Thoughts on Flag Formats in CTF Challenges

In case you don’t know, I create some CTF challenges myself:

I always try to make sure it is clear what the solution has to look like. If I don’t make that clear, that’s usually because the format of the flag gives away too many details about it. So you probably have seen format’s like these:

  • CTF{…}
  • **** ***** / #.### € / DD.MM.YYYY
  • Firstname Lastname
  • Example: Paris, France

In challenges that are very technical or that involve multiple steps or working with systems of many parts, the format is usually given as “CTF{…}” where a flag would be “CTF{SomeRandomCharacters}”. The flag is enclosed in curly brackets to let players know when they found it. Without showing any flag format, players would be unsure when to stop looking once they jumped into the rabbit hole. And making the flag format more specific is often too difficult for these challenges or would be something like “the flag is the content of the file called flag.txt” which automatically reveals that such a file exists. However, one problem I see with this format is that players don’t know if they should submit the curly brackets too or just the content. The best practice would be to accept both as correct submissions, but usually, the brackets have to be submitted, too.

In challenges where the answers are outside of the control of the challenge creator, for example OSINT research questions, the answers and flag formats usually are arbitrary but often times human-readable and easier to make explicit in the challenge text without giving away too many details. But since the answer can not be enclosed in some curly brackets, the flag format has to be defined clearly. For example, the same question could be asked in many different ways:

  • What’s the full name of the first president of the USA?
  • Who was the first president of the USA? Format: Full name
  • What’s the name of the first president of the USA? Format: ****** **********
  • What’s the name of the first president of the USA? Format: Firstname Lastname
  • What’s the name of the first president of the USA? Example: John Adams

I personally try to incorporate the flag format into the question and redundantly state the flag format specifically. I don’t like arbitrary formats like “full name” because then players would not know if the middle name should also be submitted or only as an initial or not at all. Or maybe the person also has some title prepended to their name. That’s why I usually give the exact structure of the expected answer. I use placeholder characters when I want to make the challenge a bit easier or more difficult depending on the question. When the flag format would be too complicated, I sometimes just give an example that matches the correct answer. That’s often the case for addresses or names of places.

From what I’ve seen so far, giving an example is often the least confusing approach, but not always possible or not specific enough. It’s not possible when the answer is too unique and not specific enough when it could be interpreted differently, for example when the example name has a middle name but players assume it’s just a coincidence and don’t submit the middle name of the actual answer. Also, when giving an example, I try to use one that also matches some unique parts of the actual answer, for example in case the answer has an acute accent.

Another problem I often see with giving flag formats like “How much money does he have? Format: ### €” is that players are not sure if they should submit the given parts like the Euro sign, too, or just what would be replaced by the hashtag signs. For this, again, the best practice would be to accept both variants as correct.

To sum it up: I try (or will try) to give examples of what the flag should look like when possible. Otherwise, I will show the structure of the flag using replacement characters. In the latter case, I will try to also accept the case when only those parts are submitted that were replaced in the given format. Also, more often than not, it doesn’t hurt to just add a sentence describing the format.

A final thought which actually triggered this post: I see way too many amateur CTFs where an answer has to be enclosed in curly brackets only for submission. Like “What’s the name of the first president of the USA? Format: {Firstname Lastname}”. Please don’t do that. That kind of format serves no purpose but only confuses players.