What is picoCTF?
picoCTF is a free cybersecurity competition created by Carnegie Mellon University. It runs annually and is open to everyone -- students, hobbyists, career changers, and professionals alike. More than 100,000 people participate each year, making it one of the largest CTF competitions in the world. The challenges are graded by difficulty and cover six core categories that map directly to real-world cybersecurity domains.
CTF stands for Capture the Flag. Each challenge hides a secret string called a flag, typically formatted as picoCTF{…}. Your job is to solve the challenge -- whether that means decoding a cipher, analyzing a file, exploiting a web app, or reverse engineering a binary -- and submit the flag to earn points.
You do not have to wait for the annual competition. The picoGym is the permanent practice platform where every past picoCTF challenge is available year-round. It is where most people actually learn -- there is no time pressure, and you can work through challenges at your own pace across all six categories.
This guide covers everything you need to start competing: how to set up your environment, what each of the six challenge categories involves, the recommended order to learn them, a practical methodology for each one, and beginner-friendly challenges to try first in every category.
Setting Up Your Environment
picoCTF challenges are solved from a Linux command line. The good news is that you have two options, and the easier one requires zero installation.
Option 1: The picoCTF Webshell (recommended for beginners)
After creating your account at picoctf.org, you get access to a browser-based Linux terminal called the Webshell. It is a full Ubuntu environment with most of the tools you need pre-installed. You can open files, run commands, and solve challenges entirely in your browser without installing anything. Start here if you are new to Linux or just want to get to solving challenges as fast as possible.
Option 2: Local Linux environment
A local setup gives you more control and lets you install any tool you want. On Windows, install WSL2 (Windows Subsystem for Linux) and run Ubuntu. On macOS, use the built-in terminal or install a VM. Dedicated CTF distributions like Kali Linux and Parrot OS come with many tools pre-installed, but a plain Ubuntu install works fine if you add what you need.
Essential tools to install
These tools cover the vast majority of picoCTF challenges across all categories. Install them with a single command on Debian/Ubuntu:
sudo apt update && sudo apt install -y \python3 python3-pip binutils binwalk steghide \exiftool wireshark-cli foremost file netcat-traditional# pwntools for binary exploitationpip3 install pwntools# Ghidra for reverse engineering (download from ghidra-sre.org)
One tool you do not need to install at all is CyberChef -- it runs entirely in the browser and handles encoding, decoding, hashing, and dozens of transformations without any setup. It is one of the most-used tools in CTF. The tools section of this site also offers browser-based utilities for common operations: base64 decoding, ROT ciphers, frequency analysis, hex viewing, RSA calculations, and more.
You do not need everything installed on day one
Install what you need when you need it. Start with the Webshell, solve some General Skills challenges, and add tools as specific challenge types demand them. The tools list above is comprehensive -- you will not use all of it on your first session.
The 6 Challenge Categories
Every picoCTF challenge falls into one of six categories. Each maps to a real cybersecurity domain, and each requires a different skillset and toolset. Here is what each one involves:
General Skills
Linux command line, file inspection, encoding and decoding, SSH, and scripting. The foundation everything else builds on.
Cryptography
Classical ciphers, encoding schemes, and modern algorithms like RSA and AES -- usually with intentional weaknesses to exploit.
Forensics
Recovering hidden data from files, images, network captures, and metadata. Tools like Wireshark, steghide, and exiftool.
Web Exploitation
Finding and exploiting vulnerabilities in web applications: SQL injection, cookie manipulation, path traversal, and more.
Reverse Engineering
Analyzing compiled programs without source code using strings, Ghidra, and GDB to understand what they do and recover flags.
Binary Exploitation
Exploiting memory corruption vulnerabilities -- buffer overflows, format strings, heap bugs -- to hijack program execution.
The categories vary significantly in difficulty. General Skills and Cryptography are the most accessible entry points. Binary Exploitation is the hardest and requires knowledge built in the other categories first.
Recommended Learning Path
The order you tackle categories matters. Each one builds on skills from the previous, and jumping ahead creates gaps that make harder challenges frustrating instead of fun. Here is the order that works best for most beginners:
- General Skills -- Learn the Linux command line, file inspection commands, encoding basics, and SSH. Every other category uses these tools. Do not skip this.
- Cryptography -- Learn to identify cipher types, decode encoded data, and exploit weaknesses in classical and modern crypto. The encoding concepts overlap heavily with what you just learned in General Skills.
- Forensics -- Learn to analyze files at the byte level, extract hidden content, inspect metadata, and read network captures. The file inspection skills from General Skills apply directly here.
- Web Exploitation -- Learn to think like an attacker against web applications. No assembly knowledge required -- just a browser, DevTools, and Burp Suite.
- Reverse Engineering -- Learn to analyze compiled binaries using
strings,ltrace, and Ghidra. This is where Linux comfort from General Skills and analytical thinking from the earlier categories pay off. - Binary Exploitation -- Learn memory corruption attacks. This requires comfort with Reverse Engineering and basic C. Save it for after you have a solid foundation in the other five categories.
You do not have to exhaust one category before starting the next. A good approach is to work through the easiest challenges in General Skills and Cryptography, then try some Forensics and Web Exploitation challenges, and gradually work harder in each category. The learning paths on this site sequence challenges within each category from easiest to hardest.
Use the picoGym to practice year-round
The annual competition runs for a few weeks, but the picoGym is always open. Every past picoCTF challenge from 2019 onward is available for practice. Working through past competitions is the most effective way to improve before the next competition starts.
General Skills: Start Here
If you are new to picoCTF, General Skills is where you should begin. These challenges teach the foundational toolkit that every other category builds on -- Linux command-line navigation, file inspection, encoding and decoding, SSH connections, and light scripting. Before you can reverse a binary or crack a cipher, you need to be comfortable in a terminal.
The category name undersells it a bit. "General Skills" really means "things every CTF player does automatically." Spending a few hours here pays dividends across Forensics, Reverse Engineering, Binary Exploitation, and Cryptography challenges for years to come.
The three-command methodology
Whenever a challenge hands you an unknown file, run these three commands in order before doing anything else:
file mystery_file-- asks the OS what the file actually is. A ".txt" extension means nothing;filereads the magic bytes and tells you the truth.strings mystery_file-- dumps every printable ASCII string inside the file. Flags, hints, and hardcoded passwords all show up here more often than you would expect.cat mystery_fileorxxd mystery_file | head-- read the raw content. Usexxdwhen the file is binary and you want to see the hex.
That three-step habit alone solves a meaningful chunk of beginner General Skills challenges. After those three, reach for grep to search for patterns and base64 -d to decode encoded blobs.
Common challenge types
picoCTF General Skills challenges tend to fall into a handful of patterns. You will be asked to read a file buried in an unusual directory path, decode a base64 or hex string, connect to a remote server with nc (netcat) or SSH and run a command there, pipe the output of one program into another, or make a downloaded script executable with chmod +x before running it.
SSH challenges are a recurring format. The challenge gives you a hostname, port, username, and sometimes a key file, then asks you to connect and find the flag on the remote machine. These challenges are designed to teach you a skill you will use constantly in real security work.
The essential command set
file unknown_filestrings unknown_file | grep picoCTFcat file.txtxxd file.bin | head -20base64 -d encoded.txtecho 'SGVsbG8=' | base64 -dgrep -r 'picoCTF' .chmod +x script.sh && ./script.shssh -p 12345 user@challenge.picoctf.orgnc challenge.picoctf.org 12345
Start with the easy ones and read everything
picoCTF sorts challenges by point value, which roughly tracks difficulty. Start at 50--100 points. Read every word of the challenge description -- flags are often hiding in plain sight inside the description text itself, especially at the lowest point values.
Three challenges that are excellent starting points: Commitment Issues, Blame Game, and Collaborative Development. All three teach git forensics -- reading commit history, inspecting diffs, and checking out branches -- skills that appear across General Skills and Forensics challenges year after year.
Pipes are your best friend
The pipe operator | passes the output of one command directly into the next. strings file | grep picoCTF is faster than reading thousands of strings manually. Get comfortable chaining commands -- it is one of the highest-leverage skills in CTF.
If you want a deeper foundation before diving in, the Linux CLI guide covers the terminal commands that appear most often across picoCTF challenges. For encoding specifically -- base64, hex, and their relatives -- the encodings guide explains how to recognize and decode each format. The online Base64 Decoder tool is handy when you do not want to drop into the terminal for a quick decode.
Follow the structured path
The General Skills path sequences challenges in order of increasing difficulty and links to the relevant writeups. Working through it top-to-bottom is the fastest way to build a complete foundation.
Cryptography: Break the Cipher
Cryptography challenges ask you to recover a hidden message from a scrambled or transformed version of it. picoCTF Crypto runs the full spectrum -- from classical pen-and-paper ciphers that are hundreds of years old, to encoding schemes like base64 and hex, to modern algorithms like RSA and AES that underpin real-world security.
The most important distinction in Crypto
Before you try to solve anything, figure out which of these three things you are dealing with:
- Encoding -- reversible transformation with no key required. Base64, hex, and URL encoding are not encryption. Anyone can decode them with the right tool. If you see something that looks encrypted but there is no key provided, try decoding it first.
- Encryption -- requires a key to reverse. Caesar cipher, XOR, RSA, and AES all fall here. The challenge is either finding the key or exploiting a weakness in how the scheme was implemented.
- Hashing -- one-way transformation with no reverse. MD5 and SHA-256 are hash functions. You cannot decrypt a hash directly -- you crack it by guessing the input and checking whether it produces the same output.
Getting this wrong wastes a lot of time. Trying to "decrypt" a base64 string with a Caesar cipher tool produces nonsense. Identify the scheme first, then choose the right approach.
Classical cipher approach
When the challenge gives you ciphertext that looks like English words with scrambled letters, you are almost certainly dealing with a classical cipher. Start with ROT-13 -- it is the single most common classical cipher in picoCTF and takes two seconds to try. If that does not work, look for repeating patterns in the ciphertext, which suggest a short key (Vigenere or XOR). For single-character substitution ciphers, frequency analysis works reliably: the most common letter in English is E, followed by T and A. Map the most frequent ciphertext symbol to E and adjust from there.
Modern crypto approach
picoCTF modern crypto challenges are not asking you to break AES or crack RSA by brute force -- that would be computationally impossible. Instead, they introduce deliberate weaknesses: a small RSA public exponent, a reused XOR key, two RSA ciphertexts sharing a modulus, or an IV that is all zeros. Your job is to recognize the weakness and apply the known attack for it. The challenge source code is almost always provided -- read it carefully and look for anything that deviates from how these algorithms are supposed to be used.
Identify before you solve
The single most effective habit in Crypto is spending the first few minutes just identifying the cipher type. Look at the output format (is it all letters? hex? base64?), check whether a key is provided, and read the flavor text for hints. Jumping straight to decryption tools without this step leads to wasted effort.
Commands for the terminal
echo 'SGVsbG8gV29ybGQ=' | base64 -dpython3 -c "print(bytes.fromhex('48656c6c6f'))"openssl rsa -in key.pem -text -nooutpython3 -c "print(''.join(chr(ord(c) ^ 42) for c in 'ciphertext'))"
Base64 disguised as encryption is extremely common
A significant number of beginner Crypto challenges are encoding challenges in disguise. The ciphertext looks intimidating, but running base64 -d or converting from hex reveals the flag immediately -- or reveals another layer of encoding to decode. Always try simple decoding before reaching for complex tools.
Good beginner challenges to start with: interencdec (layered encoding), C3 (custom cipher with provided encoder -- write the decoder), and hashcrack (hash identification and dictionary cracking).
Python is the right tool for custom crypto
When a challenge implements a custom cipher in Python, write your solution in Python too. Copy the encryption function, invert the operations (reverse the loop, XOR with the same key, swap add for subtract), and run it on the ciphertext. This approach handles a wide range of picoCTF crypto challenges without needing specialized libraries.
For deeper reading on specific attack types, the RSA attacks guide covers the most common RSA weaknesses in picoCTF, and the hash cracking guide walks through identifying hash types and cracking them with wordlists. The encodings guide is the reference for the encoding layer that appears in nearly every beginner Crypto challenge. Useful tools: the ROT cipher tool for quick classical cipher attempts, the frequency analysis tool for substitution ciphers, and the RSA calculator for working through RSA math. The Cryptography path sequences challenges from encoding basics up through modern crypto weaknesses.
Forensics: Hunt for Hidden Data
Forensics challenges are all about recovering hidden or buried data from files someone hands you. That file might be an image, a network capture, a memory dump, a corrupted archive, or something that looks completely ordinary but is hiding a secret. Your job is to dig it out. Unlike categories that require you to write exploits, Forensics is mostly about knowing which tools to reach for and in what order.
The category breaks into three main areas. File analysis covers identifying what a file actually is, finding embedded content inside it, and reading its metadata. Steganography covers data hidden inside images or audio -- invisible to the naked eye but extractable with the right tool. Network forensics covers PCAP files: packet captures that record real network traffic, which you analyze to reconstruct what happened.
The universal forensics methodology
Every time you get an unknown file, run through this checklist before trying anything clever. Most beginner challenges will fall at step one or two.
file unknown_filestrings -n 8 unknown_fileexiftool image.jpgbinwalk -e firmware.binsteghide extract -sf image.jpg
Step 1 -- file:Reads the file's magic bytes (the first few bytes that identify its true type) and tells you what you are actually dealing with. Never trust the file extension. A PNG renamed to .txt is still a PNG, and file will tell you so.
Step 2 -- strings: Dumps every readable ASCII sequence of length 8 or longer. Flags, URLs, usernames, and hints often survive embedded in binary files. The -n 8 flag filters out noise from short random matches.
Step 3 -- exiftool: Reads all metadata embedded in the file -- camera model, GPS coordinates, author, creation date, comments. Challenge authors love hiding flags in EXIF fields because most people never think to look there. CanYouSee is a perfect example of a flag buried in image metadata.
Step 4 -- binwalk: Scans a file for embedded file signatures and extracts them. The -e flag tells it to actually extract what it finds. This catches ZIP files hidden inside images, firmware images with embedded filesystems, and files-within-files of all kinds. Secret of the Polyglot is a great introduction to files that are simultaneously two different formats.
Step 5 -- steganography tools: If the file is an image and none of the above turned anything up, it may have data hidden with steganography. steghide hides and extracts data from JPEG and BMP images (it will prompt for a password -- try an empty one first). zsteg works on PNG and BMP files and checks many LSB encoding schemes automatically. Check the steganography tools guide for a full breakdown of which tool to use when.
Network forensics with Wireshark
When you get a .pcap file, open it in Wireshark. The immediate view is overwhelming -- thousands of packets. Start by filtering: type http in the filter bar to see only HTTP traffic, or tcp.stream eq 0to isolate the first TCP conversation. Right-click any packet and choose "Follow > TCP Stream" to reconstruct a full back-and-forth conversation as readable text. Flags very often appear in HTTP request paths, response bodies, or custom headers. The Wireshark guide walks through the most common patterns. For hex-level file inspection, the Hex Viewer tool lets you examine raw bytes in the browser. For a deeper look at reading raw binary data, see the hex dumps guide.
Always run the checklist before guessing
It is tempting to jump straight to steghide or a fancy tool. Resist that. Running file, strings, and exiftool takes under 10 seconds and catches the majority of beginner Forensics challenges. Only escalate to heavier tools after the basics come up empty.
QR codes count as forensics too
Some challenges hand you an image that turns out to be a QR code. Scan Surprise is a good early example. If file says it is a PNG and the image looks like a grid of squares, scan it.
Try empty passwords first
When steghide or a zip file asks for a password, always try pressing Enter with no input first. A large number of beginner challenges have no password at all, and skipping this step will have you running wordlist attacks on a file that was never locked.
Follow the structured Forensics path to work through challenges in order of difficulty.
Web Exploitation: Attack the Browser
Web Exploitation challenges give you a URL and ask you to break the web application sitting behind it. That might mean stealing data, bypassing authentication, reading files on the server, or escalating your privileges. The vulnerabilities are real -- the same classes of bugs that show up in actual security research -- just presented in a controlled environment designed for learning.
The mindset shift is the most important thing to internalize early. Stop thinking like a user and start thinking like an attacker. Every input field is an opportunity to inject something unexpected. Every URL parameter is a value the server trusts -- maybe too much. Every cookie is a claim the server believes -- unless you tamper with it. Your default assumption should be: "what happens if I send something the developer did not expect here?"
Essential browser skills
Before installing any tools, learn the two built-in ones. View Page Source (Ctrl+U) shows you the raw HTML the server sent -- including comments, hidden fields, and JavaScript files linked at the bottom. Developers frequently leave debug comments, staging URLs, or even flags sitting in HTML comments. Browser DevTools (F12) goes further: the Network tab shows every request the page makes and every response it gets. The Application tab shows cookies, local storage, and session storage. Bookmarklet and Unminify are both solvable with nothing more than these browser-native tools.
The four most common vulnerability types
1. Hidden content: Look in the HTML source for comments, check linked JavaScript files for hardcoded values, and inspect hidden form fields (type="hidden"). Flags sometimes appear verbatim in the source.
2. Cookie and session manipulation:Open DevTools, go to Application > Cookies, and look at what the site is storing. If a cookie value looks like admin=false, try changing it to admin=true. If it looks like a long encoded string, it might be a JWT. Our cookie and JWT guide covers the common attacks, and the JWT Decoder tool lets you inspect and modify JWTs directly in the browser.
3. SQL injection: When a site has a login form, try putting SQL syntax into the username field. If the backend constructs a query by concatenating your input directly, you can break out of the intended logic:
' OR '1'='1' OR 1=1--admin'--
These make the SQL WHERE clause always evaluate to true, logging you in without a valid password. See the full SQL injection guide for more techniques including data extraction.
4. Server-side issues: Path traversal means manipulating a file path parameter to read files outside the intended directory -- for example, changing ?file=report.txt to ?file=../../../../etc/passwd. Template injection means inserting template syntax into an input field that the server renders, causing it to execute code.
Burp Suite: the core web CTF tool
Burp Suite sits between your browser and the server, intercepting every HTTP request before it goes out. This lets you read and modify requests that the browser would normally send automatically -- changing cookie values, tweaking hidden form fields, replaying requests with different parameters. The Community Edition is free and handles everything you need for picoCTF. IntroToBurp is designed specifically to teach you the basics.
Methodology
When you open a new web challenge, run through this in order: view source and grep for flags or suspicious comments; check all cookies and local storage in DevTools; try SQL injection on any login form; look at all outgoing requests in the Network tab; then set up Burp and start modifying requests if nothing obvious appeared.
Read the JavaScript, not just the HTML
Beginners often stop at the HTML source. The linked JavaScript files frequently contain API endpoints, hardcoded credentials, client-side validation logic that can be bypassed, and occasionally flags. In DevTools, go to Sources and look through every .js file loaded by the page.
Client-side validation is not real security
If a form refuses to let you submit certain input, that restriction only exists in the browser. Use Burp or DevTools to send the request directly with whatever value you want. The server may have no such validation at all.
robots.txt and common paths are worth checking
Always try /robots.txt, /admin, /backup, and /.git on any challenge web server. Challenge authors sometimes forget that a disallowed path in robots.txt is essentially an advertisement that something interesting is there.
Work through challenges in order with the structured Web Exploitation path.
Reverse Engineering: Read the Machine
Reverse engineering challenges ask you to analyze a compiled program -- without any source code -- and figure out what it does. Usually that means finding a secret string, reconstructing a transformation, or understanding a custom algorithm. The goal is almost always to recover a flag that the program is hiding.
The category name sounds intimidating, and a lot of newcomers skip it entirely. That is a mistake. picoCTF reverse engineering challenges are designed to be approachable, and many of the beginner ones can be solved without reading a single assembly instruction. You do not need to understand every line of machine code. You need to understand enough to find the flag.
Think of RE as three levels of depth. At the surface level, tools like strings and ltrace let you extract readable text and watch library calls without touching any disassembly at all. In the middle, a decompiler like Ghidra converts binary code back into readable C-like pseudocode. At the deep end, you read raw assembly -- but you rarely need to go there in picoCTF.
The RE methodology
- Run
fileto identify what you are dealing with -- ELF executable, Windows PE, Python bytecode, or something else entirely. - Run
stringsand grep for "pico". A surprising number of beginner challenges hide the flag in plain text inside the binary. - Run
ltraceto trace library calls. If the program callsstrcmpto compare your input against a hardcoded string, ltrace will print both sides of the comparison right in your terminal. - Run
straceto trace system calls. Useful when a program is reading files or making network connections you did not expect. - If none of the above gives you the flag, load the binary into Ghidra for full decompilation.
file programstrings program | grep -i picoltrace ./programstrace ./programchmod +x program && ./program
Ghidra is a free, open-source reverse engineering tool from the NSA. It can turn a compiled binary back into C-like pseudocode that is much easier to read than raw assembly. The key skills to develop are: loading a binary and letting auto-analysis run, finding the main() function in the symbol tree, and reading the decompiled output in the right panel. You do not need to understand every detail -- focus on string comparisons, return values, and conditional branches.
In picoCTF, the most common RE patterns are: a program that compares your input to a hardcoded string (ltrace catches this instantly), a program that applies a simple XOR or ROT transformation to the flag before comparing it (reverse the math), and a program that checks mathematical conditions on your input (solve the equations).
Good starting points are Flag Hunters and Classic Crackme 0x100. Both are well-structured beginner challenges that teach the core pattern without overwhelming you.
Start with strings before touching Ghidra
Run strings program | grep -i pico first, every single time. You will be surprised how often a beginner challenge just has the flag sitting there in plaintext. Save Ghidra for when the easy approaches fail.
ltrace is your best friend for crackmes
When a program asks for a password, run it under ltrace first. If it calls strcmp(your_input, secret_password), ltrace prints both arguments. You get the answer without reading any assembly.
You do not need to understand everything
Ghidra's decompiled output can look messy. That is fine. You are not trying to understand the whole program -- you are hunting for one thing. Look for where the flag string gets constructed or compared. Ignore the rest until it becomes relevant.
When you are ready to go deeper, read the Ghidra guide for a full walkthrough of the tool, and the GDB guide for dynamic analysis. The Hex Viewer and ASCII Table tools are useful when you are staring at raw bytes. Follow the Reverse Engineering path for a structured progression through the category.
Binary Exploitation: Take Control
Binary exploitation -- often called "pwn" in CTF circles -- is about finding memory corruption vulnerabilities in compiled programs and using them to hijack what the program does. Instead of just reading the flag out of the binary, you force the program to give it to you by breaking how it manages memory.
This is the hardest category in picoCTF, and that reputation is earned. To do pwn well, you need to be comfortable with reverse engineering, understand C and how it manages memory, know the Linux memory model, and be able to write exploit code in Python. If you are brand new to CTFs, do not start here. Build your foundation in General Skills and Reverse Engineering first, and get comfortable with basic C programming before attempting binary exploitation challenges.
The Linux memory model
Every running program has several regions of memory. The stack holds local variables and return addresses and grows downward. The heap holds dynamically allocated memory created with malloc and grows upward. The text segment holds the actual program code. The GOT and PLT are tables that handle linking to shared libraries at runtime. Most buffer overflow exploits target the stack; most heap challenges target the heap metadata or allocator behavior.
Three entry-level vulnerability types
- Stack buffer overflow -- A program copies user input into a fixed-size buffer without checking the length. If you write past the end of the buffer, you overwrite the return address that tells the program where to go when the current function finishes. Control that return address and you control execution.
- Format string vulnerability -- A program calls
printf(user_input)instead ofprintf("%s", user_input). Format specifiers like%xand%nin user input let you read from and write to arbitrary memory locations. These challenges often let you leak the flag directly from memory. - Heap overflow -- Writing past the end of a heap-allocated buffer can corrupt the metadata that the allocator uses to track free chunks. Beginner heap challenges in picoCTF usually have a
win()function you just need to redirect execution to.
Essential tools
Your toolkit for pwn has three pieces. checksec reads a binary and tells you which protections are enabled -- stack canaries, ASLR, PIE, NX -- so you know what you are working against. pwntools is a Python library built specifically for writing exploits: it handles sending payloads, receiving output, packing addresses, and connecting to remote services. GDB with either the PEDA or PWNDBG plugin gives you a debugger that shows register values, stack layout, and memory in a useful format for exploit development.
The standard pwn workflow
checksec --file=./binarypython3 -c "print('A'*100)" | ./binarycyclic 100 # pwntools pattern for finding offsetgdb ./binary
First run checksecto understand the binary's protections. Then identify the vulnerability type. Next, find the exact offset from the start of your input to the return address using a cyclic pattern. Finally, write a Python script using pwntools that sends the right payload to trigger the vulnerability.
Good starting challenges are format string 0, heap 0, and PIE TIME. These are intentionally designed to teach the core concepts without layering on too many protections at once, making them ideal first pwn challenges.
Set up PWNDBG or PEDA before you start
Vanilla GDB is painful for exploit development. Install PWNDBG (or PEDA) first -- they add automatic context display showing registers, stack, code, and backtrace every time execution pauses. It turns GDB from confusing into genuinely useful.
Always run checksec first
Before reading a single line of disassembly, run checksec --file=./binary. If there is no stack canary and no PIE, a basic overflow is likely the path. If everything is enabled, you are dealing with a more advanced challenge. Let the protections tell you what techniques are relevant.
Exploit locally before connecting remotely
Get your exploit working against the local binary first. Once it works locally, switch to pwntools' remote() function to connect to the challenge server. Debugging against a live remote connection is much harder than debugging locally where you can attach GDB.
For deeper reading, the buffer overflow guide covers stack exploitation from the ground up. The format string guide walks through reading and writing memory with format specifiers. When you start hitting binaries with ASLR and PIE enabled, the ASLR/PIE bypass guide explains the techniques. Work through the Binary Exploitation path for a structured progression through the category.
Tips & Common Mistakes
These patterns show up constantly among players who are new to picoCTF. Knowing them before your first session saves a lot of frustration.
Read the challenge description completely before touching the files
Flags are hidden in challenge descriptions more often than you would expect, especially at lower point values. The flavor text always contains hints. Read it twice before starting.
Check the flag format before submitting
picoCTF flags follow the format picoCTF{...}. If you found something that looks like a flag, make sure it has the right brackets, the right prefix, and no extra whitespace. Incorrect format is a common reason a correct answer gets rejected.
Use the hints -- they are not free forever, but they do not hurt your score
Hints cost hint tokens in some competition formats, but during practice in the picoGym they are free. Always check the hints before spending an hour stuck. They often narrow the problem from a wide search space to a specific tool or technique.
Do not skip General Skills
Many beginners skip General Skills because the challenges seem too simple. That is a mistake. The commands and habits you build in General Skills -- file inspection, pipes, SSH, encoding -- are used in every other category. Skipping it creates gaps that slow you down later.
Time-box your attempts
If you have been stuck on the same challenge for more than 45 minutes, move to another challenge in the same category or switch categories entirely. Come back with fresh eyes. A completely different perspective often unlocks what you were missing.
Use writeups strategically -- understand the why, not just the how
Writeups are tools for learning, not shortcuts for points. When you read one, make sure you understand the underlying vulnerability or concept before moving on. A writeup that you copied without understanding does not help you on the next challenge. Every challenge on this site has a detailed writeup -- use them to learn, not just to finish.
Always try strings first, every time
No matter what category the challenge is in -- if there is a binary or file to analyze -- run strings and file on it before anything else. This takes five seconds and solves a meaningful percentage of beginner challenges outright. It is the single highest-leverage habit you can build.
Working with a team is significantly more effective
CTF is designed for teams. Different people are strong in different categories. If you have access to teammates -- even one other person -- divide the challenge categories by interest and compare notes. The picoCTF Discord is also an active community for questions and collaboration.
Next Steps
You now have a complete picture of what picoCTF involves, the right order to approach it, and the tools and methodology for each category. Here is how to turn that into actual progress:
Start with the picoGym. Every past picoCTF challenge from 2019 through 2026 is available year-round at picoctf.org. Work through General Skills first, then Cryptography. Build the foundation before expanding into the other categories.
Use the learning paths. Each category has a curated path on this site that sequences challenges from easiest to hardest with links to writeups:
Explore past competitions.Each year's challenges are grouped on the events page. Working through a full competition year -- starting from the easiest challenges and working up -- is one of the most effective ways to improve across all six categories at once.
Read the guides. When you hit a new technique, there is almost certainly a detailed tutorial on this site covering it. The posts section covers everything from SQL injection to Ghidra to format string exploitation, with examples drawn from real picoCTF challenges.
Use the tools. The tools section provides browser-based utilities for the most common CTF operations -- base64 decoding, cipher tools, hash identification, RSA math, and more -- so you can work quickly without dropping into the terminal for every small conversion.
Good luck, and enjoy the challenges.