Challenges
Challenges are puzzle-like, virtualized simulations of real-world cyber-security vulnerabilities & scenarios, and is created such that participants can discover those vulnerabilities and perform some exploits to find out the flag. This flag is submitted to claim the points. The challenges are usually categorized, assigned different levels of difficulty, and may have hints to help the participants.
Properties
🚩 Flags
Flags are the answers to challenges and are essentially a string of text that the participant finds after solving a challenge, which they then submit to the platform. Flag submissions are automatically judged and participants can see if they got the correct flag if they are awarded points for it. A challenge can have multiple flags, each of which can have different points associated with it.
Read more about flags here.
📎 Attachments
Read more about attachments here.
🌐 Deployment & Instances
Read more about deployment and instances here.
💡 Hints
Hints are usually provided to help participants solve challenges. A challenge can have multiple hints.
Read more about hints here.
🎏 Categories
Read more about categories here.
📜 Writeups
Writeups are solutions to a challenge that explains the strategies and steps to approach and solve the challenge. A challenge can have a writeup that is added by the organizer. The writeup is accessible to a contestant either when the contestant has solved the challenge by submitting at-least 1 correct flag or when the contest has ended.
⚙️ Settings
🔅 Is Active?
If a challenge is set to inactive, then contestants will not be able to submit their flags, view attachments or open deployments. They will still be able to view the challenge.
🙈 Private
A challenge can be made private, which means that it will be visible only to the organizers. Organizers can choose to make a challenge private or public at any time.
If a public challenge is made private, the submissions to the challenge will be unlisted from the scoreboard and the challenge page as well as the listing of the challenge will be taken down.
A private challenge will never be shown to the participants regardless of whether it is scheduled to be released, the CTF has ended, etc. Unless the challenge is made public, it will not be visible to anyone except the organizers with required permissions.
🚧 Maximum Submissions Limit
Organizers can set a maximum number of submissions that a contestant can make to a challenge. This is especially useful for simple challenges where contestants can bruteforce flags.
By default, the limit is left blank, and there is no limit, and the contestant can submit as many times as they want.
🕰 Scheduling Challenge Lifecycle
Challenges can be scheduled to be open and closed for contestants at a specific time.
Release Time - The time at which the challenge is made available to the contestants. Until this time, the challenge is not accessible or solvable by the contestants. This should be always set to a time in the future.
Revoke Time - The time at which the challenge submissions are closed to the contestants. After this time, the challenge instance/ attachments are not accessible and contestants cannot submit flags. This should always be set to a time in the future. If a challenge is revoked, it will still be visible to the contestants, but they will not be able to submit flags, download attachments or access deployments. This is similar to making a challenge inactive.
Regardless of scheduling settings, a challenge will not be visible to participants if it is set to private. You can ensure a challenge is scheduled, by looking at the state column in the challenges management page.
⛓ Prerequisite Challenges
A challenge can have prerequisite challenges. A prerequisite challenge is a challenge that must be solved before the current challenge can be accessed or solved. This is useful when a challenge is a follow-up to another challenge. This can be used to create trees of challenges that participants must go through to solve everything.
The prerequisite challenge would instruct the participants that solving it would unlock the locked challenge, and visiting the locked challenge page without solving the prerequisite challenge will ask the contestant to solve the prerequisite challenge first. Only the name, category and difficulty of the locked challenge is shown to the contestant until the prerequisite challenge is solved.
Further, when the prerequisite challenge is solved, the flag submission response will also show a link to the locked challenge like a recommendation or as the next challenge to try.
While this feature shall show recommend/suggest next challenge to solve after solving a challenge, it is not the only way to do so. You can also explicitly share a link to the next challenge to try or any other information, using the explanation field of the flag.
🛠 Managing Challenges
Read more about managing challenges here.