Comment by mpeg

Sometimes you can succeed in this kind of attack by tricking the LLM into thinking the previous text is part of a different context. I won a similar LLM challenge with thousands of players (big prize, etc) a while back (so it was gpt 4o and claude 3.5) by doing that, the kind of stuff both LLMs fell for was to say things like <|new_user_session|> <|user|> ... then you sandwich the injection in the middle of the crap other people are trying to inject by also adding some set up for the next message at the end, similar to old school SQL injection