Root-me: Orchard foraging
Welcome to Root-Me’s tangled groves—where web apps dangle like overripe fruit, each one begging to be plucked, squeezed, and juiced for flags. These challenges aren’t just vulnerable; they’re a masterclass in digital botany, where XSS blooms like mold on forgotten apples, SQLi worms tunnel through the pulp of poorly pruned queries, and authentication bugs rot the tree from the roots up. Every branch (challenge) is a lesson: sometimes the sweetest fruit hangs lowest (hello, admin:admin), and sometimes you are just one prototype pollution beetle away from collapsing the whole canopy.
Root-Me is the wilderness survival trial:
- Root-Me Web client challenges
- Root-Me Web server challenges
- Insecure code management
- Directory traversal
- File upload: null byte
- PHP assert()
- PHP Filters
- PHP Register globals
- JWT Introduction
- JWT (not) revoked token
- JWT weak secret
- Python: Server-side Template Injection Introduction
- Command injection: filter bypass
- Java: Server-side Template Injection (SSTI)
- Local file inclusion
- Local file inclusion: double encoding
- PHP preg_replace
- PHP type juggling
- SQL injection: authentication
- SQL injection: string
- XSLT code execution
- PHP path truncation
- PHP serialisation
- SQL injection: numeric
- SQL injection: routed
- SQL truncation
- XPath injection: authentication
- SQL injection: time-based
Last update: 2025-05-12 14:16