🚩 Flags
A flag is simply a string that acts as proof of work for a contestant who has solved a challenge. In Capture-The-Flag (CTF) contests, as the name suggests, the primary goal for contestants is to find the flag for a challenge. A flag is often discovered by exploiting some kind of vulnerability or by knowing some property of computers.
Upon finding the flag, either in the challenge's file attachments or on its deployed vulnerable application instance, the contestant must submit the flag value to the corresponding challenge.
A challenge can have multiple flags, and each flag shall have points associated with it. The total points for a challenge shall be the sum of points of all its flags.
Points
Each flag has points associated with it. The total points for a challenge shall be the sum of points of all of its active flags. The points for a flag can be changed at any time, and the total points for a challenge, as well as the points earned by contestants who submitted the flag earlier, will be updated accordingly.
The platform also supports two types of point systems for a flag - static and dynamic decay.
Unlike some other CTF platforms, challenges are not assigned points directly. Instead, each of a challenge's flags is assigned points, which in turn add up to determine the points for the challenge. This allows for more flexibility in assigning points to a challenge, giving granular control over the points for each flag the challenge may have.
If a challenge has only one flag, then the points for the challenge will be the same as the points for the flag. Otherwise, this system can be used, for example, to give more points for a flag that is harder to find.
Static Point System
If flags are set to have static points, then the points for a flag will not change over time, and will always be the value set by the author of the challenge.
It is usually recommended to use the parabolic decay point system for challenges, as it reduces the bias of authors when setting the points for a flag. With dynamic decay, the points for a flag are determined algorithmically by the number of submissions for that flag: the more submissions, the fewer points. This way, the points for a flag will be more fair and unbiased, and be more representative of the difficulty of the challenge.
Parabolic Decay Point System
If the point system for a flag is set to Parabolic Decay, then the points for a flag will be dynamically calculated and updated every time a contestant submits the flag. With this system, the points for a flag will algorithmically reduce as more participants submit the flag, and all participants who have previously submitted the flag will have lowered points for that flag as well. Through this, an easier and more solved flag (or challenge) will naturally have lower points compared to a harder and less solved flag (or challenge). This way, the points for a flag will be more fair and unbiased, and be more representative of the difficulty of the challenge.
For each flag, the challenge author or the organizer can set the following parameters:
- Max Points: The maximum points for the flag, which is also its initial value. This value will be used as the starting point for the parabolic decay algorithm.
- Min Points: The minimum points for the flag. This value will be used as the ending point for the parabolic decay algorithm. The points for a flag will never go below this value.
- Submission Threshold: The number of submissions for a flag after which the points for the flag will be reduced to the minimum points. This value will be used as the inflection point for the parabolic decay algorithm.
The points for a flag will be calculated, after each correct flag submission, using the following formula:
Algorithmically, the points for a flag will be calculated as follows:
points_after_solve_count = Math.ceil(
    ((min_points - max_points) / (solve_threshold ** 2))
    * (solve_count ** 2)
    + max_points
)
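The formula above applied to a small scoreboard, as an added example that is not the platform's own code. The function and field names, the clamp to Min Points, and counting the latest solve in `solveCount` are assumptions; the sample data is constructed.

```javascript
// Added example, not the platform's code. Parameter names are hypothetical.
function flagPoints({ maxPoints, minPoints, solveThreshold }, solveCount) {
  if (!(solveThreshold > 0)) throw new RangeError('solveThreshold must be > 0');
  if (minPoints > maxPoints) throw new RangeError('minPoints exceeds maxPoints');
  // Formula from the page: a downward parabola through (0, max) and (threshold, min).
  const raw = Math.ceil(
    ((minPoints - maxPoints) / solveThreshold ** 2) * solveCount ** 2 + maxPoints
  );
  // Assumption: clamp, because the page says points never go below Min Points,
  // while the bare formula keeps falling once solveCount passes the threshold.
  return Math.max(minPoints, raw);
}

// Re-price every solve from the current counts, so earlier solvers lose points
// as a flag gains submissions. solveCount includes the latest solve (assumption:
// the page does not say whether the count is taken before or after it).
function scoreboard(flags, solves) {
  const counts = new Map();
  for (const { flagId } of solves) counts.set(flagId, (counts.get(flagId) || 0) + 1);
  const totals = new Map();
  for (const { contestant, flagId } of solves) {
    const value = flagPoints(flags[flagId], counts.get(flagId));
    totals.set(contestant, (totals.get(contestant) || 0) + value);
  }
  return totals;
}

// Constructed sample data: two flags with identical decay parameters.
const sampleFlags = {
  'web-1': { maxPoints: 500, minPoints: 100, solveThreshold: 10 },
  'pwn-1': { maxPoints: 500, minPoints: 100, solveThreshold: 10 },
};
const sampleSolves = [
  { contestant: 'alice', flagId: 'web-1' },
  { contestant: 'bob', flagId: 'web-1' },
  { contestant: 'carol', flagId: 'web-1' },
  { contestant: 'alice', flagId: 'pwn-1' },
];
console.log(scoreboard(sampleFlags, sampleSolves));
```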
Types of Flags
The platform supports creation of different types of flags, thus providing organizers or challenge authors with great flexibility in designing various kinds of interesting challenges for their CTF.
1. Static Flag
A simple string based flag that remains the same for every participant. Participants need to submit the exact value back to the platform.
2. Regex Flag
Regex flags allow organizers to accept a range of flag values matching a given regex pattern from participants. Participants are not informed that regex pattern matching is performed. To them, it looks like a static flag, though there can be multiple potential strings that match the pattern and get accepted.
Only 1 submission will be accepted for a given regex flag of a challenge, regardless of whether the participant finds other matching strings for the flag and submits them. Therefore, this feature can be used to support challenges that need solve branching. When a participant follows a branch (say branch A) to arrive at a particular string (flag) matching the pattern and submits it, they cannot replay it on any other ending or branch: although those may yield a different string (flag) matching the pattern, it matches the same regex flag as the earlier submission and will be rejected as a duplicate submission.
However, this feature should not be used for challenges that have multiple flags, each of which can be separately solved and given points for. In this case, organizers can use multiple static flags.
In case a challenge has more than 1 regex flag, to avoid conflicts, it is recommended to have mutually exclusive sets of regex patterns for each of them.
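The duplicate-submission rule and the mutual-exclusivity recommendation above, as an added example that is not the platform's own code. All names are hypothetical, the flags and patterns are constructed, and anchoring the pattern to the whole submission is an assumption.

```javascript
// Added example, not the platform's code; all names are hypothetical.
// Assumption: a regex flag must match the whole submission, so the pattern is
// anchored here. An unanchored pattern would accept any string that merely
// contains a valid flag.
function matchesFlag(flag, submission) {
  if (flag.type === 'static') return submission === flag.value;
  return new RegExp(`^(?:${flag.pattern})$`).test(submission);
}

// `solved` is a Set of "participant\u0000flagId" keys for accepted flags.
function submit(flags, solved, participant, submission) {
  const flag = flags.find((f) => matchesFlag(f, submission));
  if (!flag) return 'incorrect';
  const key = `${participant}\u0000${flag.id}`;
  // A second string matching the same regex flag is still the same flag.
  if (solved.has(key)) return 'duplicate';
  solved.add(key);
  return 'accepted';
}

// Spot check for mutual exclusivity: return the sample strings that more than
// one flag of a challenge accepts. It only covers the samples it is given.
function overlappingSamples(flags, samples) {
  return samples.filter((s) => flags.filter((f) => matchesFlag(f, s)).length > 1);
}

// Constructed challenge with two endings behind one regex flag.
const branching = [
  { id: 'ending', type: 'regex', pattern: 'flag\\{ending_[ab]_[0-9a-f]{8}\\}' },
];
// Constructed pair of regex flags whose patterns are not mutually exclusive.
const ambiguous = [
  { id: 'r1', type: 'regex', pattern: 'flag\\{a.*\\}' },
  { id: 'r2', type: 'regex', pattern: 'flag\\{.*z\\}' },
];

const demoSolved = new Set();
console.log(submit(branching, demoSolved, 'alice', 'flag{ending_a_deadbeef}'));
console.log(submit(branching, demoSolved, 'alice', 'flag{ending_b_0badf00d}'));
console.log(overlappingSamples(ambiguous, ['flag{abcz}', 'flag{abc}', 'flag{xyz}']));
```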
3. Unique Flag
Organizers can create flags where the actual value of the flag is auto-generated uniquely for each participant. Here, instead of providing the static value or regex pattern, the organizer provides the name of the environment variable in which the actual value should be set. Dynamic flags require individual dynamic deployments associated with them (shared instance mode is not supported).
Whenever a participant spawns their instance of the challenge, an alphanumeric string is generated and set as the environment variable (the variable name will be as specified in flag setting) on it. This string encrypts participant and challenge metadata within it so that it remains unique for each participant and each challenge.
The flag value set in the environment variable is used by the author-developed application code and is shown to the participant when the challenge is solved.
The flag is submitted to the platform, where it is decrypted and verified against metadata, and if valid, is accepted.
To learn more about Unique Flags, including how to set them up, please refer to the Unique Flags documentation page.
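One way a per-participant flag can carry encrypted metadata and be checked on submission, as an added example that is not the platform's own code or scheme. AES-256-GCM, the hex token layout, the function names and the result labels are all assumptions; the key and identifiers are constructed.

```javascript
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

// Added example, not the platform's scheme. Assumed token layout, hex-encoded:
// 12-byte IV | 16-byte GCM tag | ciphertext of JSON [participantId, challengeId].
function generateFlag(key, participantId, challengeId, format = 'flag{.*}') {
  const iv = randomBytes(12); // fresh IV per spawn, so every flag differs
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const meta = JSON.stringify([participantId, challengeId]);
  const body = Buffer.concat([cipher.update(meta, 'utf8'), cipher.final()]);
  const token = Buffer.concat([iv, cipher.getAuthTag(), body]).toString('hex');
  return format.replace('.*', token); // wrap the token in the flag format
}

// Returns 'accepted', 'malformed', 'forged', 'wrong-challenge' or 'shared'.
function verifyFlag(key, submitted, participantId, challengeId, format = 'flag{.*}') {
  const [prefix, suffix] = format.split('.*');
  if (!submitted.startsWith(prefix) || !submitted.endsWith(suffix)) return 'malformed';
  const hex = submitted.slice(prefix.length, submitted.length - suffix.length);
  if (!/^(?:[0-9a-f]{2}){29,}$/.test(hex)) return 'malformed';
  const raw = Buffer.from(hex, 'hex');
  const decipher = createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  let meta;
  try {
    // final() throws if the tag does not verify, i.e. the token was altered
    // or was not produced with this key.
    const plain = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
    meta = JSON.parse(plain.toString('utf8'));
  } catch {
    return 'forged';
  }
  const [flagParticipant, flagChallenge] = meta;
  if (flagChallenge !== challengeId) return 'wrong-challenge';
  // A valid flag issued to someone else points to flag sharing.
  if (flagParticipant !== participantId) return 'shared';
  return 'accepted';
}

// Constructed demo key and identifiers.
const demoKey = Buffer.alloc(32, 7);
const demoFlag = generateFlag(demoKey, 'alice', 'web-1');
console.log(demoFlag, verifyFlag(demoKey, demoFlag, 'bob', 'web-1'));
```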
Flag Format
Organizers can also set a flag format, which represents the structure of the flag, so that the participants can know what the flag should look like. For example, a flag format of flag{.*} means that the flag should start with flag{ and end with }. The .* part means that anything can be in between the two.
A flag format is not required, but it is recommended to set one for each flag. This is because it helps the participants know what the flag should look like, and can also help brand the CTF challenges with the name of the CTF.
While entering static and regex flags, the organizer should enter the complete flag wrapped with the flag format. The platform will not check or wrap the provided or submitted value with the flag format. It is the responsibility of the organizer to ensure that the flag format is set correctly, and that the flag is correctly wrapped within the format and submitted.
However, for dynamic flags, the platform will automatically wrap the flag value it generates with the provided flag format. If no flag format is provided, the platform will use the default flag format of flag{.*}.
Explanation
Each flag can optionally have an explanation associated with it. The explanation is a Markdown-supported field, where organizers can add text, images and links. The explanation is shown to the contestant as feedback when they submit the flag.
The explanation can be used to:
- highlight the vulnerability that the contestant exploited to find the flag,
- explain the property of computers that the contestant used to find the flag,
- recommend or suggest the next challenge to try or check out.