Frequently Asked Questions

This page will answer to your most frequent questions

What is a "flag" or a "validation password"?

This is the word to find in each challenge. You will be able to prove that you have passed the challenge by entering this password on the challenge page.

My IP address seems to be banned, how can I access the website again?

A firewall makes us safe against Deny of Service attacks, banishing every IP address that :
– initiates more than 25 connections per second
– maintains more than 25 TCP connections simultaneously

This banishment is temporary and lasts only 5 minutes. Don’t try to connect to our services during ban time or it will be extended.

I cannot connect to challenges

In order to access to the challenges’ machines, you must be authenticated to the portal www.root-me.org. Once you are authenticated, your IP address will be allowed by the firewall. You have to use the same IP address for your authentication and for challenges.
Don’t forget that Root-Me’s SSH services dont work on port 22. You must give the right port when you connect.
Use the Services state page to be informed of the state of each service and if your IP address is allowed to access it.

Where are my precious points gone?!

Weekly, and at each flag validation, players’ score are recalculated. So if the amount of points given by a challenge changes, your score will change as well.

Should we send session cookie to access web challenges?

No, it is never necessary to send the web portal cookies (for example spip_session) to have access to the web challenges. Only IP address filtering is performed.

Why do some published solutions not work anymore?

Some older solutions don’t textually work anymore. Challenges and systems hosting them are sometimes updated, and solutions must consequently adapt.
These modifications usually concern App-System challenges, for which some protections are subject to change with time. For example, dash (used by /bin/sh, hence by system(3)) does not keep effective privileges by default anymore (same behavior as bash), which has to be taken into account for some exploits.

I’m a beginner and I’m a bit lost... where should I start?

Some Root-Me sections are quite hard, like the Realistic challenges that need strong knowledge about webapp flaws for example.
It is the number of lost beginners that made us think you need an example of learning path to show you where to go first :

•    Network
  

  Investigate captured traffic, network services and perform packet analysis

  related ressource(s)
  – Scapy en pratique
  – Practical packet analysis - Wireshark
  – Réseau
  

• Programming   
  

  Automate tasks and build shellcodes.

  related ressource(s)
  – Learning with Python
  – Learning ruby.tar
  – Apprenez ruby.tar
  

•    Cryptanalysis
  

  Break encryption algorithms

     Steganography
  

  The art of hiding information in a document.

  related ressource(s)
  – Stéganographie
  – Cryptographie
  

• Web - Server   
  

  Discover the mechanisms, protocols and technologies used on the Internet and learn to abuse them!

  Web - Client   
  

  Client-side technologies implemented in the web browser

  related ressource(s)
  – OWASP testing guide v4
  – Sécurité du Code des Applications Web
  – Exploitation - Web
  

•    Forensic
  

  Train digital investigation skills by analyzing memory dumps, log files, network captures...

  related ressource(s)
  – Forensic
  

• App - Script   
  

  Exploit environment weaknesses, configuration mistakes and vulnerability patterns in scripts and systems.

  App - System   
  

  These challenges will help you understand applicative vulnerabilities.

  Cracking   
  

  Reverse binaries and crack executables.

•    Realist
  

  Realistic challenges.

     CTF all the day
  

  Improve your hacking skills in a realistic environment where the goal is to fully compromise, « root » the host !