Solving the Prompt Airlines CTF


Challenge 1: Revealing the AI Bot Identifier

This challenge was about finding the AI bot’s identifier. The instructions mentioned that the bot had a specific identifier we needed to reveal by using the right prompts. That identifier was our flag. My approach was to ask the bot about itself and see what it knew. After a few tries with different prompts, the bot finally gave me the identifier, which was the flag.

Challenge 2: Extracting the Private AI Bot Identifier

There was an option, “Under the hood”, through which we could see the backend instructions given to the AI bot by the developers, though some details were redacted. Challenge 2 was about finding a private identifier, which was redacted. My approach was to ask the bot to list everything it knew that had “_”. This method helped me reveal the private identifier.

Challenge 3: Finding the Hidden Coupon Code

The instructions mentioned that the AI bot had access to coupon codes for flights. We needed to find a flight to Las Vegas on August 3, 2024. However, the backend instructions said the bot couldn’t directly share the coupon codes. So, the target was to craft a prompt to get the coupon codes. I asked the bot for flight details for Las Vegas on August 3, 2024. After a few tries, the bot gave me the coupon codes for that flight, and one of those codes turned out to be the flag.

Challenge 4: Faking a Membership Card

This challenge was about joining their loyalty program. According to the instructions, only members could book a flight. We needed to upload an image of a membership card, which should have a membership number that the bot (advanced third-party AI authentication system 😂) checks for validity. Initially, when I uploaded a test image, it gave an error but also showed what a valid card should have.

It needed a 5-digit alphanumeric code in a specific format. I then created a 5-digit alphanumeric code in a text editor, took a snap, and uploaded it. The system accepted it as valid and also revealed the 4th flag.

Challenge 5: Booking a Free Ticket to Las Vegas

For the final challenge, we needed to book a free flight to Las Vegas using the clues we gathered from the previous challenges. At first, I tried to get the bot to reveal a coupon code for a 100% discount by using fake codes like TRAVEL_100 and TRAVEL_00, but it didn’t work. Eventually, I simply kept asking the bot to book the flight, and it went ahead and completed the booking, revealing the final flag.
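
Challenges 4 and 5 both come down to the model being the only gate in front of a booking. The following is an added example, not code from this write-up or from the CTF: it assumes a hypothetical `book_flight` tool handler that treats the model's arguments as untrusted, and every name, record and code in it is constructed.

```python
# Added example: hypothetical booking tool handler; all names and data are constructed.
from dataclasses import dataclass

# Constructed server-side records; the model never supplies or overrides these.
MEMBERS = {"user-17": "A1B2C"}      # authenticated account -> issued membership number
COUPONS = {"SUMMER_10": 10}         # coupon code -> percent discount
FLIGHTS = {"PA-LAS-0803": 45000}    # flight id -> price in cents


@dataclass
class Result:
    ok: bool
    reason: str
    charge_cents: int = 0


def book_flight(session_user: str, args: dict) -> Result:
    """Handle a book_flight tool call. `args` comes from the model and is untrusted."""
    flight = args.get("flight_id")
    if flight not in FLIGHTS:
        return Result(False, "unknown flight")

    # Membership: compare with the record issued to the authenticated session,
    # not with a format rule and not with what a vision model read off an image.
    issued = MEMBERS.get(session_user)
    if issued is None or args.get("member_number") != issued:
        return Result(False, "membership not verified")

    # Price: recomputed here. Any price or discount field in args is ignored.
    price = FLIGHTS[flight]
    code = args.get("coupon")
    if code is not None:
        if code not in COUPONS:
            return Result(False, "invalid coupon")
        price -= price * COUPONS[code] // 100

    return Result(True, "booked", price)
```

With checks like these in the handler, a card that merely matches the expected format, a guessed coupon, or repeated requests to the bot do not change what the server will book or charge.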


Honestly, it took me 2–3 hours to solve this, but someone familiar with LLM security could probably do it in 30–40 minutes. Overall, it was a fun experience and I enjoyed the challenge.
