pwncollege / dojo

Infrastructure powering the pwn.college dojo
https://pwn.college
BSD 2-Clause "Simplified" License

practice mode flag realism #590

Open zardus opened 1 month ago

zardus commented 1 month ago

We should consider making the flag in practice mode something a bit more realistic, such as pwn.college{PRACTICEfakeFLAGpracticeFAKEflagFaKeFlG}. This keeps the length realistic and makes, e.g., AES block splitting consistent between practice mode and real mode.

spencerpogo commented 1 month ago

Since technically you can set the flag to whatever you want in practice mode, this could be considered more of a discoverability problem. Maybe we could make this specific to only the AES challenges? We could have the challenge init script for AES challenges set it. Also, maybe some punctuation like . or _ for readability.

ConnorNelson commented 1 month ago

I think it is a bug for any challenge to depend on the format (including length) of the flag. If you want a secret that has specific properties, generate that secret (and deterministically derive it from the flag if you want).

If we decide to change the format of the flag some day to include more metadata and it gets longer (for example, adding a timestamp), we cannot be constrained by what a challenge thinks the flag should look like. These things must be decoupled.

That being said, I would be in favor of the practice flag being user_id=0's flag, you submit it, the site tells you it's a practice flag (and links you to some docs about practice mode).
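One way to do the decoupling described in the comment above, as an added example that is not part of the thread or the dojo code base: a challenge derives its own fixed-length, fixed-alphabet secret from the flag with HMAC-SHA256, so the flag's length and character set never reach the challenge logic. The function names, the label and the alphabet are assumptions made for illustration.

```python
import hashlib
import hmac
import string

# Hypothetical alphabet for the challenge secret; a challenge picks what it needs.
ALPHABET = string.ascii_letters + string.digits


def _stream(key: bytes, label: bytes):
    """Yield pseudorandom bytes from HMAC-SHA256(key, label || counter)."""
    counter = 0
    while True:
        msg = label + counter.to_bytes(4, "big")
        yield from hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1


def derive_secret(flag: bytes, label: str, length: int,
                  alphabet: str = ALPHABET) -> str:
    """Deterministically derive a secret of a chosen shape from any flag."""
    if length <= 0 or not 1 <= len(alphabet) <= 256:
        raise ValueError("length must be positive, alphabet 1..256 symbols")
    # Hash the flag first: its length and characters never shape the output.
    key = hashlib.sha256(flag).digest()
    # Rejection sampling: drop bytes that would bias the modulo reduction.
    limit = 256 - (256 % len(alphabet))
    out = []
    for b in _stream(key, label.encode()):
        if b < limit:
            out.append(alphabet[b % len(alphabet)])
            if len(out) == length:
                break
    return "".join(out)


# Sample flags: the practice flag proposed in the issue, and a constructed
# longer flag with other characters (not a real flag).
PRACTICE = b"pwn.college{PRACTICEfakeFLAGpracticeFAKEflagFaKeFlG}"
LONGER = b"pwn.college{constructed-Sample_flag.with+other/chars=.1700000000}"

if __name__ == "__main__":
    for flag in (PRACTICE, LONGER):
        # Same shape of secret regardless of which flag went in.
        print(derive_secret(flag, "aes-ecb-demo", 32))
```

The label separates challenges, so two challenges given the same flag still get unrelated secrets.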

zardus commented 1 month ago

I like this idea of an actual, generated flag for practice mode... The specific event that sparked this issue creation was a student attempting an AES byte-by-byte decryption challenge, and it worked great for the practice flag but didn't support some of the chars in our base64ed flags. So it's not the challenge that was flag-dependent, but the solution.