kashiCTF 2026 - Burnt Ashes
An investigator recovered a Linux disk image from a manuscript ward workstation in Varanasi. The drive appears normal, but operators suspect hidden transfer records were concealed using layered steganography and encryption workflows.
Initial Exploration
The provided disk image (kashi_ritual_ledger.img) is an
ext4 filesystem.
1 | ❯ file kashi_ritual_ledger.img |
Exploring the filesystem reveals several key files: -
challenge_runtime.json: Metadata containing passphrases and
AES parameters. - /home/pandit_ved/: User home directory
with Pictures/ward_scans, Notes, and a hidden
.archive_payloads folder. -
/deleted_mail_pool/: Contains .eml files
discussing “passphrase doctrine.”
Metadata Analysis
Reading challenge_runtime.json provided the following
stages: - Stage 1 Steg Passphrase:
trishul-lantern-braid - Stage 2 Steg
Phrase: ghat-manjari-copper-owl
Notes in home/pandit_ved/Notes/ritual_index_notes.md
hinted that the “hidden ledger capsule is in one scan that does not open
with the standard (Stage 1) phrase.”
Steganography Extraction
There were four BMP scans in the ward_scans directory.
Using steghide with the Stage 1 passphrase:
1 | for f in /mnt/kashi_ledger/home/pandit_ved/Pictures/ward_scans/*.bmp; do |
While most contained decoy files,
scan_midnight_index.bmp failed, indicating it required the
Stage 2 passphrase:
1 | steghide extract -sf scan_midnight_index.bmp -p "ghat-manjari-copper-owl" |
Locating the Flag
The extracted stage2_ledger.enc matched a file in the
hidden .archive_payloads directory. A corresponding
.txt file was also present:
1 | cat /mnt/kashi_ledger/home/pandit_ved/.archive_payloads/stage2_ledger.txt |