with something obvious that most people walk past.
Are you familiar with Base64? Use your favorite tool (or the one below) to decode the value and follow it.
aHR0cHM6Ly9zZWNyZXRjb3JwLm9yZy9oaW50cw==
Tip: in a terminal you can run echo "...string..." | base64 -d.
SecretCorp has several subdomains. Find them all using only public sources - no scanning, no brute force.
Use Certificate Transparency logs (crt.sh, censys.io) to surface issued certs.
Use DNS tooling (dig, dnsx, amass).
Search site:secretcorp.org in your favorite engine.
When you find the lab guide, you will get a checklist of what to look for next.
Every card below maps to a real-world skill used by ethical hackers, threat intel analysts, and defenders.
Use Certificate Transparency, DNS, and search engines to map an organization's public footprint.
Find published email addresses, naming conventions, and points of contact for targeted phishing tests.
Craft search operators that surface configs, indexes, exposed docs, and information leaks.
Inspect images, PDFs, and Office docs for authors, GPS coordinates, software, and editing history.
Query continuously-scanned datasets to find exposed services, banners, and weak configurations.
Build org charts from public profiles, conference talks, and code commits without engaging the target.
Real OSINT analysts live in the terminal. These short snippets are everything you need to begin.
Every TLS certificate ever issued for a domain is publicly logged. crt.sh is a free, queryable mirror.
curl -s 'https://crt.sh/?q=%25.secretcorp.org&output=json' \
  | jq -r '.[].name_value' \
  | tr ',' '\n' | sort -u
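As an added example (not code from the SecretCorp site or from Omar Santos's tooling), here is the crt.sh parsing step in Python with the cleanup the one-liner skips: wildcard entries, mixed separators, case, and a lookalike name that merely contains the scope. The JSON is a constructed sample in the shape of crt.sh's `output=json` response, not real data.

```python
import json

# Constructed sample in the shape of crt.sh's ?output=json response (not real data).
# Real entries carry several SANs in one name_value, separated by newlines.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "secretcorp.org\nwww.secretcorp.org"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "*.secretcorp.org"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "Mail.SecretCorp.org,vpn.secretcorp.org"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "secretcorp.org.lookalike.example"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "dev.secretcorp.org"},
])


def ct_subdomains(crtsh_json: str, scope: str) -> list:
    """Return sorted, de-duplicated hostnames from a crt.sh JSON dump that
    are really inside `scope` (the apex itself or a label below it)."""
    scope = scope.lower().strip(".")
    found = set()
    for entry in json.loads(crtsh_json):
        # Split on both separators: crt.sh uses newlines, some mirrors use commas.
        for raw in entry.get("name_value", "").replace(",", "\n").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                # A wildcard cert shows the apex is in use but names no host.
                name = name[2:]
            if not name:
                continue
            # Suffix check on a label boundary: "secretcorp.org.lookalike.example"
            # must not match just because the string contains the scope.
            if name == scope or name.endswith("." + scope):
                found.add(name)
    return sorted(found)


if __name__ == "__main__":
    for host in ct_subdomains(SAMPLE_CRTSH_JSON, "secretcorp.org"):
        print(host)
```

Feed it the body of the curl call above in place of the sample to get the same list the jq pipeline produces, minus the wildcard and out-of-scope noise.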
Take a list of names and see which are alive (without aggressive scanning).
cat subdomains.txt | dnsx -silent -a -resp-only
cat subdomains.txt | httpx -silent -title -status-code
Look for exposed documents, login portals, and forgotten subdirectories.
site:secretcorp.org filetype:pdf
site:secretcorp.org inurl:admin
site:secretcorp.org intitle:"index of"
"@secretcorp.org" -site:secretcorp.org
A single PDF or image can leak the author, software version, and even GPS coordinates.
exiftool report.pdf
exiftool -a -G1 -s photo.jpg
Find banners and open ports without ever sending a packet to the target yourself.
shodan search 'hostname:secretcorp.org'
shodan search 'ssl:"secretcorp"'
shodan host <ip>
You will see encoded strings everywhere - in HTML comments, tweets, paste sites, even URLs.
echo "aHR0cHM6Ly9zZWNyZXRjb3JwLm9yZy9oaW50cw==" | base64 -d # → https://secretcorp.org/hints
If you enjoy this challenge, here are the resources I maintain and update most often.
My curated hub of live trainings, books, video courses, and labs covering AI security, ethical hacking, DFIR, and more.
ai-cyber-training.com
Thousands of resources on ethical hacking, bug bounty hunting, AI security, exploit dev, reverse engineering, and DFIR.
hackerrepo.org
A hands-on learning environment with intentionally vulnerable apps, Kali/Parrot tooling, and 500+ exercises.
websploit.org
Cloud-based labs - nothing to install. Practice OSINT, web attacks, and incident response in a real browser.
hackingscenarios.com
My personal blog with deep-dives on offensive security, tooling, and applied AI for cyber defenders.
becomingahacker.org
A tool I built to extract useful information from Certificate Transparency records - perfect for subdomain enumeration.
OSINT works on publicly available information. The techniques on this site must always be used ethically and within the law. Practice on SecretCorp, on bug bounty scopes, on your own assets - never on targets you don't have permission to test.