picoCTF 2026

Overview

I participated in picoCTF as the captain of team struct msg_msg, ending up as the overall winner in Africa.

leaderboard

How it all started?

Background

I started studying cybersecurity around February 2022 because of an incident that made me want to “pwn” the infrastructure. I never actually went through with it, though (don’t be unethical 🤫).

As I kept learning, I became genuinely passionate about cybersecurity. Over time, I moved away from the reason that got me started and began doing it simply because I enjoyed it. What started as curiosity eventually turned into a hobby, a skill, and something I truly love doing.

After about six months of consistent study, I wanted to actually test what I had been learning and see what I could do with it in practice. That was when I came across CTFs.

What exactly is CTF?

Capture The Flag

It’s a cybersecurity competition where participants solve security challenges to find hidden “flags”, which give them points; the higher your points, the higher you climb up the leaderboard.

It really sounded like fun, and at that time I was addicted to solving vulnerable machines (aka boot2root).

Using platforms like TryHackMe (king of the hill), HackTheBox, PwnTillDawn, I climbed the leaderboard and got to top 1 in Nigeria (although it did take some time to achieve on some of these platforms...)

The current TryHackMe leaderboard for KOTH (even after 4 years I'm still at the top - the number of games won shows I was really addicted to it haha)

PwnTillDawn (really cool platform! - as of now, I have just 3 machines left to pwn)

HackTheBox

At that time, most of the solves were done at my pace (days, weeks, months…) and I wanted to see what I could do in a competitive environment.

I came across the Cyber Security Challenge Nigeria (CYSEC NG) CTF, but it was only open to university students at the time, and I was still in high school, so I couldn’t participate.

Luckily, another CTF came up: the American Business Council (ABC) CTF.

I managed to join with a friend of mine, mycr0ft. We were in the same school, same class, and he was one of my closest friends as we studied cybersec together.

For a first CTF ever, we actually didn’t do badly at all. We finished 7th on the leaderboard 😆

I still remember the adrenaline from solving the web challenges (file upload bypass via malicious .htaccess upload - pretty easy ikr but as of then it took quite a bit of research; razor SSTI - I didn’t eventually solve this, didn’t know how to get a reverse shell... wasn’t aware of the existence of VPS lmao; using hexeditor to fix a corrupted file; and many more challenges).

This was the first thing I said on joining the Discord server. I cringe now knowing no one replied to me 🤣 (I'm 0x1337 btw)

From there, I realized there were a lot of really strong players out there, and I was honestly shocked that people like that existed in Nigeria.

That moment changed things for me. I started putting in more effort, not just to learn, but to get to a level where I could actually compete at the top of leaderboards. It felt like a real achievement worth chasing.

I also began talking to some of the stronger players, learning from them, and occasionally teaming up with them for CTFs, and we ended up winning quite a few together.

Where does picoCTF come into play?

At that time, I was mostly focused on Web/Boot2Root/Misc challenges. Then sabR CTF 2023 happened. It was a CTF aimed at hunting talents across Africa, hosted by acez.

sabr

I actually ended up taking 1st place, which was surprising. That was also the moment I got properly introduced to categories like Pwn and Reverse Engineering, since the CTF was heavily focused on binary analysis and exploitation to select participants for OffensiveCon in Berlin, Germany (though I couldn’t attend due to visa issues).

I still remember stumbling into a simple format string attack for a GOT overwrite with basically no prior pwn knowledge. It took me about two days to figure out, but I eventually got it working, and that, along with some other pwn challenges I solved, was enough to push me into 1st place.

There were still quite a few challenges I didn’t solve during the competition, but I went back later and upsolved them. Some of them turned out to be really interesting problems.

After that, I got recruited by some friends to participate in picoCTF. We played as team 8h037, and we placed 1st.

Team profile

My profile (somehow 1337 always ends up in my username lol)

I actually ended up solving all the Pwn challenges, along with a few others.

However, we didn’t qualify for prizes because of eligibility rules. I wasn’t a university student at the time. Even though I was still a high school student and would normally qualify, being on a team made up of university students meant we didn’t meet the requirements.

It was a bit disappointing not to receive any prize. Still, the experience itself…the sleepless nights, the two weeks of intense solving, and the momentum we built was honestly rewarding in its own way.

In 2024, I participated in picoCTF again, this time as part of team Fuji_, and we placed 2nd.

Team profile

Unfortunately, we still didn’t qualify for prizes, even though I was officially a student by then.

Two strong finishes in a row, but no prize both times.. it was a bit disheartening.

Here finally comes my first picoCTF win in 2025.

Team profile

My profile (finally I used the name h4cky0u)

As you can see, I played with team M3V7R, which was mainly a Beninese team of four, and I was the only Nigerian. Honestly, I was genuinely impressed by how strong they were.

I mostly handled the Pwn/RE challenges, while they cleared the rest at a much faster pace.

I also documented the challenges I solved in a write-up, which you can find here

In the end, we placed 1st, and this time we actually qualified for prizes. I received a Hack The Box voucher, which I later used to earn my CPTS certification.

logo cpts

2026 came, and by then the guys at M3V7R had already finished school, so I had to find new teammates.

I knew someone at my current school, Federal University of Technology Minna, and I figured we could actually build a solid team together.

From there, I decided to form a new squad: h4cky0u, mycr0ft, bangiskhan, and cyb3rl1ly.

Our goal was simple: we wanted to win.

This was my first time managing a team, so it was quite a difficult task.

To make that happen, I made sure we started preparing about a month in advance.

me

There were ups and downs, but overall, everything went fine.

D-Day

The event ran from March 9, 2026 (4:00 PM) to March 19, 2026 (7:00 PM).

By 4:00 PM, we were all set and ready to go.

Once it started, the challenges were pretty easy. However, with how fast things were moving, especially with AI slop, it became harder to stay at the top since teams were solving at a rapid pace.

I started with the Pwn challenges first. Most of them were straightforward, except the last one, Pizza Router. It wasn’t necessarily hard, but it took some time to figure out.

pwn

As usual, I had my “ranting moments” while solving it haha:

rant1 rant2 rant3

The reverse engineering challenges were pretty easy aside from JITFP. I don’t even want to talk about it, very annoying challenge lol. I stayed up all night for it knowing I had school lectures by 9am, although it was eventually solved.

After all the other challenges were completed, we were left with the final web challenge called paper-2.

At that point, we were sitting around 30th place on the African leaderboard, so everything depended on solving this last challenge.

Before I started working on it, my teammates had already attempted it but hadn’t made much progress.

Fun fact: it was labelled “that crazy hard web” as a thread. I only joined the challenge about two days after the CTF began because I was busy with school work.

hehe

The challenge had a very strict CSP (Content Security Policy) in place:

csp

After about 10 hours of working on it, I got this idea:

idea idea2 idea3 idea4

Unfortunately, I didn’t manage to get it working that day, and I eventually moved on to look for other approaches.

The next day I skipped a school lecture (although they eventually cancelled it - lucky me 😄).

go

I decided to go with the Redis theory (after my teammate told me to go on with it).

Took a Monster energy drink

Started off easy, using CSS injection to confirm leaking the secret (just a nibble).

css

Then things started getting painful.

Honestly, I don’t even fully remember all the details of this part anymore. It was messy and the idea didn’t work 😭

Eventually, it became clear that CSS injection alone wasn’t enough; we had to search for other usable formats.

With some research on using the XSLT format + AI to optimize, we had a working solution.

In the end, we achieved first blood in Africa, pushing us back to 1st place on the leaderboard.

solved

It was a genuinely tough challenge and took a lot of time and effort to crack.

By the end, I had solved this number of challenges:

preview2

The End

They held the closing ceremony, and we were announced as the overall winners in Africa.

winners

I’m the first person ^_^

We were also awarded a certificate of achievement.

award

Looking back, picoCTF played a major role in shaping my foundation in cybersecurity. It helped build my skills, discipline, and confidence in competitive environments, and I’m genuinely grateful for the journey it gave me.

struct msg_msg is a Linux kernel data structure used by System V IPC (Inter-Process Communication) message queues. It is involved in operations such as msgget, msgsnd, and msgrcv, where it represents and manages messages stored in kernel space.

This post is licensed under CC BY 4.0 by the author.