Whether a learner or a teacher, in K-12, college or industry, picoCTF makes cybersecurity education fun and engaging
Sign Up
- Sign up for an account for picoCTF.org. You will
receive a confirmation email with a verification
link.
Sign Up - Verify your account via the confirmation email.
Get Connected
Discord Chat
We welcome you to join our picoCTF community Discord server. This server is intended for general conversation around picoCTF, team recruitment for competitors, discussion about picoCTF open-source development, or casual chat. This server is not intended for competition challenge help, and will not be monitored by problem developers. Spoilers or flag sharing during competition will be grounds for removal.
Request Discord invitepicoPrimer
Wonder what the shell is and how to use it? Maybe you haven’t thought about cryptography in ages and need a refresh? Revisit concepts you are familiar with or read something new to you in the picoPrimer. Authored by the picoCTF education team, the picoPrimer reviews cybersecurity principles used in our competition challenges. You do not need any additional software to read the picoPrimer or solve the challenges at the end of each chapter.
Start picoPrimerpicoGym
picoGym is a noncompetitive practice space where you can explore and solve challenges from previously released picoCTF competitions, find fresh never before revealed challenges, and build a knowledge base of cybersecurity skills in a safe environment.
Whether you are a cybersecurity professional, competitive hacker or new to CTFs you will find interesting challenges in the picoGym that you can solve at your own pace. Team picoCTF will regularly update this challenge repository so visit the picoGym often.
Practice in the picoGymRegister for a competition
picoCTF will be hosting mini-competitions and an annual US middle/highschool competition throughout the year. Make sure you register. You may see all upcoming competition events in your competitions tab once logged in to your picoCTF.org account.
Teams
After registering for a teamplay-enabled competition, you will have
access to the Teams Management page.
Here you may create or join a team. If you create a team, you should
share your Team Invite Code with potential team members.
To request approval to join a team, you must enter the correct code from
your Team Leader. You may only be on one team at a time.
After joining a team, you will no longer appear as an individual player
on any non-classroom scoreboards.
Teams may consist of 1-5 players, and may consist of players at different schools. To be eligible for prizes during competition period, all players on a team must be eligible. See the rules for each competition on eligibility. If the team leader approves the join request of a player ineligible for a certain competition then the whole team will become ineligible for that competition. Team leaders will be able to see any potential ineligibilities within each join request.
Team members share the same problem instances. Team Score consists only of challenges solved by team members. If you join a team after having made progress on your own, you can always go back and resolve challenges you previously solved while not in a team.
Team Leaders may kick inactive team members if they have not submitted any flags while on the team.
Classrooms
Teachers, club organizers, or other groups can create a classroom to track statistics of students’ progress. Classrooms may have multiple teachers and will feature its own scoreboard in addition to the public scoreboards.
Joining a Classroom
After completing registration for an event, you will have access to
the Classrooms management page.
Here, you may request to join classrooms by entering the correct
Classroom Invite Code obtained
from your classroom leader. You will be able to see the classroom
scoreboard after your classroom leader approves your request.
It is possible to join multiple classrooms — for example, one classroom representing your student club, another classroom representing your computer science class, as well as another classroom representing your entire high school or school district.
Leaving a Classroom
You may leave a classroom from the classroom management page and clicking the Leave Classroom button of the row corresponding to that class.
Sign Up
- Sign up for an account for picoCTF.org. You will
receive a confirmation email with a verification
link.
Sign Up - Verify your account via the confirmation email.
Get Connected
Discord Chat
We welcome you to join our picoCTF community Discord server. This server is intended for general conversation around picoCTF, team recruitment for competitors, discussion about picoCTF open-source development, or casual chat. This server is not intended for competition challenge help, and will not be monitored by problem developers. Spoilers or flag sharing during competition will be grounds for removal.
Request Discord invitepicoCTF Teachers' Forum
Join the picoCTF Teachers and Educators Forum, a place to exchange ideas, share stories and collaborate in any other manner towards teaching cybersecurity more effectively to the next generation.
Teachers can create a classroom to track statistics of students’ progress. Classrooms may have multiple teachers and will feature its own scoreboard in addition to the public scoreboards.
Create a Classroom
You may create classrooms from the Classroom
page after registering for an event. You will distribute the randomly
generated Classroom Invite Code
to allow your students or other teachers to request to join.
User Management
From your Classroom management page, you will be able to see the list of all active members, pending classroom join requests, and classroom leaders. You may approve or reject pending members. You may also remove previously approved classroom members.
Adding Additional Leaders to a Classroom
Once you have has created a classroom, other leaders may join that
classroom with the same Classroom invite
code
Once the user has joined the classroom, they will initially
appear in the Active Members list, with an action button option
to Promote the user to a classroom leader.
Batch Registration
Teachers may automatically generate user accounts for students, so as to not require each to register individually. A username and password will be created for each user, that the teacher can themselves distribute.
To use this feature, click the Batch Register button and fill out the demographic information for each set of accounts. You must then download and save the resulting spreadsheet of logins to distribute.
Classroom stats
In the Classroom page, you can view the progress of each user that has joined your classrooms. You can see a graph of progress by category compared to the class average, the list of challenge submissions, as well as any suspicious activities that may be cheat attempts, where one member attempts to input a flag that belongs to a different member or team.
Teachers may also export all members’ progress as a downloaded CSV file.
Suspicious Activity stats
There are multiple instances or versions of most problems, and each user or team is randomly assigned to one of them. If a user or team submits a correct flag that belongs to a different instance than they are assigned, this is a likely sign of a cheat attempt. If you have any questions about this feature, please contact us at educator@picoctf.org.
General FAQ
Hacking is all about curiosity, exploration, and deeply understanding how something works. Most people who identify as “hackers” are working very hard to protect people and to make technology easier and safer to use. Unfortunately, when most people hear or read about hacking in the news, the story is about people using hacking to do harm, but this couldn’t be further from the truth. Career-wise, people skilled in hacking are highly sought out by companies looking to strengthen their cybersecurity. Computer security experts are in very high demand today, and often are paid six-figure salaries.
CTFs (short for capture the flag) are a type of computer security competition. Contestants are presented with a set of challenges which test their creativity, technical (and googling) skills, and problem-solving ability. Challenges usually cover a number of categories, and when solved, each yields a string (called a flag) which is submitted to an online scoring service. CTFs are a great way to learn a wide array of computer security skills in a safe, legal environment, and are hosted and played by many security groups around the world for fun and practice.
There exist several other well-established highschool computer security competitions, including Cyberpatriot and US Cyber Challenge. These competitions focus primarily on systems administration fundamentals, which are very useful and marketable skills. However, we believe the proper purpose of a high school computer security competition is not only to teach valuable skills, but also to get students interested in and excited about computer science. Defensive competitions are often laborious affairs, and come down to running checklists and executing config scripts. Offense, on the other hand, is heavily focused on exploration and improvisation, and often has elements of play. We believe a competition touching on the offensive elements of computer security is therefore a better vehicle for ‘tech evangelism’ to students in American high schools. Further, we believe that an understanding of offensive techniques is essential for mounting an effective defense, and that the tools-and-configuration focus encountered in defensive competitions does not lead students to ‘know their enemy’ as effectively as teaching them to actively think like an attacker.
picoCTF is an offensively-oriented highschool computer security competition that seeks to generate interest in computer science among highschoolers: teaching them enough about computer security to pique their curiosity, motivating them to explore on their own, and enabling them to better defend their machines.
The name of the competition follows the Plaid Parliament of Pwning’s running tradition of using the letter P wherever possible.
Student FAQ
Minimally: how to think critically. Some familiarity with programming will be helpful, but many past participants of picoCTF have played with no programming experience and learned some programming along the way. Exposure to Python, HTML, JavaScript, and C (though Java syntax is close enough for this purpose) is ideal, but in no way required.
The competition can be done with just a web browser, but an SSH client (e.g. putty) can be helpful. Students are free to use other tools as well.
School network administrators may need to approve access or request pages/sites to whitelist for picoCTF.
Minimum Access Requirements:HTTP(S) site whitelist for:
https://picoctf.orghttps://play.picoctf.orghttps://picoctf.comhttps://2019game.picoctf.comhttps://2019shell1.picoctf.comhttps://2019shell2.picoctf.comhttps://2019shell3.picoctf.comhttps://2018game.picoctf.comhttps://2018shell4.picoctf.com
Suggested Access
- HTTP(S) site whitelist for
https://*.picoctf.com - HTTP(S) site whitelist for
https://*.picoctf.org - SSH (port 22) access for
*.picoctf.com - SSH (port 22) access for
*.picoctf.org
Optimal Access
- Unrestricted access to all ports on
*.picoctf.org - Unrestricted access to all ports on
*.picoctf.com
Reverse Proxy for challange problems
We have added a HTTPS reverse proxy for better access to web
challenge problems on 2018shell.picoctf.com.
Currently they are provisioned on numerous random, non-standard
ports (e.g. http://2018shell.picoctf.com:47428).
Understandably, this may be difficult for users on restricted-access
school networks that need explicit whitelisting.
To use the reverse proxy, modify the URL so that the port number is
appended to the end of
https://2018shell.picoctf.com/problem/
or
https://2019shell.picoctf.com/problem/.
In an example of the above, http://2018shell.picoctf.com:47428
becomes https://2018shell.picoctf.com/problem/47428/
Absolutely! Everyone is welcome. Depending on the competition, certain criteria such as US middle and high school enrollment is required for prizes, but we encourage teachers (and others!) to play.
We have a range of challenge difficulties. Students will be able to log in at any time and spend as much or as little time as they like during the competition period. Outside of the competition period, challenges are available in the picoGym to practice at any desired pace.
Each student will register individually. Afterwards, they can compete individually or form teams of up to 5 members.
Teacher FAQ
During competitions, our hope is that teacher sponsors will act primarily in a facilitator role, rather than a mentoring role. But we encourage teachers to help students with picoCTF in whatever way they see fit.
Absolutely! Everyone is welcome. Depending on the competition, only US middle and high school students may be eligible for prizes, but we encourage teachers (and others!) to play.
You can create a classroom and invite your students to join it. In your classroom dashboard, you will be able to see individual and aggregate progress stats. In addition, the scoreboard page will show a separate ranking of just your classroom members, alongside the existing public scoreboards. You may also export a a complete CSV of student stats. See the teacher User-Guide for more information on this feature.
No problem! Feel free to contact us and we would be happy to clarify anything for you.
We also invite you to join the picoCTF Teachers and Educators Forum, a place to exchange ideas, share stories and collaborate in any other manner towards teaching cyber-security more effectively to the next generation.