The professional instance of CTFd ($100/month) allows administrators to write custom logic in order to determine if a submitted flag is valid. This shouldn't be difficult to replicate, and would enable much more flexible authoring capability.

With #2, it will be possible to replace a !placeholder! within an uploaded file. Most of the time, I expect this to be sufficient, but it should also be possible to take the placeholders as input to a administrator-provided script and use the output of that script as the unique file for that user.

As an example of why this could be useful, if a user is supposed to Caesar cipher their file to get the flag, a unique flag could be produced with a script like this:

# PLACEHOLDERS is provided by the unique_challenges plugin when evaling this code
# PLACHOLDERS = dict(flag_8='a'*8, flag_16='b'*16, flag_32='c'*32, name='name')
import string
def caesar(plaintext, shift):
    alphabet = string.ascii_lowercase
    shifted_alphabet = alphabet[shift:] + alphabet[:shift]
    table = str.maketrans(alphabet, shifted_alphabet)
    return plaintext.translate(table)

print(caesar(PLACEHOLDERS['flag_8'], 13))

Now when a user caesar decodes the flag and submits it, it will be accepted.

I'm not sure if there is any value in extending this to also let the description be generated programatically. I don't think there is.

Currently, the unique challenges plugin only supports replacing the !placeholder! values within the challenge description. This isn't sufficient for challenges that need more space for the challenge description.

For example, a challenge that explains how to use grep -v would ideally be able to upload a file created with something like this:

yes not this line | head -1231
echo '!flag_8!'
yes not this line | head -2347

Then tell participants to run grep -v "not this line" on the downloaded file to find their unique flag.

While the existing CTFd documentation for plugins was helpful when developing, it was not complete, there were still several questions left unanswered that I had to spend time reading the source to answer.

To make modifying this plugin as easy as possible, create a document describing the overall architecture of the plugin and go through the source to ensure methods are properly documented.

Apparently you can't paste images into wiki pages, so I'm using this as a workaround.

Right now, the unique challenges plugin makes a half-hearted effort to prevent users from submitting placeholders as flags.

This... doesn't work.

If the static flag for the challenge is !flag_8! and the user submits !flag_8!, it will be collapsed to the empty string. But if they submit !flag_!flag_8!8! it will be collapsed to !flag_8! and the user will have completed the challenge without having actually done the work.

This is detectable, the user's original input is saved as the correct submission, but it ideally should be prevented altogether.

There are a couple options:

1. Replace the placeholder with a specific non-empty string that administrators are informed of
2. Immediately reject any submission that contains a placeholder

The second option will completely prevent this issue. I think it is the best solution for the problem.

As it turns out, CTFd already has a "Requirements" tab that handles challenges depending on other challenges. Furthermore, the CTF as a whole can be time locked. However, this isn't sufficient for the stated goals.

Further, this doesn't support creating criteria on a section/individual basis. This is... tricky. I know architecture like Canvas that was built with this in mind has the capability, but doing it in such a way that it doesn't tank performance when you get more challenges is tricky. Ideally, I'd like to avoid making an extra database query for every challenge when viewing the challenges list. This might be unavoidable.

Unlike Canvas, CTFd doesn't have a concept of "sections". Everyone who registers for a CTF is competing in the same CTF. If different sections should have different challenges available at different times, it doesn't really make sense to put them all into the same CTF with the same leaderboard.

This could be done by creating "base" challenges which all other challenges depend on for each section, and giving out the flag to the base challenge in class the first day, but this feels like a hack. I think it makes more sense for the CTFd architecture if each class gets its own instance... unfortunately, this means that if a teacher is teaching multiple sections of the same class that have slightly different due dates, there will be a ton of duplication...

I am having some difficulty envisioning how this user interface should look... I could just provide a basic lisp-like interface (for ease of parsing) and a few functions, but while this would be usable for some administrators, it would be difficult for others to use.... If this is the chosen route, I think it should only be run when attempting to complete a challenge since it is potentially expensive to evaluate (6 database queries for the below condition)

(and
  (after "2019-02-20")
  (completed (find-challenge "Name"))
  (or
    (completed (find-challenge "Prereq"))
    (completed (find-challenge "alt-prereq"))))

Currently, the plugin calls abort(401), which prevents the admin from viewing the challenge.