The value of the flag on this one seems impossible to derive based on the instructions and the code.
So we discard the obvious bits - the variables “password” and “auth” aren’t referred to anywhere else in the code so we can toss those (and if you decode them you just get messages telling you to keep looking, so fair enough)
The loop at the end only checks the first character of your password and compares it to the first character of “chars”. If your password starts with that character then it says “Good Job”. I tried using that single character as the password part of my flag, no dice.
Okay, so let’s look at the entirety of what chars would contain if the loop wasn’t broken. Got that, big long string starts with u. Tried that in the flag, but it has {} in it so obviously that isn’t going to work, but it should be pretty easy to reverse back into something readable.
Reversed it into a human-readable string that talks about trolls. Great, that’s got to be it right? No, that doesn’t work as the password part of the flag either.
It’s not a decoded version of “keys”, nor a decoded version of “chains”. (note for the encoding/decoding - lock_pick is a red herring, the value of lock will always be the same if you do the math)
I eventually figured out what the flag had to be, but basically had to resort to hitting “submit” on the flag with bits and pieces of everything I could find in the code that could conceivably be the password. There’s no way I would have found it otherwise.
The premise of the challenge is interesting, but the instructions about the format of the flag are frustratingly misleading.
Hopefully I’ve made this post specific enough to complain but vague enough as to not be nuked by the mods. I don’t mention at all what the first part of the flag is, and I don’t specifically state what ends up being the second part of it… (but by process of elimination you might save yourself some frustration)