Discover the mechanisms, protocols and technologies used on the Internet and learn to abuse them!
These challenges are designed to train users on HTML, HTTP and other server-side mechanisms. The following series of challenges will cultivate a better understanding of techniques such as the basic workings of multiple authentication mechanisms, handling form data, the inner workings of web applications, etc.
Understand the HTTP protocol.
Ability to manipulate a web browser.
Remote File Inclusion
CGI (perl, python, bash)
| Results | Challenge's Name | Validations | Number of points | Difficulty | Author | Note | Solution |
|---|---|---|---|---|---|---|---|
| | HTML | 2818 | 5 Points | Very easy | g0uZ | | 0 |
| | Weak password | 2110 | 10 Points | Very easy | g0uZ | | 0 |
| | User-agent | 1252 | 10 Points | Very easy | g0uZ | | 0 |
| | Backup file | 607 | 15 Points | Easy | g0uZ | | 0 |
| | HTTP directory indexing | 1352 | 15 Points | Easy | g0uZ | | 0 |
| | HTTP GET | 655 | 15 Points | Easy | g0uZ | | 0 |
| | HTTP verb tampering | 787 | 15 Points | Easy | int_0x80 | | 0 |
| | Install files | 870 | 15 Points | Easy | g0uZ | | 0 |
| | File upload - double extensions | 550 | 20 Points | Medium | g0uZ | | 0 |
| | File upload - MIME type | 473 | 20 Points | Medium | g0uZ | | 1 |
| | HTTP cookies | 1237 | 20 Points | Medium | g0uZ | | 0 |
| | Directory traversal | 900 | 25 Points | Medium | g0uZ | | 0 |
| | File upload - null byte | 423 | 25 Points | Medium | g0uZ | | 1 |
| | PHP filters | 512 | 25 Points | Medium | g0uZ | | 1 |
| | PHP register globals | 334 | 25 Points | Medium | g0uZ | | 1 |
| | Local File Inclusion | 669 | 30 Points | Medium | g0uZ | | 1 |
| | SQL injection - authentication | 996 | 30 Points | Medium | g0uZ | | 1 |
| | SQL injection - string | 402 | 30 Points | Medium | g0uZ | | 0 |
| | LDAP injection - authentication | 180 | 35 Points | Medium | g0uZ | | 0 |
| | SQL injection - numeric | 383 | 35 Points | Medium | g0uZ | | 1 |
| | XPath injection - authentication | 276 | 35 Points | Medium | g0uZ | | 2 |
| | XPath injection - string | 106 | 40 Points | Medium | g0uZ | | 0 |
| | SQL injection - blind | 365 | 50 Points | Hard | g0uZ | | 2 |
| | LDAP injection : blind | 61 | 55 Points | Hard | g0uZ | | 0 |
| | XPath injection - blind | 109 | 55 Points | Hard | g0uZ | | 1 |
| sm0x | SQL injection - blind | 13 December 2013 at 02:06 |
| anass Fellaq | HTML | 13 December 2013 at 01:32 |
| badhacker | HTTP directory indexing | 12 December 2013 at 23:59 |
| sniper399 | File upload - null byte | 12 December 2013 at 23:51 |
| i-Hmx | LDAP injection - authentication | 12 December 2013 at 23:51 |
| badhacker | XPath injection - authentication | 12 December 2013 at 23:51 |
| ReZk2ll | HTTP cookies | 12 December 2013 at 23:36 |
| l12345v | Weak password | 12 December 2013 at 22:47 |
| l12345v | HTML | 12 December 2013 at 22:46 |
| dvor4x | SQL injection - string | 12 December 2013 at 22:10 |
You can simply share the link to see your score in your profile
please add feature to share my score on social networks (fb,tw etc)
stor: it works for me. You have to be also connected with the same IP to the site to get access.
hardened binary ssh server (challenge03.root-me.org:2224) is down?
the CTF were down yes
That me or the CTF are down ?
The discussion goes on on the forum
I don't get it. I am using nslookup, but I can't do a zone transfer because of the security settings.
find a tool to speak to a dns server
Can someone give me a hint for the network DNS zone transfer challenge? I can connect to the DNS server but ls -d ch11.... doesn't seem to work.
The App-Script Shell4 challenge has been changed. Those who already did it can do it again.
English forums for challenges are now open, and yes, the challenge lists are still in the same order as in the French part.
Yeah, it looks like C&C-1 is a bit trickier than that. A good starting point is the related resources.
You are welcome to post your challenge related questions on the forum so it can help out other people too.
Seriously don’t understand C&C level 1. I have literally tried every accepted foreign IP address that just talks to one computer on the network. Only problem is there are like none
The App-Script Shell5 challenge is down until tomorrow morning.
Hi. I'm trying to root LAMP ctf6 and I'm stuck here. I'm in the machine but as an apache user. So I uploaded a local exploit, 8478.sh, and ran ./8478.sh 379, but the generated SUID file isn't owned by root, still apache. Where am I going wrong?
section EN, main page, solutions: no challenge name!
The Root-Me.org team wishes a Merry Christmas to everyone!
New crypto challenge "Padding Oracle" released !
Go ! go !