Home > Writeups > DEADROP Misc 1 - BURNED ASSET PROFILE

DEADROP Misc 1 - BURNED ASSET PROFILE

A burned agency asset left a digital footprint. Follow the alias trail from a classified profile document to a LinkedIn lookalike, to a fake GitHub profile, to a commit where he accidentally pushed something he shouldn't have.

Date: March 01, 2026 Category: Misc Difficulty: Easy Views: 9
Tags:
osint github linkedin social-media reconnaissance DEADROP

BURNED ASSET PROFILE

Challenge Description

SUBJECT: VANE, Marcus Elliot. STATUS: BURNED. ALL CONTACT SUSPENDED. **https://deadrop.two-shoes.org/osint/...

We're given a single text file: a classified personnel dossier on a burned agency asset. No server, no binary, no crypto. Just a document and the instruction to find whatever he left online.

Reading the Profile

The dossier is thorough by design. Most of it is lore. The actionable section is under DIGITAL FOOTPRINT:

Subject maintains a deliberately minimal digital presence.
However, the alias "m_vane_81" has been observed across professional
networking platforms consistent with his cover occupation.

SIGINT assessment notes that subject may have established a code
repository under this alias. Analysts believe it contains operational
material posted in error prior to his burn notice. Repository has
NOT been sanitised, subject was unreachable after 1983-09-12.

Recommend full sweep of subject's known digital aliases across:
  - Professional networking platforms (cover: meteorology consultant)
  - Code hosting platforms (known interest: signal processing scripts)

Two platforms. One alias: m_vane_81.

Hop 1: LinkedIn

Professional networking platform, cover occupation meteorology. Try the obvious URL pattern (it is important to note that most URLs will use - in place of _ for readability):

https://deadrop.two-shoes.org/osint/linkedin/m-vane-81

The profile is a convincing fake LinkedIn page for Marcus Vane, meteorological research consultant, University of Washington graduate, Seattle-based. His bio mentions:

"I maintain a small collection of signal processing utilities and analysis scripts. You can find some of them at mvane81 on the usual code hosting platforms."

And the sidebar lists: Websites → Personal Scripts · mvane81 → Code hosting platform

Username for the code platform: mvane81 (note: no underscores).

Hop 2: GitHub Profile

https://deadrop.two-shoes.org/osint/github/mvane81

Styled fake GitHub profile. One pinned repo: wx-signal-tools. Description:

"Frequency analysis and anomaly detection utilities for meteorological array data. Bash + Python. Work in progress, some scripts are unfinished."

README says: "Pushed in a hurry before a job handoff so some commits are messy. Check the commit history if something looks wrong."

That's the hint.

Hop 3: Commit History

https://deadrop.two-shoes.org/osint/github/mvane81/wx-signal-tools/commits

Six commits listed across four days in September 2023. Most are innocuous: initial commit, add frequency analysis module, cleanup before handoff. But one stands out:

[c1d3a88] WIP array_cal, do not push, NOTE TO SELF: CREDS
            accidentally committed with credentials, see full message

Click to expand the full commit message:

commit c1d3a88f2b09e44c17d91f0a36c25b8e4d7f1039
Author: Marcus Vane <m.vane@wx-consult.net>
Date: Sun Sep 10 23:47:12 2023 -0700

    WIP array_cal, do not push

    NOTE TO SELF: pushed by accident before the handoff.
    contains the auth token I used for the NW array session.
    need to rotate before anyone sees this.

    token: DEADROP{osint_ghost_hunt_complete}

    - M

The flag is framed as an accidentally committed auth token that Marcus never got around to rotating because his burn notice came through days later.

Key Takeaways

1. Aliases leak across platforms. m_vane_81 in the dossier maps directly to LinkedIn and mvane81 on GitHub, a small transformation that's trivially guessable once you have the base alias. Real OSINT pivots work exactly this way: usernames are often reused or varied predictably across services.

2. Commit history is permanent. Even after a repository is "cleaned up," deleted commits can persist in forks, caches, and indexing services. In the real world, secrets accidentally committed to a public repository should be treated as permanently compromised, rotating the credential is necessary but not sufficient.

3. README hints are breadcrumbs. "Check the commit history if something looks wrong" is the nudge players need to stop reading files and start looking at git history. Real OSINT subjects often leave unintentional breadcrumbs in profile text, bio fields, and repository descriptions.

Flag

DEADROP{osint_ghost_hunt_complete}

< Back to All Writeups

ma1ice@ctf:~/writeups$ cat deadrop-misc-1-burned-asset-profile.md | wc -l

Published 2026-03-01 • Misc