Don't mess with the flags. Flags in CTF are sacred. Modifying/Removing any flag will result in disqualification. Also, it's kind of a real dick move.
Don't mess with other things, either. The basic rule is if you didn't put it there, don't modify/remove it. If what you are about to do will change the game for other players, don't do it.
Scope. If it's not listed on the Targets page, then it ain't in scope! Easy Peasy.
No (online) brute force is necessary. None of the vulnerable services will require online brute force to login. Hydra, etc ARE NOT NECESSARY and may very well get you throttled. Besides, it's a waste of time. Dirb may prove useful. Most everything you need is staring you straight in the face.
john can be used for a couple of things, though not all. if rockyou.txt with rules doesn't find it, it wasn't meant to be.
You don't need root for everything here. Full compromise isn't necessary for some of the machines, just pay attention to the description and flag count.
Layer 2 is off-limits. Layer 2 attacks will result in immediate termination.
Leave the infrastructure alone. Same as Layer 2 attacks. Anything not clearly marked on the Targets page is off-limits.