Understanding Flag Formats

beginner15 minWriteup

Common flag formats and how to find them

Learning Objectives

  • Recognize flag formats
  • Search for flags effectively
  • Handle encoded flags
  • Validate your findings

The ultimate goal in CTF challenges is finding the flag - a specially formatted string that proves you solved the challenge. Understanding flag formats helps you recognize when you've found something important!

Always check the CTF rules page for the exact flag format. Some CTFs use multiple formats or have special requirements like case sensitivity.

Common Flag Formats

1606070;"># Standard formats by platform:
2 
3606070;"># Generic CTF Format
4flag{th1s_1s_4_fl4g}
5FLAG{TH1S_1S_4_FL4G}
6 
7606070;"># picoCTF
8picoCTF{example_flag_here}
9 
10606070;"># HackTheBox
11HTB{example_flag_here}
12 
13606070;"># TryHackMe (varies by room)
14THM{example_flag_here}
15flag{example_flag_here}
16Or just a hash: a1b2c3d4e5f6...
17 
18606070;"># CTFtime competitions (varies)
19CTF{flag_content}
20CTFNAME{flag_content}
21 
22606070;"># DEFCON Quals
23OOO{flag_content}
24 
25606070;"># Google CTF
26CTF{flag_content}
27 
28606070;"># Real-world examples:
29flag{y0u_f0und_m3}
30picoCTF{b4s1c_fl4g_3x4mpl3}
31HTB{h4ck_th3_b0x_2024}
32FLAG{Welcome_to_CTF}

Case Sensitivity

Flag submissions are usually case-sensitive! Copy the flag exactly as found, including uppercase/lowercase letters and special characters.

Encoded Flags

Flags are often encoded or encrypted. Here's how to recognize common encodings:

bash
1606070;"># Base64 (ends with = or ==, uses A-Za-z0-9+/)
2ZmxhZ3t0aGlzX2lzX2Jhc2U2NH0=
3606070;"># Decode: echo "ZmxhZ3t0aGlzX2lzX2Jhc2U2NH0=" | base64 -d
4606070;"># Result: flag{this_is_base64}
5 
6606070;"># Hex (only 0-9 and a-f/A-F)
7666c61677b6865785f656e636f6465647d
8606070;"># Decode: echo "666c61677b6865785f656e636f6465647d" | xxd -r -p
9606070;"># Result: flag{hex_encoded}
10 
11606070;"># ROT13 (letters rotated by 13)
12synt{guvf_vf_ebg13}
13606070;"># Decode: echo "synt{guvf_vf_ebg13}" | tr 'A-Za-z' 'N-ZA-Mn-za-m'
14606070;"># Result: flag{this_is_rot13}
15 
16606070;"># URL Encoding (%XX format)
17flag%7Burl_encoded%7D
18606070;"># Decode: python3 -c "import urllib.parse; print(urllib.parse.unquote('flag%7Burl_encoded%7D'))"
19606070;"># Result: flag{url_encoded}
20 
21606070;"># Binary
2201100110 01101100 01100001 01100111
23606070;"># Use CyberChef "From Binary" operation
When you find suspicious-looking text, throw it into CyberChef and try the "Magic" operation. It automatically detects and decodes common encodings!

Finding Flags

bash
1606070;"># grep for common flag patterns
2grep -r 606070;">#a5d6ff;">"flag{" .
3grep -r 606070;">#a5d6ff;">"FLAG{" .
4grep -r 606070;">#a5d6ff;">"CTF{" .
5grep -rE 606070;">#a5d6ff;">"[A-Z]+\{[^}]+\}" .  # Generic pattern
6 
7606070;"># strings with grep
8strings file.bin | grep -i flag
9strings file.bin | grep -E 606070;">#a5d6ff;">"\{.*\}"
10 
11606070;"># In web challenges
12606070;"># Check HTML source (Ctrl+U)
13606070;"># Check JavaScript files
14606070;"># Check HTTP headers
15606070;"># Check cookies
16606070;"># Check hidden form fields
17 
18606070;"># In network captures
19strings capture.pcap | grep flag
20606070;"># Or filter in Wireshark: frame contains "flag"
21 
22606070;"># In images
23exiftool image.jpg | grep -i flag
24strings image.jpg | grep flag
25606070;"># Check for stego with steghide/zsteg

Systematic Flag Hunting

1
Check the ObviousSource code comments, page title, visible text
2
Check Hidden AreasCookies, headers, hidden form fields
3
Check FilesRun strings, binwalk, exiftool on any files
4
Decode Suspicious StringsUse CyberChef's Magic operation
5
Search Recursivelygrep -r "flag" . (including variations)

Common Hiding Places

1606070;"># Web Challenges
2606070;"># - HTML comments: <!-- flag{hidden_in_comment} -->
3606070;"># - robots.txt: Disallow lines might contain paths
4606070;"># - .git directory: Source code with secrets
5606070;"># - Backup files: .bak, .old, ~
6606070;"># - Environment variables
7606070;"># - Error messages (verbose mode)
8 
9606070;"># Binary Challenges
10606070;"># - Inside string tables
11606070;"># - XOR'd with a key
12606070;"># - Built character by character
13606070;"># - Decrypted at runtime
14 
15606070;"># Forensics Challenges
16606070;"># - File metadata (EXIF)
17606070;"># - Alternate Data Streams (Windows)
18606070;"># - Slack space
19606070;"># - Deleted files
20606070;"># - Memory dumps
21 
22606070;"># Crypto Challenges
23606070;"># - Decryption output
24606070;"># - Concatenated in pieces
25606070;"># - Multiple encoding layers
Don't overthink it! Challenge creators want flags to be findable. If you've been stuck for hours, step back and try the simplest approach again.

Validating Your Flag

1606070;"># Before submitting, verify:
2 
31. Format matches expected pattern
4   - Check for typos
5   - Check case sensitivity
6   - Include wrapper (flag{}, CTF{}, etc.)
7 
82. No extra whitespace
9   606070;"># Bad: "flag{test} " (trailing space)
10   606070;"># Bad: " flag{test}" (leading space)
11   606070;"># Good: "flag{test}"
12 
133. No URL encoding artifacts
14   606070;"># Bad: "flag%7Btest%7D"
15   606070;"># Good: "flag{test}"
16 
174. Complete flag
18   606070;"># Some challenges have multi-part flags
19   606070;"># Make sure you have the whole thing
20 
21606070;"># Quick cleanup in terminal:
22echo 606070;">#a5d6ff;">"  flag{test}  " | tr -d '[:space:]'
23 
24606070;"># Python cleanup:
25flag = 606070;">#a5d6ff;">"  flag{test}  ".strip()

Copy Carefully

When copying flags from terminals, be careful of line breaks and invisible characters. If submission fails, try typing the flag manually.

Quick Reference Regex

bash
1606070;"># Regex patterns for finding flags:
2 
3606070;"># Generic flag pattern
4grep -rE 606070;">#a5d6ff;">"[A-Za-z]+\{[^}]+\}"
5 
6606070;"># Specific CTF patterns
7grep -rE 606070;">#a5d6ff;">"flag\{[^}]+\}"
8grep -rE 606070;">#a5d6ff;">"FLAG\{[^}]+\}"
9grep -rE 606070;">#a5d6ff;">"picoCTF\{[^}]+\}"
10grep -rE 606070;">#a5d6ff;">"HTB\{[^}]+\}"
11grep -rE 606070;">#a5d6ff;">"THM\{[^}]+\}"
12 
13606070;"># Base64 encoded flags
14grep -rE 606070;">#a5d6ff;">"[A-Za-z0-9+/]{20,}={0,2}"
15 
16606070;"># Hex encoded flags
17grep -rE 606070;">#a5d6ff;">"[0-9a-fA-F]{20,}"
18 
19606070;"># MD5/SHA hashes (might be the flag itself)
20grep -rE 606070;">#a5d6ff;">"[a-f0-9]{32}"   # MD5
21grep -rE 606070;">#a5d6ff;">"[a-f0-9]{40}"   # SHA1
22grep -rE 606070;">#a5d6ff;">"[a-f0-9]{64}"   # SHA256

Knowledge Check

Quick Quiz
Question 1 of 2

Which of these is likely a Base64 encoded flag?

Key Takeaways

  • Always check the CTF rules for the exact flag format
  • Flags are often encoded - know Base64, Hex, and ROT13
  • CyberChef's Magic operation is your best friend for decoding
  • grep with regex helps find flags in files
  • Verify format and remove whitespace before submitting
  • Common hiding places: comments, headers, metadata, encoded strings