Shakti CTF is a female-only CTF developed by a group of women in India (Team Shakti). It is beginner friendly, with the main goal of helping young women become interested in the cybersecurity field and expanding the CTF community in India.
Their official team website is well-designed, and you can read more about them there. (Link) A few of their members recently spoke at BSidesDelhi.
The announcements for the CTF featured various notable women through-out history:
Let’s get started, shall we?
The first code starts off as binary, then Base64, and then finally, hex for the flag:
This one drops some pretty obvious hints that it is encoded with a Caesar Cipher. It turned out to be the popular Rot13:
Again, the title offers a strong hint. This was a Rail Fence cipher.
With the Key and Offset included, I was able to find this at 6 Rails. I just added on the exclamation point and bracket to the end:
The webpage pulls up a bunch of repeating biographical text about Ada Lovelace:
If you look through the source code, you will see this comment:
So I tried the following and was able to display the flag:
From here you are brought to another Ada themed webpage, this one with a login panel:
However, this is a distraction. If you look at the source code, there is a script in there that includes some decimal numbers:
Once decoded, they produce the flag without having to log in at all.
For this challenge you are given a .pcap file for Wireshark:
If you follow the first TCP stream, there is a message that contains the flag:
BONUS: The riddle appears to be referencing Hedy Lamarr (Hedwig Eva Maria Kiesler). She helped invent a frequency hopping transmitter that was valuable to both secure military communications and mobile phone technology.
We are given a picture of Brie Larson as Captain Marvel, but this is actually a ruse.
The real file of interest is the text file that claims there is “Nothing Here”. There is obviously something there, because you are able to highlight it.
I ended up using stegsnow to solve this. It returned what appeared to be a string of Morse code:
Here we are given another .pcap file for Wireshark.
If you click through the TCP streams, you will see Madonna and Ella talking about how transferring a password here is not safe because it’s not encrypted. Eventually, on stream 13, Madonna relents:
That ends up having nothing to do with the flag though. On stream 16, there is what looks like a .png file.
You can change this to show the data as “raw” instead of ASCII, and save it as a .png on your computer.
That will produce the following QR code:
Use an online decoder to produce the flag:
Here we are given another web page to visit:
Biscuit is another word for cookie. If you check out the GET request, you can plainly see the flag in the request cookies:
For this one I just assumed it was called flag.txt, and it turns out I assumed correctly.
I’m not sure if this was the intended solution since it talks about needing a passcode and all of that, but I spotted the flag when I was looking through the program in a disassembler:
I ended up doing the same thing for the next challenge since I was right there.
BUT, the intended solution was to change the permissions and run it:
Joan Clarke is now well-known for her work with the Enigma, though she never sought much credit or attention for it while she was alive.
The challenge included a photo that shows you what settings you should use to decode the message:
Here we get an image of Pikachu!
If you use exiftool, you can see an encoded comment:
Decode using Base64:
This password can then be used with steghide to reveal the flag:
BONUS: The answer to the riddle is Radia Perlman, a computer programmer and network engineer. She invented the Spanning Tree Protocol (STP).
Here we have another simple webpage:
Since the challenge and webpage itself mentions robots, I headed over to the robots.txt page:
From here, you can make your way to that disallowed directory and grab the flag:
It looks like a bunch of new ones came out while I was asleep last night due to the time difference in India, so I unfortunately did not get to attempt those before the 24-hour time limit closed. Regardless though, I had a great time with this CTF and am hoping that they host it again next year.
Also, I just wanted to add in a special shout out to “emoji-gram”…
I have no idea what is even going on here, lol. If anyone who solved this is reading, please let me know.
