Skip to content


Folders and files

Last commit message
Last commit date

Latest commit



48 Commits

Repository files navigation


A simple framework that helps to automate execution of exploits for attack-defense CTFs. CTFPWNng schedules execution of exploits for all available/reachable targets and stores flags in a Redis queue. It also handles periodic submission of flags to the gameserver.

An exploit has three properties:

  • Takes two positional arguments: an IP address and a port number of the target.
  • Prints flags to stdout: the framework will grep for flags in the stdout data, which can include one or more flags or even other data.
  • Is executable: an exploit can be written in any language or format as long as it is executable.

An exploit tries to get a flag/the flags from a single target system. The scheduling for all the other targets is handled by the framework.



Per-CTF configuration can be done in a local configuration file called Variables for the whole framework can be overwritten in Bash syntax. The following shows a configuration example for a RuCTFE:


Note: The _RUCTFE_TEAM_TOKEN is provided in the checker_token.txt file that is included in the team configuration.

Note: RuCTFE allows to submit flags either via TCP (default) or HTTP. The following variable can be set to use HTTP submission:




Note: A deployment example is available in the Vagrantfile. It is recommended to always run CTFPWNng inside of a VM.

Target Identification

The targets directory includes a wrapper script ( that runs Nmap scans on the target range in order to identify alive hosts. Before can be started, the script should run at least once to create a initial output file:

cd targets

This script should run regularly as a cronjob. The following example shows how to run the script every five minutes:

*/5 * * * * cd /home/user/ctfpwnng/targets && ./

Add Exploits

Adding a new exploit is as easy as copying the exploits/_template directory. The following example creates an exploit for a service called wood

cd ctfpwnng
cp -r exploits/_template exploits/wood

An exploit directory requires at least two files (already included in the exploits/_template directory):

  • service: A service definition file. This file must contain the _SERVICE_NAME and _SERVICE_PORT variables.
  • The exploit wrapper script that either includes or starts the actual exploit code. It is also responsible for calling the log_flags() function that will add flags to the Redis database.

Disable Exploits

Exploits can be disabled by either creating a .disabled file:

touch exploits/wood/.disabled

Or by preceeding the exploit directory name with an underscore:

mv exploits/wood exploits/_wood


Automation framework for attack-defense CTFs.






No releases published


No packages published