Recently

We are proud to welcome the public institution ENSTA Bretagne as the new academic sponsor of Root-Me. The engineering school will use Root-Me PRO environments to train its students in cybersecurity.

Built on a legacy of training on its Brest campus since 1819, ENSTA Bretagne and its history go hand in hand with the history of engineering, industry, the arsenals and new technology in France.

We are proud to announce a new sponsorship with GEOIDE Crypto&Com, specialized in cybersecurity products development coupled with hypervision and decision support solutions.

What happened?

By construction, the Root-me foundation has always trusted all of its members and for that matter the most active ones generally have administration privileges.
A platform administrator that has, in his time, contributed a lot to the project and since then had faded away to pursue his professionnal and family life has fell victim to a password reuse attack : his email password appeared in a leak and sadly it was the same as on the Root-Me platform. This compromised account was used to gain an undue access to the backend from which all of Root-Me is administered.

When did it occur?

Intrusion started on May the 23rd and went on until the following day, May the 24th, 2020.

What is the impact?

Challenge solutions as well as email addresses have been stolen. Password hashes are not impacted. The other stolen data, like public GPG keys or usernames are already public information displayed on profiles.

And now?

To protect our backend and therefore your data, we decided to setup GPG based two factor authentication for accounts with administration privileges.

A new series of challenges in Windows Kernel is now available! The first challenge is open to everyone, while the others are temporarily exclusive to premium members and will be open to the public on the following dates:

• WinKern x64 - shellcoding: token stealing: public
• WinKern x64 - Stack buffer overflow advanced - ROP: February 24
• WinKern x64 - Use After Free: March 24

A big thank you to Synacktiv, __syscall for their challenges!
Another big thank you to und3ath & Ech0 for their work on the architecture of these exercises.

With more than 10 years of existence, Root-Me has become the online platform offering the largest number and variety of practical content dedicated to cybersecurity (ethical hacking, devsec, forensic, etc.). Thanks to a community of nearly 300,000 members, the contributions allow Root-Me to offer realistic, documented and adapted content to the technical issues faced by cybersecurity experts. Recently, new categories of exercises have also been introduced: Blockchain Ethereum series, Windows PE series, Windows Kernel series.

Thanks to this expertise, the Root-Me platform is now used by players from all over the world, including many professionals who wish to train their teams, organize cybersecurity events (CTF, Hackaton, etc.) or detect new talents. Faced with these needs and to answer to many requests from schools and companies, we have taken the time to prepare a complete offer that you can now find on the Root Me Pro platform.

For more information, do not hesitate to contact the Root Me Pro teams!

Synacktiv is a company specialized in offensive security, founded in 2012 by several experts in the field. We recruit skilled people for our different teams: red teaming, reverse-engineering and development of offensive tooling. Synacktiv has a team of more than 55 security experts and 4 offices in France (Paris, Toulouse, Rennes and Lyon).

Synacktiv has received the CESTI accreditation by ANSSI (French National Agency for Computer Security) and is about to receive the PASSI accreditation.

A new set of challenges on Windows binary exploitation has been published!

The first challenge is public and the remaining 3 are temporarily exclusive to premium members. These will in turn become public at the following dates:

– PE32 - Local stack buffer overflow basic: public
– PE32 - Advanced stack buffer overflow: january 3
– PE32+ Egg Hunter: february 3
– PE32+ Basic ROP: march 3

An API allowing you to interact with Root-Me’s data is now available at api.www.root-me.org. The following enpoints are available:

• /login
• /challenges
• /challenges/id_challenge
• /auteurs
• /auteurs/id_auteur
• /environnements_virtuels
• /environnements_virtuels/id_environnement_virtuel

This is still a work in progress, please be mindful.

A new set of challenges on the subject of Ethereum smart contracts has been published!

The first challenge is public and the remaining 3 are exclusive to premium members. These will in turn become public at the following dates:

• Ethereum - Tutoreum: public
• Ethereum - Takeover: december 22
• Ethereum - NotSoPriv8: january 22
• Ethereum - BadStack : february 22

What has changed?

• portal index has been updated and summarizes the differences between available account types :)
• profile, score and statistics pages have evolved
• your settings page now let you fill in an address and business information. It will help us distribute goodies for foundation members and also offer more formal interships/positions through offers brought by Root-Me Pro
• skill badges are assigned when validating a challenge, creating a particular content or when contributing
• a text field makes it possible to filter the list of challenges
• the overall style evolves:
  • portal icons are now in SVG format
  • lightweight update of CSS styles
  • the new responsive design is now compatible with smaller screens

The backend also got its fair share of updates:

• a Microsoft Windows challenge machine (!): challenge05.root-me.org
• 20 new rooms in the CTF all day
• dozens new virtual environment are available in the CTF All the day

Happy hacking 😉