Frequently Asked Questions

This page will answer to your most frequent questions

What is a "flag" or a "validation password"?

This is the word to find in each challenge. You will be able to prove that you have passed the challenge by entering this password on the challenge page.

My IP address seems to be banned, how can I access the website again?

A firewall makes us safe against Deny of Service attacks, banishing every IP address that :
 initiates more than 25 connections per second
 maintains more than 25 TCP connections simultaneously

This banishment is temporary and lasts only 5 minutes. Don’t try to connect to our services during ban time or it will be extended.

I cannot connect to challenges

In order to access to the challenges’ machines, you must be authenticated to the portal Once you are authenticated, your IP address will be allowed by the firewall. You have to use the same IP address for your authentication and for challenges.
Don’t forget that Root-Me’s SSH services dont work on port 22. You must give the right port when you connect.
Use the Services state page to be informed of the state of each service and if your IP address is allowed to access it.

Where are my precious points gone?!

Weekly, and at each flag validation, players’ score are recalculated. So if the amount of points given by a challenge changes, your score will change as well.

Should we send session cookie to access web challenges?

No, it is never necessary to send the web portal cookies (for example spip_session) to have access to the web challenges. Only IP address filtering is performed.

I’m a beginner and I’m a bit lost... where should I start?

Some Root-Me sections are quite hard, like the Realistic challenges that need strong knowledge about webapp flaws for example.
It is the number of lost beginners that made us think you need an example of learning path to show you where to go first :