Getting Started with picoCTF

CTFs (short for capture the flag) are a type of computer security competition. Contestants are presented with a set of challenges which test their creativity, technical (and googling) skills, and problem-solving ability. Challenges usually cover a number of categories, and when solved, each yields a string (called a flag) which is submitted to an online scoring service. CTFs are a great way to learn a wide array of computer security skills in a safe, legal environment, and are hosted and played by many security groups around the world for fun and practice.

There exist several other well-established highschool computer security competitions, including Cyberpatriot and US Cyber Challenge. These competitions focus primarily on systems administration fundamentals, which are very useful and marketable skills. However, we believe the proper purpose of a high school computer security competition is not only to teach valuable skills, but also to get students interested in and excited about computer science. Defensive competitions are often laborious affairs, and come down to running checklists and executing config scripts. Offense, on the other hand, is heavily focused on exploration and improvisation, and often has elements of play. We believe a competition touching on the offensive elements of computer security is therefore a better vehicle for ‘tech evangelism’ to students in American high schools. Further, we believe that an understanding of offensive techniques is essential for mounting an effective defense, and that the tools-and-configuration focus encountered in defensive competitions does not lead students to ‘know their enemy’ as effectively as teaching them to actively think like an attacker.

picoCTF is an offensively-oriented highschool computer security competition that seeks to generate interest in computer science among highschoolers: teaching them enough about computer security to pique their curiosity, motivating them to explore on their own, and enabling them to better defend their machines.

The name of the competition follows the Plaid Parliament of Pwning’s running tradition of using the letter P wherever possible.

Minimally: how to think critically. Some familiarity with programming will be helpful, but many past participants of picoCTF have played with no programming experience and learned some programming along the way. Exposure to Python, HTML, JavaScript, and C (though Java syntax is close enough for this purpose) is ideal, but in no way required.

The competition can be done with just a web browser, but an SSH client (e.g. putty) can be helpful. Students are free to use other tools as well.

School network administrators may need to approve access or request pages/sites to whitelist for picoCTF.

Minimum Access Requirements:

HTTP(S) site whitelist for:

• https://picoctf.org
• https://play.picoctf.org
• https://picoctf.com
• https://2019game.picoctf.com
• https://2019shell1.picoctf.com
• https://2019shell2.picoctf.com
• https://2019shell3.picoctf.com
• https://2018game.picoctf.com
• https://2018shell4.picoctf.com

Suggested Access

• HTTP(S) site whitelist for https://*.picoctf.com
• HTTP(S) site whitelist for https://*.picoctf.org
• SSH (port 22) access for *.picoctf.com
• SSH (port 22) access for *.picoctf.org

Optimal Access

• Unrestricted access to all ports on *.picoctf.org
• Unrestricted access to all ports on *.picoctf.com

Reverse Proxy for challange problems

We have added a HTTPS reverse proxy for better access to web challenge problems on 2018shell.picoctf.com. Currently they are provisioned on numerous random, non-standard ports (e.g. http://2018shell.picoctf.com:47428). Understandably, this may be difficult for users on restricted-access school networks that need explicit whitelisting. To use the reverse proxy, modify the URL so that the port number is appended to the end of https://2018shell.picoctf.com/problem/ or https://2019shell.picoctf.com/problem/.

In an example of the above, http://2018shell.picoctf.com:47428 becomes https://2018shell.picoctf.com/problem/47428/

Absolutely! Everyone is welcome. Depending on the competition, certain criteria such as US middle and high school enrollment is required for prizes, but we encourage teachers (and others!) to play.

We have a range of challenge difficulties. Students will be able to log in at any time and spend as much or as little time as they like during the competition period. Outside of the competition period, challenges are available in the picoGym to practice at any desired pace.

Each student will register individually. Afterwards, they can compete individually or form teams of up to 5 members.

During competitions, our hope is that teacher sponsors will act primarily in a facilitator role, rather than a mentoring role. But we encourage teachers to help students with picoCTF in whatever way they see fit.

Absolutely! Everyone is welcome. Depending on the competition, only US middle and high school students may be eligible for prizes, but we encourage teachers (and others!) to play.

You can create a classroom and invite your students to join it. In your classroom dashboard, you will be able to see individual and aggregate progress stats. In addition, the scoreboard page will show a separate ranking of just your classroom members, alongside the existing public scoreboards. You may also export a a complete CSV of student stats. See the teacher User-Guide for more information on this feature.

No problem! Feel free to contact us and we would be happy to clarify anything for you.

We also invite you to join the picoCTF Teachers and Educators Forum, a place to exchange ideas, share stories and collaborate in any other manner towards teaching cyber-security more effectively to the next generation.