picoCTF logo
  • Get Started
  • Learn
    Resources
    Community
    Primer
  • Practice
  • Compete
    Past Competitions
  • About
    About picoCTF
    Sponsorship
    Contact Us
  • Log In
CMU logo

Getting Started with picoCTF

Whether a learner or a teacher, in K-12, college or industry, picoCTF makes cybersecurity education fun and engaging

  • User Guide
  • FAQ

I am a:


  • Learner

  • Teacher

Sign Up

  1. Sign up for an account for picoCTF.org. You will receive a confirmation email with a verification link.

    Sign Up
  2. Verify your account via the confirmation email.

Get Connected

Discord Chat

We welcome you to join our picoCTF community Discord server. This server is intended for general conversation around picoCTF, team recruitment for competitors, discussion about picoCTF open-source development, or casual chat. This server is not intended for competition challenge help, and will not be monitored by problem developers. Spoilers or flag sharing during competition will be grounds for removal.

Request Discord invite.

picoPrimer

Wonder what the shell is and how to use it? Maybe you haven’t thought about cryptography in ages and need a refresh? Revisit concepts you are familiar with or read something new to you in the picoPrimer. Authored by the picoCTF education team, the picoPrimer reviews cybersecurity principles used in our competition challenges. You do not need any additional software to read the picoPrimer or solve the challenges at the end of each chapter.

Start picoPrimer

picoGym

picoGym is a noncompetitive practice space where you can explore and solve challenges from previously released picoCTF competitions, find fresh never before revealed challenges, and build a knowledge base of cybersecurity skills in a safe environment.

Whether you are a cybersecurity professional, competitive hacker or new to CTFs you will find interesting challenges in the picoGym that you can solve at your own pace. Team picoCTF will regularly update this challenge repository so visit the picoGym often.

Practice in the picoGym

Register for a competition

picoCTF will be hosting mini-competitions and an annual US middle/highschool competition throughout the year. Make sure you register. You may see all upcoming competition events in your competitions tab once logged in to your picoCTF.org account.

Classrooms

Teachers can create a classroom to track statistics of students’ progress. Classrooms may have multiple teachers and will feature its own scoreboard in addition to the public scoreboards.

Joining a Classroom

Updated classroom instructions forthcoming...

Sign Up

  1. Sign up for an account for picoCTF.org. You will receive a confirmation email with a verification link.

    Sign Up
  2. Verify your account via the confirmation email.

Get Connected

Discord Chat

We welcome you to join our picoCTF community Discord server. This server is intended for general conversation around picoCTF, team recruitment for competitors, discussion about picoCTF open-source development, or casual chat. This server is not intended for competition challenge help, and will not be monitored by problem developers. Spoilers or flag sharing during competition will be grounds for removal.

Request Discord invite.

picoCTF Teachers' Forum

Join the picoCTF Teachers and Educators Forum, a place to exchange ideas, share stories and collaborate in any other manner towards teaching cybersecurity more effectively to the next generation.

Teachers can create a classroom to track statistics of students’ progress. Classrooms may have multiple teachers and will feature its own scoreboard in addition to the public scoreboards.

Create a Classroom

Updated classroom instructions forthcoming...

Updated classroom instructions forthcoming...

Classroom stats

In the Classroom page, you can view the progress of each team that has joined your classes. You can see a graph of progress by category compared to the class average, the list of problems solved by each time, as well as any potential cheat attempts, where one team attempts to input a flat that belongs to a different team.

Teachers may also export all the teams’ progress as a downloaded CSV file.

Suspicious Activity stats

There are multiple instances or versions of most problems, and each user or team is randomly assigned to one of them. If a user or team submits a correct flag that belongs to a different instance than they are assigned, this is a likely sign of a cheat attempt. If you have any questions about this feature, please contact us at educator@picoctf.org.

General FAQ

Hacking is all about curiosity, exploration, and deeply understanding how something works. Most people who identify as “hackers” are working very hard to protect people and to make technology easier and safer to use. Unfortunately, when most people hear or read about hacking in the news, the story is about people using hacking to do harm, but this couldn’t be further from the truth. Career-wise, people skilled in hacking are highly sought out by companies looking to strengthen their cybersecurity. Computer security experts are in very high demand today, and often are paid six-figure salaries.

CTFs (short for capture the flag) are a type of computer security competition. Contestants are presented with a set of challenges which test their creativity, technical (and googling) skills, and problem-solving ability. Challenges usually cover a number of categories, and when solved, each yields a string (called a flag) which is submitted to an online scoring service. CTFs are a great way to learn a wide array of computer security skills in a safe, legal environment, and are hosted and played by many security groups around the world for fun and practice.

There exist several other well-established highschool computer security competitions, including Cyberpatriot and US Cyber Challenge. These competitions focus primarily on systems administration fundamentals, which are very useful and marketable skills. However, we believe the proper purpose of a high school computer security competition is not only to teach valuable skills, but also to get students interested in and excited about computer science. Defensive competitions are often laborious affairs, and come down to running checklists and executing config scripts. Offense, on the other hand, is heavily focused on exploration and improvisation, and often has elements of play. We believe a competition touching on the offensive elements of computer security is therefore a better vehicle for ‘tech evangelism’ to students in American high schools. Further, we believe that an understanding of offensive techniques is essential for mounting an effective defense, and that the tools-and-configuration focus encountered in defensive competitions does not lead students to ‘know their enemy’ as effectively as teaching them to actively think like an attacker.

picoCTF is an offensively-oriented highschool computer security competition that seeks to generate interest in computer science among highschoolers: teaching them enough about computer security to pique their curiosity, motivating them to explore on their own, and enabling them to better defend their machines.

The name of the competition follows the Plaid Parliament of Pwning’s running tradition of using the letter P wherever possible.

Of course! You may download and print our brochure and flyer. Be sure to write in your name and information in the blank on the flyer so students know who to talk to to get involved.

Student FAQ

Minimally: how to think critically. Some familiarity with programming will be helpful, but many past participants of picoCTF have played with no programming experience and learned some programming along the way. Exposure to Python, HTML, JavaScript, and C (though Java syntax is close enough for this purpose) is ideal, but in no way required.

The competition can be done with just a web browser, but an SSH client (e.g. putty) can be helpful. Students are free to use other tools as well.

School network administrators may need to approve access or request pages/sites to whitelist for picoCTF.

Minimum Access Requirements:

HTTP(S) site whitelist for:

  • https://picoctf.org
  • https://play.picoctf.org
  • https://picoctf.com
  • https://2019game.picoctf.com
  • https://2019shell1.picoctf.com
  • https://2019shell2.picoctf.com
  • https://2019shell3.picoctf.com
  • https://2018game.picoctf.com
  • https://2018shell4.picoctf.com

Suggested Access

  • HTTP(S) site whitelist for https://*.picoctf.com
  • HTTP(S) site whitelist for https://*.picoctf.org
  • SSH (port 22) access for *.picoctf.com
  • SSH (port 22) access for *.picoctf.org

Optimal Access

  • Unrestricted access to all ports on *.picoctf.org
  • Unrestricted access to all ports on *.picoctf.com

Reverse Proxy for challange problems

We have added a HTTPS reverse proxy for better access to web challenge problems on 2018shell.picoctf.com. Currently they are provisioned on numerous random, non-standard ports (e.g. http://2018shell.picoctf.com:47428). Understandably, this may be difficult for users on restricted-access school networks that need explicit whitelisting. To use the reverse proxy, modify the URL so that the port number is appended to the end of https://2018shell.picoctf.com/problem/ or https://2019shell.picoctf.com/problem/.

In an example of the above, http://2018shell.picoctf.com:47428 becomes https://2018shell.picoctf.com/problem/47428/

Absolutely! Everyone is welcome. Depending on the competition, certain criteria such as US middle and high school enrollment is required for prizes, but we encourage teachers (and others!) to play.

We have a range of challenge difficulties. Students will be able to log in at any time and spend as much or as little time as they like during the competition period. Outside of the competition period, challenges are available in the picoGym to practice at any desired pace.

Each student will register individually. Afterwards, they can compete individually or form teams of up to 5 members.

Teacher FAQ

During competitions, our hope is that teacher sponsors will act primarily in a facilitator role, rather than a mentoring role. But we encourage teachers to help students with picoCTF in whatever way they see fit.

Absolutely! Everyone is welcome. Depending on the competition, only US middle and high school students may be eligible for prizes, but we encourage teachers (and others!) to play.

You can create a classroom and invite your students to join it. In your classroom dashboard, you will be able to see individual and aggregate progress stats. In addition, the scoreboard page will show a separate ranking of just your classroom members, alongside the existing public scoreboards. You may also export a a complete CSV of student stats. See the teacher User-Guide for more information on this feature.

No problem! Feel free to contact us and we would be happy to clarify anything for you.

We also invite you to join the picoCTF Teachers and Educators Forum, a place to exchange ideas, share stories and collaborate in any other manner towards teaching cyber-security more effectively to the next generation.

CMU Logo INI Logo CyLab Logo PPP Logo
Facebook logo Twitter logo Discord logo
© Carnegie Mellon University 2021
Use of this site is governed by the Privacy Statement and Terms of Service.