Publishing Root Me solutions wouldn’t be very smart; still, you can reach out to me if you want to discuss any challenge I validated or tried without success (yet). You can check my profile here.
TL;DR
The key elements I retained to get the most out of a challenge were:
- Take your time, and take copious notes and screenshots of both successes and failures.
- Think critically, schematize and don’t be afraid to get your hands dirty.
- Read documentation, articles and research slowly and carefully.
- If you’re stuck after trying everything you could, take a break.
- When the context is relevant, try to mimic the challenge environment to understand what’s under the hood.
My two cents on Root Me
Root Me caught my interest too early during my studies, since I had neither grasped any research methodology nor gained a deep enough understanding of some IT concepts. Thus, the difficulty curve for many interesting challenges was way above my skills, which led me to abandon the platform for a while.
Eventually, I got back to it during my last year of study. In France, Root Me is looked upon as a great way for interns to show their tryhard profile, because the truth is this platform is intended for tryhards. This might sound controversial, but I’m convinced Root Me is not a great learning platform in itself, although it’s a great platform to learn to do research. If you’re looking for learning material with practice for Web, Web Security Academy is definitely a better approach.
Most of the challenges available (looking at you, Web-Client) involve a configuration that would not be realistic in professional environments, and solving the challenge isn’t the instructive part. However, digging through documentation, taking notes and staying stuck on a challenge for a long time will engrave the whole thought process and work methodology tied to it.
Solving Root Me challenges and work methodology
CTF events are not my cup of tea, and while Root Me challenges are CTFs, I think they should be looked at differently. Most CTF events are limited in time, making the solving a race instead of a marathon. On the other hand, no one is rushing you to complete Root Me challenges other than personal deadlines or trying to get an internship ASAP, right?
Challenges are time-consuming
Learning is time-consuming and so are challenges. The difference is that you don’t know precisely how far from the finish line you are. Giving your mind the time to process your reflection is crucial to a deep understanding of any complex topic. This concept, called incubation in psychology, is very important in the process of problem solving.
As a result, I think taking time off a challenge when you’re stuck (not just stopping at the first minor difficulty) is beneficial for getting back to it later. While you’re not focusing on it, you might even surprise yourself thinking about it with a new approach out of the blue.
While trying to solve a challenge, practicing blindly is often a waste of time. Slowing down to speed up is counterintuitive yet crucial to retain information in the long run.
Learning to appreciate documentation
Note that “appreciate” was used, not “love”. Depending on the challenge’s author, the provided documentation ranges from none to containing a major part of the solution. The real difficulty is when the latter is valid but the content is 30+ pages long. This is the moment where filtering comes in clutch. Learning to search for documentation and taking the time to read thoroughly while sorting out out-of-scope content is a skill that gets honed only with practice and conscious thinking. Don’t be afraid to look for documentation, because it is where the most technical and precise information is (except for Microsoft Azure and every Microsoft product).
Replicating challenges with a home lab
Remember when I said challenges were time-consuming? Well, guess what: it just got longer. This practice should be used wisely; not every challenge will benefit the same from deploying a local environment. The first examples coming to mind are:
- If you need to retrieve a flag online and you have the binary source code, triggering the exploit locally makes sense.
- You want to understand precisely what is happening server-side. Installing Proxmox or ESXi is easy and deploying environments gave me more knowledge than simply trying blindly. This also was key to precisely understanding how everything is working instead of just theorizing.
On the importance of writing up
If you committed to spending this much time on challenges, you might as well make it worth it till the end.
I’m convinced structured note taking should be mandatory when working in IT in general, and especially in cybersecurity. With so many subjects and fields available, creating your own knowledge base helps you retain information and quickly find details and personal thoughts and tips on a topic.
As for challenges, writing down your work makes sense in so many respects:
- Practice writing up your work, improving your reporting skills if done seriously.
- Keep a trace of your work (especially if you tend to think you’re not doing enough).
- Organize your thoughts during the challenge and put them on “paper”, schematize the problem and help make sure you’re understanding everything as you should.
Note taking should also contain what failed. Failing again and again is the essence of progress; writing a simple guide of the solution isn’t interesting to read, share or retain. The reason is: it lacks character.
Working your way through a problem and figuring out what does not work should be shown as much as the solution. Would you rather read a book or watch a movie/series where everything unfolds flawlessly, or feel the struggle and the overcoming of difficulty?
In the end, writing up properly ensures you made progress, learned from mistakes and highlights valuable research. Linking a write-up to a dedicated note on concepts tied to it is also a great way to start a knowledge resource or complete it.