What is a CTF?
CTFs (short for capture the flag) are a type of computer security competition. Contestants are presented with a set of challenges which test their creativity, technical (and googling) skills, and problem-solving ability. Challenges usually cover a number of categories (see below), and when solved, each yields a string (called a flag) which is submitted to an online scoring service. CTFs are a great way to learn a wide array of computer security skills in a safe, legal environment, and are hosted and played by many security groups around the world for fun and practice.
What is picoCTF?
Capture the Flag (CTF) competitions are traditionally targeted at college students or industry professionals. picoCTF is a CTF designed for younger students who might be interested in computer science or computer security. Our primary goal is to educate students on what computer security is about and to show how much fun this field can be.
The name of the competition follows the Plaid Parliament of Pwning's running tradition of using the letter P wherever possible.
Who is this for?
The competition was open to middle school and high school (6th - 12th grade) students from the United States, though the difficulty is targeted at the upperclassman high school level and even collegiate level.
With the competition now over, anyone is welcome to create a team and play through picoCTF 2014 for fun. Note that teams are still limited to 5 users.
We love computer science and more specifically computer security. However, computer security is a difficult field to get into, and those who are interested may find it hard to hone their skills legally. We plan to provide a way for students to learn what hacking is really about, what aspects of hacking might be of particular interest, and to show off their skills in a fun way. While traditional CTF competitions are awesome, they are not an ideal environment for students at the middle school to high school level. Competitors range from university teams to industry professionals, and competitions are not always friendly to those who are just starting out.
The internet! The competition will be available online indefinitely at this website. Wherever participants may physically play from, they may find it useful to have the ability install software and have unfiltered internet access.
The competition took place between October 27th 10:00 AM EST and November 7th 11:59 PM EST. Although the competition is now over, you can still play through the competition for fun! Head over to the registration form to create a new account.
Is picoCTF difficult?
Yes, but not too difficult! We have lots of challenges: some of them we expect just about every team to solve, some we expect no one to solve. If the competition is not tough, it will not be fun or educational either. With that said, our aim is for the bulk of the challenges we release to be within reach of high school students.
How can I prepare?
Don't panic! We are not expecting students to be well-versed in computer security, though we do recommend that students be comfortable with computer programming. As long as participants are interested, they should be able to learn something and have fun regardless of background.
While a large portion of picoCTF do not require any specific background knowledge, some of our challenges assume familiarity with particular programming languages. We recommend that each of the following languages is familiar to at least one member of each team:
- Reading C. The basics of Java and C are sufficiently similar that anyone in a Java-based computer science course should be fine in picoCTF.
- Using the UNIX command line.
There are also some ongoing wargame exercises which would excellent practice for picoCTF. Many of these get to be quite challenging; don't be discouraged if you find any of these too difficult.
What resources do I need to compete?
Full participation in the competition requires only a computer with a modern web browser (IE9+, Chrome, Firefox, Safari, etc.) and the ability to install applications. Installing applications may be necessary for the most difficult challenges, however. We expect many students will be more comfortable participating from personal laptops; this is encouraged if possible.
What topics will be covered?
Just about anything is fair game in Capture the Flag. Our high level categories are forensics, cryptography, reverse engineering, binary exploitation, web exploitation, and trivia. You should not feel discouraged if you don't know much about these topics; the whole point is to learn new things!
How do we win / how is this scored?
The competition is split into four levels. Level 1 is targeted at students with no programming experience but apt at using a computer. Level 2 is for students with introductory programming experience, perhaps in languages such as Visual Basic or Alice. Level 3 targets AP Computer Science students with a stronger background in programming. Level 4 features a diverse set of problems ranging from difficult to mind-bogglingly difficult.
A team need not solve every challenge in a level before unlocking the next level. The problems in each level have been designed such that a team can unlock new levels even while avoiding entire categories (e.g. cryptography).
Each level contains a set of problems worth a fixed number of points based on its difficulty. When you solve a problem, you send your answer (or 'key') to a scoring server, which adds the problem's value to your team's score. A team earns the respective number of points regardless of the progress of other teams. At the end of the competition the team(s) with the highest scores are the winners. Scores are calculated independent of time, but time will be used as a tie breaker.
What do we get if we win?
picoCTF 2014 had over $30,000 in prizes. Prizes for this year's competition have already been claimed and are currently being delivered to winning teams.
Are there any related competitions?
Along with picoCTF, there are several CTFs that are friendly to those just starting out in the field, as well as other computer-security related competitions for high school students:
- CSAW CTF a CTF targeted specifically at undergraduate level players
- HackYou a CTF targeted for first year students in Russia (and open to anyone)
- CSAW High School Cyber Forensics Challenge not a CTF, but requiring some similar skills. Previous challenges and resources are available here
picoCTF 2013 is also still available at 2013.picoctf.com. While the competition itself is closed, you can still solve the challenges and play the game.
Why only American teams?
Our goal is not at all to exclude anyone interested in learning about computer security. However, we think it is important to be able to keep track of who the participants are in our competition to better suit the challenges to their level. This requires that we are able to collect accurate data and associate each team with an academic institution. Unfortunately, the most feasible way for us to accomplish this is to require all participants be associated with a school located in the United States, so that we can verify their information. Note that you may still play in picoCTF as an international student (by selecting the appropriate country during registration), but you will not be eligible for prizes.
I'm not a highschooler; can I still play?
Yes! Anyone can play, but only eligible teams were able to win and receive prizes.
I'm homeschooled; can I still play?
Absolutely! In fact we have several homeschool teams who played in both picoCTF 2013 and 2014. Unfortunately, most homeschools will not be eligible for school prizes, but can still win team prizes.
I want to form a team with some friends who attend a different school or schools; is this ok?
Sure! While your team will not be eligible for school prizes, you will still be eligible for individual prizes.
What is the role of the teacher in this competition?
During the competition, our intent was for teacher sponsors to act primarily in a facilitator role, rather than a mentoring role. Now that the competition is over, we encourage teachers to help students with picoCTF 2014 in whatever way they see fit.
What constitutes cheating in this competition?
Attacking the scoring server, other teams, or machines not explicitly designated as targets is cheating. This includes both breaking into such machines and denying others access to them (for example, by altering a key or ping-flooding). Sharing keys or providing overly-revealing hints with other teams is cheating, as is being directly assisted by personnel outside the team (using tools from the internet is OK; asking people on the internet to help you solve the problem is not). We encourage you to solve problems in novel and creative ways using all available resources, but we do require that you solve them yourselves.
Does this competition condone hacking / have you considered the ethical implications of this competition?
Naturally, this depends on the definition of hacking. We encourage legally exploring computer systems and learning how the computer actually works; when we say hacking, this is what we mean. We do condone hacking in this sense; it harms no one, and cultivates knowledge and skill. We do not condone hacking in the sense that it is used by the news - breaking into machines illegally, stealing personal information, and launching denial of service attacks are illegal, and we do not encourage them.
Who is sponsoring this competition?
The primary sponsors of picoCTF are Trend Micro, Boeing, Qualcomm, the National Science Foundation (NSF), and the National Security Agency (NSA). Any opinions, findings, and conclusions or recommendations expressed in this material are those of PPP and do not necessarily reflect the views of the National Science Foundation, the National Security Agency or any other sponsor. Neither the NSF nor the NSA has any involvement in the production or management of picoCTF. No correspondence regarding the competition should be addressed to sponsors. Instead, please contact picoCTF directly.
What's happening with picoCTF 2013?
picoCTF 2013 is still available at 2013.picoctf.com. Both picoCTF 2013 and picoCTF 2014 will remain online indefinitely.
What's new this year?
We've added lots of cool features for this year's competition:
- Brand New Game: This year's competition is centered around a new interactive game. When your father disappears under strange circumstances, a flash drive is your only clue to his whereabouts. Can you solve the mystery before it's too late?
- New Tools for Teachers: picoCTF can be a great class activity. We've added new support for picoCTF in the classroom though Teacher Accounts which allow teacher to manage groups of participating teams.
- Achievements: As you progress in the game's story and in the competition in general, you may unlock achievements that you can share with your friends. Achievements are not involved in scoring; they're just for fun.
Are there any major rule changes this year?
The rules for picoCTF 2014 are effectively the same as the rules for picoCTF 2013.
How many people can be on a team?
Teams may have as many as five players or as few as one player.
Can I kick people off my team?
Currently, people cannot be kicked off your team. Team members can leave voluntarily, however, by disabling their account. To do this, log in and click "Account->Manage" from the menu bar at the top of the page. On that page, enter your current password and click "Disable Account." Note that this action is irreversible.
If you need assistance, please contact us and we can help you out.
I am a teacher/adviser. Do I need to create a Teacher Account?
Nope! Teacher Accounts are an entirely optional feature and in no way impact scoring or eligibility.
I am not a teacher. Can I create a Teacher Account?
Go for it! Teacher Accounts can be used to manage groups of teams in many scenarios, not just in the classroom. Keep in mind, however, that Teacher Accounts do not show up on the scoreboard and are not eligible for prizes.
What happened to the Group Scoreboards feature?
The Group Scoreboards feature, which was added to picoCTF 2013 several months after the competition, has been replaced by Teacher Accounts and Class Groups. You can still achieve the same behavior as Groups by creating a Teacher Account, adding a new class, then having all teams interested in sharing a scoreboard join that class.
Why didn't you answer my question?
Sorry! If you have other questions, please do not hesitate to contact us!
No Results Matched Your Search