PicoCTF is an annual hacking contest held by Columbia University, providing a host of challenges in a variety of categories with varying difficulty.
This article serves as a guide to solving some of the challenges found in the 2025 iteration of the contest, with a specific focus on the Reverse Engineering, Web Exploitation, and Cryptography categories.
Web Exploitation challenges primarily consisted of decoding flags with techniques such as Base64 or SHA-1 decoders, with some requiring the use of JavaScript engines to evaluate custom code in order to gain read access to the flag.mp3 file.
Reverse Engineering challenges required the use of generic reversing techniques, such as dealing with packed executables and performing black-box analysis of ELF files, with one challenge requiring the use of a known collision exploit to gain access to a SHA-1 hashed flag.
Lastly, Cryptography challenges focused on the use of specific hashing algorithms to decode various hashes, such as MD5 and SHA-1 used in previous challenges, and some required custom decoding techniques to gain access to encrypted flags.