The 10 commandments of writing solution

Introduction

You just managed to flag a challenge and you want to share how you did it? Root-Me allows you to write your own write-up, which will be posted on the challenge page. However, these solutions are reviewed by members of Root-Me before being accepted. Here are a few good practices and rules to follow when writing your solution to make sure it will be accepted (and as quickly as possible…)!

1. Re-read yourself

Basic. The reading should be easy and fluid. No need to write like Shakespeare, but typos and spelling errors are to be avoided. Make sure that your solution is written in proper English (or whichever language you chose). Be kind to the ones who are checking your solution: nobody likes to lose 15 min correcting a write-up from someone else. We won’t shame you for a few mistakes, but do your best to make the checker’s work simple.

Pro-Tips : LanguageTool is a nice browser addon to avoid typos.

2. Use the Rich Text Editor

Root-Me works with the SPIP markup language. It enables you to make your solution a lot easier to read. You can make titles, subtitles, bold, italic, code snippets (with syntax highlighting: <code class="python"></code>), add images… It’s up to you to write a solution that is pleasant to read - for the checker and for the future challengers who will read it.

Pro-Tips : A quick help for the SPIP syntax can be found here : https://www.root-me.org/?page=structure&inc=inclusions/legende&lang=en%20#syntaxe.

It also works with Markdown (<md></md> tags), but syntax highlighting is not available there, making it less pleasant to read.

Pro-Tips : You can use HexPandaa’s tool md2rm to convert your Markdown to SPIP syntax.

3. Don’t leak flags

You are proposing a solution: we know that you solved the challenge. No need to show the flag in plaintext to prove it, we believe you, I promise.
This prevents people from leaking your solution on the Internet with the flag inside.

4. Verify that your solution doesn’t already exist

What is interesting with this system is discovering many different solutions to the same challenge. If the way you solved the challenge is already described in another solution, there is no need to post a duplicate.

The number of solutions is capped at 10, but if you think you’ve got an amazing new solution that should be on the platform, you can talk about it on Discord and maybe we will add it.

5. Verify that your solution is interesting

Your solution could be different from the other ones but if it brings nothing more we don’t want it either. Magic online tools to solve the challenge are cool but they are not that interesting. We’re pretty sure that’s not the kind of trick you want to see when you explore solutions.

For example, for programming challenges, you can check that you’re not posting a solution in the same programming language or with the same library.

6. Insert images

Images can help your reader a lot to understand what you are explaining. It depends on the context, but images are generally welcome and are very useful for visualizing the concepts or the tricks you are describing.

Pro-Tips : If you are a member, you can edit your solution in Root-Me’s backend.

The first thing to do is to select an image or document on your computer. Next, place your cursor where you wish to insert your image. Finally, click on the document identifier, and possibly on the image position.

/assets/images/posts/upload_image_solution.png

For example, we add the same image twice, once normally and once to the right of the text.

/assets/images/posts/upload_image_solution2.png

Finally, we can preview our solution to see the images.

/assets/images/posts/upload_image_solution3.png

7. Explain your code

If you decide to include your script in your solution, describe how it works in as much detail as you can. Your reader might not know what line 19 does, even if it’s pretty clear to you. Comments are not mandatory but they are a great way to achieve this.

import requests
import json

# Define your API key
api_key = "your_api_key_here"

# Make a request to the API using the API key in the headers
headers = {
    "Authorization": f"Bearer {api_key}"
}

# Send a GET request to the API endpoint
response = requests.get("https://api.example.com/data", headers=headers)

# Check if the response status code is 200 (OK)
if response.status_code == 200:
    # Parse the JSON data from the response
    data = json.loads(response.text)

    # Now you can work with the JSON data
    for item in data:
        print(f"Item ID: {item['id']}")
        print(f"Item Name: {item['name']}")
        print(f"Item Description: {item['description']}")
    print("Data parsing successful.")

else:
    print(f"Error: Unable to fetch data from the API. Status code: {response.status_code}")

8. Test your solution

Your original solution might be ugly and you polished it later. Or you found an elegant trick right after solving the challenge. The challenge could even have been fixed, preventing your workaround. You have to make sure that everything you are proposing is fully functional. It would be ironic if a solution didn’t even work, right?

9. Quote your sources

It might happen that someone finds your solution deeply interesting. This person would obviously want to dig into the subject. Leave some links to what you used as a reference, or what you came across during your research. It’s also a way to give credit to those who wrote it.

10. Structure your text

The organization is your choice. However, try to avoid big, indigestible blocks of text. You can use lists, headers, blank spaces… Once again, the main goal is to make the solution easier to read.

Solution Template

And now you’re thinking that’s a lot to add and think about, and you’re already doing enough steganoguessing challenges as it is. But don’t worry, we’ve even made a template you can use as a basis for your solutions!

{{{ Name }}}

{{ Description }}

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Morbi in venenatis lacus. 

<quote>

In iaculis odio non ligula pulvinar aliquet. Sed in turpis non lacus malesuada mollis. 

</quote>

{{ 1. Step 1 }}

In iaculis odio non ligula pulvinar aliquet. Sed in turpis non lacus malesuada mollis. 

{{ 2. Step 2 }}

In iaculis odio non ligula pulvinar aliquet. 

|| Information | Title ||
|  cell1  |  cell2  |
|  cell3  |  cell4  |


{{ 3. Step 3 }}

In iaculis odio non ligula pulvinar aliquet. Sed in turpis non lacus malesuada mollis. 

- Exploitation code

<code class="python">
from requests import get

get("https://challenge01.root-me.org/")
</code>

{ Lorem ipsum dolor sit amet, consectetur adipiscing elit }


{{ Resources }}
- https://www.root-me.org/?page=structure&inc=inclusions%2Flegende&lang=fr
- [The Blog -> https://blog.root-me.org/]

BONUS : Give a shout-out

Last but not least. Root-Me, and infosec in general, is a community. Someone created the challenge you just solved, and the roles could be reversed someday. Don’t hesitate to thank this person; it is always a pleasure for anyone who worked hard to share something with a community he loves.

Thanks

A heartfelt thank you to all the contributors on Root-Me. Your efforts, regardless of their level of completion, contribute to our cybersecurity community’s growth. Keep learning, sharing, and inspiring. Special thanks to B.A.Seven for writing the core of the article and Elweth for the solution template. ❤️