Recently
February 2021 #New set of challenges : Node.js
You are certainly familiar with JavaScript, the language we are used to see client side. Well, JavaScript can be used server side!
Thanks to this series of challenges, you will learn to familiarize yourself with Node.
Thanks to Mhd_Root for his work on this series of challenges !
New set of challenges : LaTeX
The LaTeX language is very useful for writing scientific papers with complex mathematical formulas. Although it is very useful, security is not at the heart of the concerns of this language.
In this series of challenges, you will learn how to detect some common vulnerabilities in LaTeX and how to exploit them!
Many thanks to Mhd_Root and Podalirius for their work on this series of challenges !
New support : Discord server
A new communication support on Discord is now available to you.
The Root-Me discord server is publicly accessible through the following invitation: https://discord.gg/wpk8xHr.
Anyone with a Root-Me account can freely join the server and use all the communication channels available to you. It is possible to chat with the Root-Me community, get help with challenges, be in contact with the staff and members of the Root-Me association as well as be kept informed of the latest news and Root-Me projects.
In order to be able to access the server, you must:
– Follow the invitation link with a discord account whose email is verified
– Read and accept the Discord server rules when you arrive
– Have your account verified by the Root-Me#3551 bot by sending it the command by private message:
!verify YourApiKey
You will find your API key in your account settings.
More information on the Discord page.
New set of challenges : Radio Frequencies (RF)
With the Internet of Things, more and more devices are using radio frequencies to communicate. In this series of challenges, you’ll learn to identify and decode the different signals captured and develop your knowledge in radio frequencies!
Many thanks to Podalirius for creating this series of challenges!
New set of challenges: Content Security Policy (CSP)
CSP is a relatively recent technology, allowing to define a security policy that should be applied clientside (web browser). Identify configuration errors and understand the associated bypass techniques with this new series of challenges :
- CSP Bypass - Inline code
- CSP Bypass - JSONP
- CSP Bypass - Dangling markup
- CSP Bypass - Dangling markup 2
Thanks again to CanardMandarin for his work on the subject!
New sponsor : ENSTA
We are proud to welcome the public institution ENSTA Bretagne as the new academic sponsor of Root-Me. The engineering school will use Root-Me PRO environments to train its students in cybersecurity.
Built on a legacy of training on its Brest campus since 1819, ENSTA Bretagne and its history go hand in hand with the history of engineering, industry, the arsenals and new technology in France.
New sponsor : GEOIDE Crypto&Com
We are proud to announce a new sponsorship with GEOIDE Crypto&Com, specialized in cybersecurity products development coupled with hypervision and decision support solutions.
Data theft - password reuse
What happened?
By construction, the Root-me foundation has always trusted all of its members and for that matter the most active ones generally have administration privileges.
A platform administrator that has, in his time, contributed a lot to the project and since then had faded away to pursue his professionnal and family life has fell victim to a password reuse attack : his email password appeared in a leak and sadly it was the same as on the Root-Me platform. This compromised account was used to gain an undue access to the backend from which all of Root-Me is administered.
When did it occur?
Intrusion started on May the 23rd and went on until the following day, May the 24th, 2020.
What is the impact?
Challenge solutions as well as email addresses have been stolen. Password hashes are not impacted. The other stolen data, like public GPG keys or usernames are already public information displayed on profiles.
And now?
To protect our backend and therefore your data, we decided to setup GPG based two factor authentication for accounts with administration privileges.
New set of challenges: Microsoft Windows kernel
A new series of challenges in Windows Kernel is now available! The first challenge is open to everyone, while the others are temporarily exclusive to premium members and will be open to the public on the following dates:
- WinKern x64 - shellcoding: token stealing: public
- WinKern x64 - Stack buffer overflow advanced - ROP: February 24
- WinKern x64 - Use After Free: March 24
A big thank you to Synacktiv, __syscall for their challenges!
Another big thank you to und3ath & Ech0 for their work on the architecture of these exercises.
Root-Me Pro : a version fully dedicated to professionals
With more than 10 years of existence, Root-Me has become the online platform offering the largest number and variety of practical content dedicated to cybersecurity (ethical hacking, devsec, forensic, etc.). Thanks to a community of nearly 300,000 members, the contributions allow Root-Me to offer realistic, documented and adapted content to the technical issues faced by cybersecurity experts. Recently, new categories of exercises have also been introduced: Blockchain Ethereum series, Windows PE series, Windows Kernel series.
Thanks to this expertise, the Root-Me platform is now used by players from all over the world, including many professionals who wish to train their teams, organize cybersecurity events (CTF, Hackaton, etc.) or detect new talents. Faced with these needs and to answer to many requests from schools and companies, we have taken the time to prepare a complete offer that you can now find on the Root Me Pro platform.
For more information, do not hesitate to contact the Root Me Pro teams!