Scenario CTF/* Flag Labels

[jeremytourville]

I built a few scenarios for a CTF event that was held recently. While users generally enjoyed the challenges I received some feedback was that there was mild frustration because flags were not numbered. When submitting a flag to the scoreboard users were unsure if they were submitting the 1st flag or the number ten flag. They had to submit a flag to all unsolved flags because the flags are not labeled which one is which. I attempted to solve this issue without success by editing the Vagrant and scenario files using find and replace. I matched a specific flag from the JSON file and replaced the flag with flag1{...., flag2{...., etc. Perhaps I am trying to edit the wrong files? Is there a way this can be accomplished at build time or have I overlooked something basic?

[cliffe]

Glad to hear you used SecGen for an event. I hope it otherwise went well!

We use our own scoring front end that doesn't require a specific flag to be submitted to a specific "question", but rather a system/VM. When I originally did the CTFd export support (which I've not really personally used since coding it) I did add a feature flag submission page so that flags could be submitted without knowing which CTFd challenge it was associated with. Does that help?

Alternatively, you can change the way flags are generated for the specific scenario, but could you please consider the above first.

[jeremytourville]

@cliffe Thanks for your comments. My question is- How do I give the flags a labe/numberl? I tried to figure it out within the code (Vagrantfile, scenario, etc) without success. My experience is that users generally expect flags to have a number or label for a CTF event. Perhaps others see it differently. Just my .02. Thanks!

[cliffe]

Two "easy" options: 1) Name the challenge by extracting the first few characters of the flag (for example, Challenge 1: efa1 -- flag{efa12eds3dsf} -- you could edit the way CTFd export works to automate that. The advantage of this approach is that it doesn't require any modification of existing scenarios.

2) Specify a flag generator in the scenario, that accepts multiple values https://github.com/cliffe/SecGen/tree/master/modules/generators/flag/flag_concat For example, something along the lines of:

<vulnerability read_fact="strings_to_leak" access="local" privilege="root_rwx">
    <input into="strings_to_leak">
        <generator type="concat_flag_generator">
            <input into="strings_to_join">
                <value>Challenge1</value>
                <generator module_path=".*/random_base64"/>
            </input>
        </generator>
    </input>
</vulnerability>

This does exactly what you want, but does mean the scenario needs to be modified this way.