
Submitting Flags

This page covers the flag format you will see in challenges, where to submit, what happens when you get it right, and the rate-limiting behaviour that kicks in after repeated wrong attempts.


Flag format

Every flag on this platform looks like:

GRIZZ{<32 hex characters>}

For example: GRIZZ{a3f2c1d4e5b6a7f8c9d0e1f2a3b4c5d6}

The prefix may differ

The organiser configures the prefix. GRIZZ is the default. Whatever prefix the event uses, the structure is always PREFIX{32 hex chars}.


Your flag is unique to your team

Flags are derived per principal (per team, or per solo player). The 32-character hex value inside the braces is an HMAC computed from the server's secret, your team's identity, and the challenge ID. Two different teams will receive two completely different strings for the same challenge.

This is by design and has a security consequence described in the next section.


Do not share your flag

Every wrong submission is checked against the flags of every other team. If you submit another team's flag — even as a mistake — the system logs a FLAG_SHARE_DETECTED or FLAG_REPLAY_DETECTED event in the tamper-evident audit chain, visible to the event organiser immediately.

You do not see this notification. The system silently records the evidence; organisers review it and may disqualify your team. There are no false positives: the math makes it cryptographically impossible for two teams to accidentally hold the same flag value.

See Anti-cheat overview for a full explanation of how detection works.


Where to submit

You can submit flags from two places:

Challenge list (/) — click a challenge card to open the detail page.

Challenge detail page (/<challenge-slug>) — the flag input field is at the bottom of the page. If you have already solved the challenge, the form is replaced with a "Solved" indicator.

Type or paste your flag into the field and click Submit (or press Enter).


What happens on a correct submission

  1. The platform verifies your flag using a constant-time comparison (no timing leak).
  2. A Solve record is written atomically — concurrent submissions from multiple team members cannot double-credit points.
  3. Your principal's score_total is incremented by the challenge's point value.
  4. The challenge card on the list page is marked as solved.
  5. The scoreboard updates to reflect your new score.

You will see a green flash message: "Correct! +N points!"


What happens on a wrong submission

You will see a red flash message: "Incorrect flag. Try harder."

Behind the scenes:

  • A wrong-attempt counter is incremented in Redis for your team + this challenge.
  • Your submission hash is checked against every other team's flags and against prior submissions from other teams. If a match is found, a critical audit event is written (see the warning above).
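
The per-team derivation, the constant-time check and the cross-team comparison described above can be sketched as follows. This is an added example, not the platform's own code: the page only says the value is an HMAC over the server's secret, the team identity and the challenge ID, so the choice of HMAC-SHA256, the truncation to 32 hex characters, the field encoding, the secret and the function names are all assumptions.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed value, not a real server secret
PREFIX = "GRIZZ"                     # default prefix named on the page


def derive_flag(team_id: str, challenge_id: str, prefix: str = PREFIX) -> str:
    """Per-team flag: PREFIX{32 hex chars}, assumed here to be truncated HMAC-SHA256."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") give different inputs.
    msg = b"".join(len(p).to_bytes(2, "big") + p
                   for p in (team_id.encode(), challenge_id.encode()))
    digest = hmac.new(SECRET, msg, hashlib.sha256).hexdigest()
    return f"{prefix}{{{digest[:32]}}}"


def check_submission(team_id, challenge_id, submitted, all_teams):
    """Return ("correct" | "incorrect" | "shared", owning_team_or_None)."""
    candidate = submitted.strip().encode()  # surrounding whitespace is stripped
    expected = derive_flag(team_id, challenge_id).encode()
    # compare_digest takes time independent of where the two values differ.
    if hmac.compare_digest(candidate, expected):
        return ("correct", None)
    # Wrong for this team: compare against every other team's flag.
    # No early exit, so the scan time does not depend on which team matched.
    owner = None
    for other in all_teams:
        if other == team_id:
            continue
        other_flag = derive_flag(other, challenge_id).encode()
        if hmac.compare_digest(candidate, other_flag):
            owner = other
    # "shared" is the case the page says is written to the audit chain
    # (FLAG_SHARE_DETECTED or FLAG_REPLAY_DETECTED).
    return ("shared", owner) if owner else ("incorrect", None)


if __name__ == "__main__":
    teams = ["team-a", "team-b", "team-c"]  # constructed team identifiers
    flag_a = derive_flag("team-a", "chal-1")
    print(flag_a)
    print(check_submission("team-a", "chal-1", flag_a, teams))
    print(check_submission("team-b", "chal-1", flag_a, teams))
```

Because the flag is a keyed function of the team identity, a flag that verifies for a different team can only have come from that team, which is what lets the comparison act as evidence.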

Rate limiting: wrong-attempt lockout

After 3 consecutive wrong attempts on the same challenge, you are locked out of submitting for 30 seconds.

During the lockout you will see:

"Too many wrong attempts. Try again in N seconds."

The counter resets automatically after the lockout expires or after a correct solve.

Defaults may be different for your event

The organiser can adjust the attempt limit and lockout duration. The values above are the defaults (FLAG_WRONG_LIMIT=3, FLAG_LOCKOUT_SECONDS=30).


Tips

  • Copy-paste carefully. Leading or trailing whitespace is stripped automatically, but extra characters in the middle will fail.
  • Check the prefix. If the challenge uses a non-default prefix, the flag field should show a hint. Using GRIZZ{...} when the prefix is something else will always fail.
  • Dynamic challenges. For challenges that require a lab instance, the flag is injected into your running container as an environment variable (FLAG). Spawn the instance, find the flag inside the container (how depends on the challenge), then submit it on the challenge page. See WireGuard Setup if the container is on a VPN-isolated network.
  • Static file challenges. For challenges with downloadable files, the flag may be embedded in the file itself or derived from it — read the challenge description for hints.