Hi, I’m Gr3yG05T from team 4GUN7UK. Yea, 4GUN7UK, you are going to hear this name more often as I’m going to cover more CTF stories from now on (it spells ‘Aguntuk’, by the way). There will be some storytelling going on, as I write in a way that resembles my thought process when solving the challenges. Those of you who came just for the solution should head over to the end, where I summarized the findings. So, let’s begin!
So, MIST Cyber Drill 2025 was a national-level CTF in Bangladesh organized by the Military Institute of Science and Technology (MIST) and the Bangladesh Telecommunications Regulatory Commission (BTRC). This was the first round of the event, and the finale will take place onsite at MIST campus. Yeah, we qualified, securing the 23rd spot.
There was a total of 6 OSINT challenges in the preliminary round, where I solved 5 of them. One thing to mention here is that for the first 4 challenges, the description will be the same. Yeah, I know it sounds a bit weird, but according to the organizer, I need to find both the QUESTION and the flag of the challenges, they were like “If you are really good at OSINT go find your flag without any instructions & questions” xD. Organized by a government body, so not that much unexpected! Let’s start the solving :)
Upon clicking the link provided in the description, it takes us to an email body
It was a blackmail letter, highlighting their bitcoin address, email address, a public key, and a pastebin link. The pastebin link will be our main point of focus. I visited the pastebin and found the breach sample. There was a total of 3 pastes in the account, where one of them being password protected. But there was another thing that caught my eye.
The threat actor has posted an X (Twitter) profile in the comment. I visited the link, which took me to a profile named Rayan Walton
I quickly explored the profile to find anything related to our challenges. I came across another pastebin link in the profile, with a comment that seemed to be some sort of password.
Looks like we are on the right track!
I visited the link, it was a password-protected pastebin, I inserted the passphrase we found from the X post, and… It didn't work! I tried multiple times, the outcome was the same. I shifted my focus to something else.
There was a picture posted on the profile, picture of a landmark.
I doubted it at first glance, as landmarks posted in any social media OSINT challenge normally lead to a reverse image search to find their name or some Google Maps review containing the flag. This one didn’t seem any different.
The name of the hotel was clearly visible in the picture. I Googled the name and went to the Google Maps page of that place. As expected, I found the flag in the reviews.
OSINT 002: WTISD{osint:geo-location}
The review was posted from an account named Cyber Magneto. Umm, Cyber Magneto, the name sounds familiar. I saw the same name on some of the reposts on the Twitter account that we found earlier. Rayan Walton reposted many posts from a Twitter handle named TheCyberMagneto, and the profile picture is the same too! At first I thought it was randomly reposted, but now that I know it is connected to our challenge, I started to dig deeper.
Upon exploring, I found a similar post featuring a pastebin link and a passphrase next to it, just like in the previous profile.
I visited the link here again and BOOM! It worked this time. I got access to the pastebin and found the flag.
OSINT 001: WTISD{osint:paste-site-monitoring}
It was the same pastebin of the attacker’s account that we found locked at the beginning.
This was the end of my winning streak. I went over the profile many times, checked every post one by one, but didn't find any logical link. I was thinking about some other way around. Username enumeration didn't bring anything new to the table, so I started simply Googling.
I started with a simple intext:”TheCyberMagneto” query and found a Reddit post in my search results. It was him, TheCyberMagneto.
This account didn’t come out through the username enumeration, but I found the profile through dorks. I found a GitHub profile along with his X (Twitter) account linked to the Reddit account. The X account was the same as before, but the GitHub profile was something new. I immediately rushed to the GitHub and found 3 repositories.
I started checking them one by one. The adrenaline rush was going crazy, I was going through everything, and then I found two gems. The first one was in the Threat-Report-0001–2025-Public repo. If you visit the repo and go to the file named Initial Access Vector Identified in PhantomCiphers Ransomware Campaign Targeting CyberABCLab, you will find our 3rd flag.
OSINT 003: WTISD{osint:social-media-analysis}
Our 4th flag was in the next repository, named CyberABCLab_Breach_by_PhantomCiphers, within its Internal Project Document Snippet directory.
OSINT 002: WTISD{osint:branch-analysis}
Now, the cherry on top: the last challenge.
Umm, a name? A real name? A real person’s name? We came across many names in our investigation, but most of them were codenames like PhantomCipher, TheCyberMagneto, JonathanMeyer etc. Only one name felt like a real name to me, RAYAN WALTON, yeah, the first Twitter account that we found. I thought of Jonathan Meyer before it, but honestly, the profile picture was a fake hacker image that didn’t give me a legit vibe. On the other hand, I had misused all three attempts of the first challenge and was not ready to lose more. So I submitted Rayan Walton in the flag format wrapping, and.. it was CORRECT! This last challenge had the most points, with surprisingly the lowest difficulty.
OSINT 06: WTISD{osint:rayan-walton}
I started with a ransom mail which led me to a pastebin. From the pastebin comment, I found a Twitter account (RayanWalton) that had a picture of a hotel posted. In the Google Maps review of that hotel, I found my first flag [2]. The account that posted the review had a Twitter account (TheCyberMagneto) where I found another pastebin link posted alongside a password. This pastebin gave us our next flag [1]. I found a GitHub account from a Reddit account associated with the TheCyberMagneto username. In that GitHub account, I found our next 2 flags [3] & [4]. The last flag was the name of our first found Twitter account [6].
This is the end. I hope you liked my write-up! Be sure to check my other papers out. I just started my writing journey, a follow would be much appreciated. You can always reach me through @Gr3yG05T anytime.
Until the next hack, Goodbye :3