I don’t really have much experience with CTF (I’ve played my first one in August 2024 and it was a trivial one), but I guess things end up like they end up. Just some thoughts on the matter someone might find useful or really damn stupid.
If I leaked something important, @ me on Discord or somesuch.
UPDATE 04.01.2026: More notes
General
- You’re probably gonna run into Skill Issue® sooner or later (in my case I ran into Skill Issue immediately)
  - Maybe context-switch to a different chal then; doing nothing isn’t good
- Distracting teammates from their doings is a bad idea
- AI is helpful for a lot of things, but is unlikely to solve challenges for you (maybe I need to get the paid versions~)
- AI is good at giving you a general idea of what is supposed to be done in the challenge
- UPDATE: With proper prompting and given tooling, AI can be really good at solving weaker challenges
  - It can, however, get stuck on silly things or prefer silly approaches
Jeopardy
- Probably the most common, seeing as it’s far easier to host than A/D
- Easier to practice solo
- Best to focus on your categories when in team
- Can be a lot of new stuff you haven’t had experience with yet, but a lot of times there’ll be more generic chals too
Pwn specific
- A lot of challenges will follow some general playbook
  - ROP/general stack buffer overflow, heap, Linux kernel module, Windows driver, QEMU device…
  - Mix and match
- Best to recognize playbook and have an idea of what is needed for exploit
- AI can help with playbook recognition and writing PoC exploit, agent + your favorite static analysis tool’s MCP
- As with rev, sometimes it’s a better option to just dump the binary into ChatGPT window
- However, AI can get confused and say there’s no way to solve X (could potentially be defeated by better prompting or more tooling like Libdebug instrumentation)
- For Linux chals pwndbg is your friend
- For Windows? Haven’t had many Win pwns, but x64dbg for userspace is good, kd is the only option for kernelspace
- Pwntools is VERY useful
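Recognizing the playbook starts with knowing which mitigations the binary ships with. As an added example (my code, not from the original notes and not pwntools’ own `checksec` implementation), here is a stdlib-only ELF64 triage that reads the file type for PIE, the program headers for NX and RELRO, and looks for the `__stack_chk_fail` import string as a canary heuristic. The sample binary is a constructed header so it runs without a challenge file; on a real one you would just `open(path, "rb").read()`.

```python
"""Added example (not from the original notes): minimal ELF64 mitigation triage.
The sample binary is built by build_sample(), i.e. a constructed header."""
import struct

PT_GNU_STACK = 0x6474E551   # program header describing stack permissions
PT_GNU_RELRO = 0x6474E552   # program header marking the read-only-after-reloc region
PF_X = 0x1                  # execute bit in p_flags
ET_EXEC, ET_DYN = 2, 3      # fixed-address executable vs position-independent

# ELF64 header after the 16-byte e_ident: e_type e_machine e_version e_entry e_phoff
# e_shoff e_flags e_ehsize e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
EHDR_FMT = "<HHIQQQIHHHHHH"
# ELF64 program header: p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align
PHDR_FMT = "<IIQQQQQQ"


def parse_elf64(data: bytes) -> dict:
    """Report PIE / NX / RELRO / canary for an ELF64 image held in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2:  # EI_CLASS == 2 means 64-bit
        raise ValueError("not an ELF64 file")
    (e_type, _, _, _, e_phoff, _, _, _,
     e_phentsize, e_phnum, _, _, _) = struct.unpack_from(EHDR_FMT, data, 16)
    phdrs = []
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)[:2]
        phdrs.append((p_type, p_flags))
    gnu_stack = [flags for t, flags in phdrs if t == PT_GNU_STACK]
    return {
        "pie": e_type == ET_DYN,
        # Missing PT_GNU_STACK is treated as "no NX": the loader may then grant an executable stack
        "nx": bool(gnu_stack) and not (gnu_stack[0] & PF_X),
        "relro": any(t == PT_GNU_RELRO for t, _ in phdrs),
        # Heuristic: a stack-protector build references __stack_chk_fail by name
        "canary": b"__stack_chk_fail" in data,
    }


def build_sample(pie: bool, nx: bool, relro: bool, canary: bool) -> bytes:
    """Construct a throwaway ELF64 image with the requested mitigations (example input only)."""
    phdrs = [(PT_GNU_STACK, 0x6 if nx else 0x7)]          # RW stack vs RWX stack
    if relro:
        phdrs.append((PT_GNU_RELRO, 0x4))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # 64-bit, little-endian, SysV
    ehdr = struct.pack(EHDR_FMT, ET_DYN if pie else ET_EXEC, 0x3E, 1, 0x1000,
                       64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack(PHDR_FMT, t, f, 0, 0, 0, 0, 0, 0x10) for t, f in phdrs)
    tail = b"__stack_chk_fail\0" if canary else b"puts\0"    # stand-in for the dynsym strings
    return ident + ehdr + body + tail


if __name__ == "__main__":
    for cfg in [(True, True, True, True), (False, False, False, False)]:
        print(cfg, "->", parse_elf64(build_sample(*cfg)))
```

The result tells you which chapters of the playbook apply before you open a debugger: no PIE means fixed gadget addresses, no NX means the stack is executable, partial RELRO leaves the GOT writable, and no canary means a plain stack overflow is still on the table.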
Rev specific
- Organizers really like their VMs
- Z3 & Angr are your friends, but aren’t perfect - just sticking the challenge binary into Angr and expecting a result probably won’t work
- AI can reverse… to a point, but it can get confused easily - this is mostly solved with a better model and better prompting
- Sometimes just dropping the binary into ChatGPT will work better than a fancy MCP
A/D
- Pain in the ass to practice (preferably a bunch of people onsite, but people are Busy™)
- Infra people = gods
- Some services get exploited very early, others either extremely late into A/D or don’t get exploited at all (Faust25 birthday-melody & nom - didn’t get exploited barring firstblood, ECSC2025 Heavensent - only started getting exploited extremely late in the CTF)
- Exploit timeline (source: my ass):
  - Web & co (maybe SQLi, maybe PHP RCE stuff…)
  - Crypto/Obscure language stuff (Cobol, for instance?)
  - Rev/pwn (generally hard to exploit & patch)
- Services usually have multiple exploit pathways (service can have both web & pwn, for instance) or combine categories (rev/obscure language, for instance - hi Angelscript!)
- Monitoring Tulip for your services is a good idea, but not all services necessarily have anything meaningful there
- AI to summarize codebase/autogenerate potential exploits has potential, but my current way does not work for larger services and is not efficient
- Proper AI code analysis tooling like ZeroPath has potential, but very expensive & overkill for CTF
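Watching Tulip by hand scales badly once a few services are under fire, so the thing worth scripting is "which flows carried one of our flags out, from whom, against which service, and what did the request look like". As an added example that is not from the original notes (and not Tulip’s own code), here is that check over constructed flow records shaped like what a traffic viewer stores; the flag regex, the checker address range and every flow below are invented for the example and need to be swapped for the real CTF’s flag format and gameserver IPs.

```python
"""Added example (not from the original notes): spot flag exfiltration in captured
flows and summarize it per service and per attacking source. FLAG_RE,
CHECKER_PREFIXES and FLOWS are all constructed for this example."""
import re
from collections import Counter

# Constructed flag format; every CTF publishes its own (FAUST, ECSC, ... all differ).
FLAG_RE = re.compile(rb"FLAG\{[A-Za-z0-9_]{8,}\}")

# Constructed: the gameserver/checker legitimately reads flags back, so its traffic
# must be excluded or every flag-retrieval check looks like an attack.
CHECKER_PREFIXES = ("10.0.0.",)

# Constructed flow records: time, source IP, service port, request and response bodies.
FLOWS = [
    {"time": 100, "src": "10.0.0.2", "dst_port": 8080,
     "request": b"POST /notes HTTP/1.1\r\n\r\nFLAG{team03_note42_abcdef}",
     "response": b"HTTP/1.1 201 Created\r\n\r\nid=42"},                      # flag deposited
    {"time": 110, "src": "10.0.0.2", "dst_port": 8080,
     "request": b"GET /notes/42 HTTP/1.1\r\n",
     "response": b"HTTP/1.1 200 OK\r\n\r\nFLAG{team03_note42_abcdef}"},      # checker read-back
    {"time": 120, "src": "10.0.7.9", "dst_port": 8080,
     "request": b"GET /notes/42 HTTP/1.1\r\n",
     "response": b"HTTP/1.1 200 OK\r\n\r\nFLAG{team03_note42_abcdef}"},      # leak: web service
    {"time": 121, "src": "10.0.7.9", "dst_port": 8080,
     "request": b"GET /notes/43 HTTP/1.1\r\n",
     "response": b"HTTP/1.1 200 OK\r\n\r\nFLAG{team03_note43_012345}"},      # leak: same attacker
    {"time": 130, "src": "10.0.9.3", "dst_port": 9000,
     "request": b"\x00\x01\x00\x2a",
     "response": b"FLAG{team03_slot42_deadbeef}\n"},                         # leak: binary service
    {"time": 131, "src": "10.0.7.9", "dst_port": 8080,
     "request": b"GET /notes/1 HTTP/1.1\r\n",
     "response": b"HTTP/1.1 200 OK\r\n\r\nnote: lunch"},                     # harmless
]


def find_leaks(flows, flag_re=FLAG_RE, checker_prefixes=CHECKER_PREFIXES) -> list:
    """Flows whose response carries a flag, from a source other than the checker,
    where the flag was not simply echoed from the request."""
    leaks = []
    for f in flows:
        if f["src"].startswith(checker_prefixes):
            continue                                  # legitimate read-back
        if flag_re.search(f["request"]):
            continue                                  # flag went in, not out
        if flag_re.search(f["response"]):
            leaks.append(f)
    return leaks


def summarize(flows, flag_re=FLAG_RE, checker_prefixes=CHECKER_PREFIXES) -> dict:
    """Per-service and per-source leak counts plus the first leaking request per
    service, which is what you want in front of whoever is patching."""
    leaks = find_leaks(flows, flag_re, checker_prefixes)
    first_seen = {}
    for f in sorted(leaks, key=lambda x: x["time"]):
        first_seen.setdefault(f["dst_port"], f)
    return {
        "by_service": dict(Counter(f["dst_port"] for f in leaks)),
        "by_source": dict(Counter(f["src"] for f in leaks)),
        "first_seen": {port: {"time": f["time"], "src": f["src"], "request": f["request"]}
                       for port, f in first_seen.items()},
    }


if __name__ == "__main__":
    report = summarize(FLOWS)
    print("leaks per service:", report["by_service"])
    print("leaks per source:", report["by_source"])
    for port, info in report["first_seen"].items():
        print(f"port {port}: first leak at t={info['time']} from {info['src']}: {info['request']!r}")
```

Two caveats match what the notes say about Tulip: a service with no flag in its responses (flag only used as a key, or leaked via a side channel) produces nothing here and still needs eyes on it, and a service that isn’t being exploited at all produces nothing either, so an empty report is not proof of safety.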