I’m working through the Starting Point machines and I’ve noticed that the flags for each challenge remain the same across instances, and over time.
Since you’re using docker to spin up instances, it should be possible in principle to create a new randomized flag for each instance for a challenge, pass it as a parameter to
docker run or however you spin up each instance, and store the flag externally (i.e. wherever you are storing the IP address of the machine for displaying on the challenge’s dashboard).
This reduces relying on community suppression of the flag string, and thus bolsters the strength of your ranking as a signal about the account owner’s actual ability to solve challenges.
For the Starting Point challenges, the walkthroughs typically have the flag value in them. If you randomize the flag, then the final question for each challenge (what is the flag?) will actually measure whether the user has followed the steps in the walkthrough. These challenges have questions targeting specific lessons in the walkthroughs, which serves a related purpose: did you either read the walkthrough or at least already know the lesson?
I am doing the challenges on a macbook, so while there is a lot of overlap in tools with Linux (assumed by walkthroughs), there are also some important differences (e.g. there is no
smbclient on osx, but there are analogous tools, like
smbutil) which I could have ignored if all I cared about were making it look like I’ve passed the challenge. With a randomized flag, I would not have passed the challenge without actually learning how to mount drives over the network using my own setup.