Frequently Asked Questions

This page will answer to your most frequent questions

What is a "flag" or a "validation password"?

This is the word to find in each challenge. You will be able to prove that you have passed the challenge by entering this password on the challenge page.

My IP address seems to be banned, how can I access the website again?

A firewall makes us safe against Deny of Service attacks, banishing every IP address that :
 initiates more than 25 connections per second
 maintains more than 25 TCP connections simultaneously

This banishment is temporary and lasts only 5 minutes. Don’t try to connect to our services during ban time or it will be extended.

I cannot connect to challenges

In order to access to the challenges’ machines, you must be authenticated to the portal www.root-me.org. Once you are authenticated, your IP address will be allowed by the firewall. You have to use the same IP address for your authentication and for challenges.
Don’t forget that Root-Me’s SSH services dont work on port 22. You must give the right port when you connect.
Use the Services state page to be informed of the state of each service and if your IP address is allowed to access it.

Where are my precious points gone?!

Weekly, and at each flag validation, players’ score are recalculated. So if the amount of points given by a challenge changes, your score will change as well.

Should we send session cookie to access web challenges?

No, it is never necessary to send the web portal cookies (for example spip_session) to have access to the web challenges. Only IP address filtering is performed.

Why do some published solutions not work anymore?

Some older solutions don’t textually work anymore. Challenges and systems hosting them are sometimes updated, and solutions must consequently adapt.
These modifications usually concern App-System challenges, for which some protections are subject to change with time. For example, dash (used by /bin/sh, hence by system(3)) does not keep effective privileges by default anymore (same behavior as bash), which has to be taken into account for some exploits.

I’m a beginner and I’m a bit lost... where should I start?

Some Root-Me sections are quite hard, like the Realistic challenges that need strong knowledge about webapp flaws for example.
It is the number of lost beginners that made us think you need an example of learning path to show you where to go first :