Adam Doupé

Associate Professor, Arizona State University
Director, Center for Cybersecurity and Trusted Foundations

picoCTF Preparations

| Comments

Getting Started

picoCTF is an awesome hacking competition aimed at High School students. The great guys at CMU and PPP are putting on this innovative competition. I had some High School students ask for pointers to prepare for the picoCTF. I invited them to our weekly hacking group and talked about the hacking mindset and basic tools. They amazed me with their knowledge—I was cutting my teeth on TI-83 BASIC programming in math class when I was their age.

What follows are my notes on the lecture I gave and the discussion that we had. I hope other young hackers find these resources useful while preparing for picoCTF.

Hacker Mindset

First and foremost, we need to understand how the hacker thinks. How should you think when you’re trying to break a program?

What is hacking?

To me, hacking is using something in a different way than the designer intended. For programs, this means bending the program to your will and making it do something that the original developer didn’t intend. Note that you can hack other things than programs, but we’ll keep our focus on computer systems.

How is competition hacking different?

  • Someone created this program with the specific purpose of you hacking and breaking it.

  • Ask yourself – what’s my goal here?

  • Get a flag, understand how a program works, find a hidden file, find hidden information, crack a code.

  • What are the program’s assumptions?

Problem Solving

For me, problem solving is the most important skill for a hacker. For a programmer as well.

Before you can solve a problem, you must first understand: What is the problem? Seems simple, but it’s an important point.

Problem solving takes similar skills to debugging—something is happening that I do not expect.

Think like a scientist

You have assumptions. What are those assumptions?

Run through each one of your assumptions. Where did you get this assumption? Is this assumption still valid?

What is going on? What exactly is the problem? Does it invalidate one of your assumptions?

What is your current hypothesis?

What is the easiest way to test your hypothesis? This is the thing I see hackers fail the most. Oh, you think the database is MySQL and you’re trying to create an SQL injection exploit? Should you take an hour to finely craft a MySQL-specific SQL injection exploit? Or should you take five minutes and test that MySQL-specific comments work in your SQL-injection?

Basic Tools

  • Your brain

Gotta bring your brain if you wanna compete. Sometimes you need to step away from a problem to give your brain time to chew on the problem.

I don’t care what editor you use, but choose something and learn it. That time pays dividends in the future, so do it now.

  • Touch typing

Sounds silly, but when I was in college I thought I could type correctly. I used a modified hunt-and-peck developed from furious AIM conversations in 7th and 8th grade. However, I made lots of mistakes and wasn’t as fast as I could be (and am now).

When I got a job developing software professionally for Microsoft I took the time and practiced correctly touch typing for an hour a day. I’m now much faster, I type correctly, and I don’t have any wrist issues. Plus, I’m not embarrassed when other people watch me type.

It’s really important, not just for hackers, but for developers as a whole to be able to read other people’s code. Also useful is to use a debugger while reading the code so you can validate your assumptions about how the code works and what the code is doing.


These next four tools are what I run on every binary I get for every single hacking competition.

  • file

  • strings

  • strace

  • ltrace


The following network tools are indispensable.

  • netcat/nc/socat

  • tcpdump/wireshark/tshark/


Can you understand the (silly) reference we’re making?

  • Google-fu

  • Famous hacking instances

  • Internet Memes


Can you find the hidden flag?


Can you break the code and get the flag?

Web Exploitation

Can you compromise a web application? Lot’s of types, two biggest that you absolutely must be familiar with are XSS and SQL Injection.

Specifically here I’m talking about knowing how to use the JavaScript console and JavaScript debugging capabilities of Chrome or Firefox.

Reverse Engineering

How does this program work? Usually here you need to understand the program then once you understand the problem you can get the flag.

  • objdump

  • readelf

Binary Exploitation

Can you crash it? Can you force the program to give you the flag?

That’s it, please feel free to add your own recommendations.