What is Capture the Flag?

CTFs are a type of computer security competition. Certain pieces of information (called flags) are placed on servers, encrypted, hidden, or otherwise stored somewhere difficult to access. During the competition, different challenges are released which allow the participants to reverse engineer, break, hack, decrypt, and do whatever it takes to capture that flag. When a team submits this flag to a scoring page, they will get points. The challenges are all set up with the intent of being hacked, making it an excellent, legal way to get hands-on experience.

What is picoCTF?

Capture the Flag (CTF) competitions are traditionally targeted at college students or industry professionals. picoCTF is a CTF designed for younger students who might be interested in computer science or computer security. Our primary goal is to educate students on what computer security is about and to show how much fun this field can be.

The name of the competition follows the Plaid Parliament of Pwning's running tradition of using the letter P wherever possible.

Who is this for?

This competition was open to middle school and high school (6th - 12th grade) students from the United States, though the difficulty is targeted at the upperclassman high school level and even collegiate level. Teams could be composed of 5 or fewer students and had to be associated with both a teacher/advisor and an academic institution.

There is no limitation on the number of teams which may compete per school.

Why?

We love computer science and more specifically computer security. However, computer security is a difficult field to get into, and those who are interested may find it hard to hone their skills legally. We plan to provide a way for students to learn what hacking is really about, what aspects of hacking might be of particular interest, and to show off their skills in a fun way. While traditional CTF competitions are awesome, they are not an ideal environment for students at the middle school to high school level. Competitors range from university teams to industry professionals, and competitions are not always friendly to those who are just starting out.

Where?

The internet! The competition will be available online at this website. Once the competition starts, teams will be able to log in and view the challenges using the team name and password provided at registration. If participants have forgotten their team name or password, a reset function will be available once the competition opens. Wherever participants may physically compete from, they may find it useful to have the ability to install software and have unfiltered internet access.

When?

The competition was held from April 26th 10:00 AM EST to May 6th 11:59 PM EST. Even though the competition is over, you can still play through picoCTF! The game is still available, and will remain so indefinitely, for anyone who wants to play through picoCTF and practice their hacking skills. Just register on the registration page, then log in to start playing.

Will it be difficult?

Yes, but not too difficult! We will have a lot of challenges: some of them we expect just about every team to solve, some we expect no one to solve. If the competition is not tough, it will not be fun or educational either. With that said, our aim is for the bulk of the challenges we release to be within reach of high school students.

How can I prepare?

Don't panic! We are not expecting students to be well-versed in computer security, though we do recommend that students be comfortable with computer programming. As long as participants are interested, they should be able to learn something and have fun regardless of background. We will provide some training information before the competition starts, including sample challenges and writeups.

While a large portion of picoCTF won't require any specific background knowledge, some of our challenges will assume familiarity with particular programming languages. We recommend that prior to the competition each of the following languages is familiar to at least one member of each competing team.

  • JavaScript and HTML
  • Python
  • Reading C. The basics of Java and C are sufficiently similar that anyone in a Java-based computer science course should be fine in picoCTF.
  • Using the UNIX command line.

There are a lot of great web resources for learning these languages and more about programming in general. You should google around to find an introductory tutorial that you like! As some starting recommendations: The official Python tutorial is excellent; Codecademy has tutorials for a variety of languages; Khan Academy's CS course is taught in JavaScript; Udacity's CS course is taught in Python; and Coursera and MIT OpenCourseWare have great full-length courses for most languages.

There are also some ongoing wargame exercises which would be excellent practice for picoCTF. Many of these get to be quite challenging; don't be discouraged if you find any of these too difficult.

What resources do I need to compete?

Full participation in the competition requires only a computer with a modern web browser (IE9, Chrome, Firefox, Safari, etc.) and the ability to install applications. We expect many students will be more comfortable participating from personal laptops; this is encouraged if possible.

What topics will be covered?

Just about anything is fair game in Capture the Flag. Our high level categories are forensics, cryptography, reverse engineering, binary exploitation, web exploitation, and trivia. You should not feel discouraged if you don't know much about these topics; the whole point is to learn new things!

How do we win / how is this scored?

The competition is split into four levels. Level 1 is targeted at students with no programming experience but adept at using a computer. Level 2 is for students with introductory programming experience, perhaps in languages such as Visual Basic or Alice. Level 3 targets AP Computer Science students with a stronger background in programming. Level 4 features a diverse set of problems ranging from difficult to mind-bogglingly difficult.

A team need not solve every challenge in a level before unlocking the next level. The problems in each level have been designed such that a team can unlock new levels even while avoiding entire categories (e.g. cryptography). Once a team unlocks a level they will receive a certificate of completion for their progress.

Each level contains a set of problems worth a fixed number of points based on its difficulty. When you solve a problem, you send your answer (or 'key') to a scoring server, which adds the problem's value to your team's score. A team earns the respective number of points regardless of the progress of other teams. At the end of the competition the team(s) with the highest scores are the winners. Scores are calculated independent of time, but time will be used as a tie breaker.

What do we get if we win?

There will be three winning teams and three winning high schools. The teams with the three highest scores at the end of the competition will be the winning teams. A team is eligible to win if each member is individually eligible. An individual is eligible if they are attending a school in the United States and are a 6th to 12th grade student. The top three teams whose members all attend the same school will decide the winning schools. A winning team may attend a winning school, a winning school may host multiple winning teams, and a winning school may not have any winning teams, depending on the eligibility of the top teams. Please note that most homeschools do not qualify for school prizes.

Winning teams and schools will receive trophies, signed certificates, and t-shirts. Winning teams will receive cash prizes and winning schools will receive grants to their computer science programs. Please check out the about page for more details.

What about the AP CS exam?

We realize that picoCTF is shortly before AP exams this year. We carefully chose the dates so that students can be prepared to participate, but not overwhelmed with finals, SATs, APs, ACTs, state standardized testing, and everything else. A number of schools also end classes shortly after APs, and we wanted to ensure that our competition was held while schools were still in session.

Although our competition is 9 days long, we are not expecting teams to spend that entire time working on it. We hope that by leaving the competition open for a longer time, students and teachers can more easily find a day or two to work on it inside their busy schedules. We will also be making all of the problems and educational materials that we create available after the competition for those interested.

Are there any related competitions?

As far as we know, no one has ever tried a competition like this. However, there are a few CTFs which are more friendly to those just starting out in the field, or computer security related competitions for high school students:

Why only American teams?

Our goal is not at all to exclude anyone interested in learning about computer security. However, we think it is important to be able to keep track of who the participants are in our competition to better suit the challenges to their level. This requires that we are able to collect accurate data and associate each team with an academic institution. Unfortunately, the most feasible way for us to accomplish this is to require all participants be associated with a school located in the United States, so that we can verify their information. After the competition has completed, we will release our training materials and competition problems on the web so that anyone interested can make use of the resource. If you are an international student and register, you will not be eligible for prizes.

I'm not a high schooler; can I still play?

Yes! Anyone can play, but only eligible teams will be able to win and receive prizes.

I'm homeschooled; can I still play?

Absolutely! In fact we have several homeschool teams signed up already. Unfortunately, most homeschools will not be eligible for school prizes, but can still win team prizes.

I want to form a team with some friends who attend a different school or schools; is this ok?

Sure! While your team will not be eligible for school prizes, you will still be eligible for individual prizes.

What is the role of the teacher in this competition?

Our intent is for teacher sponsors to act primarily in a facilitator role, rather than a mentoring role. Gathering and organizing the team, getting meeting rooms and hardware, and navigating bureaucratic hurdles are all within the purview of the teacher. Directly aiding the team in solving problems, however, is problematic for fairness reasons across teams. We will provide educational material and will release hints as appropriate. Skilled teachers imparting knowledge to their students before the competition is highly encouraged, but we will require winning teams to sign affidavits certifying that they were not directly assisted by their teacher after the problems were released.

What constitutes cheating in this competition?

Attacking the scoring server, other teams, or machines not explicitly designated as targets is cheating. This includes both breaking into such machines and denying others access to them (for example, by altering a key or ping-flooding). Sharing keys with other teams or providing them with overly revealing hints is cheating, as is being directly assisted by personnel outside the team (using tools from the internet is OK; asking people on the internet to help you solve the problem is not). We encourage you to solve problems in novel and creative ways using all available resources, but we do require that you solve them yourselves.

Does this competition condone hacking / have you considered the ethical implications of this operation?

Naturally, this depends on the definition of hacking. We do condone legally exploring computer systems and learning how the computer actually works; when we say hacking, this is what we mean. We do condone hacking in this sense; it harms no one, and cultivates knowledge and skill. We do not condone hacking in the sense that it is used by the news: breaking into machines illegally, stealing personal information, and launching denial of service attacks are illegal, and we do not encourage them.

Who is sponsoring this competition?

The primary sponsor of picoCTF was the National Security Agency (NSA). The National Security Agency does not endorse picoCTF or PPP in any way. The NSA has no involvement in the production or management of picoCTF. No correspondence regarding the competition should be addressed to the NSA. Instead, please contact picoCTF directly.

Why didn't you answer my question?

Sorry! If you have other questions, please do not hesitate to contact us!