Frequently Asked Questions

Generalities

What is Hackropole?

Hackropole is a platform to archive the challenges of the France Cybersecurity Challenge (FCSC). Challenges can be replayed by anyone, with or without an account. Participants wishing to log in with an account (Discord, GitHub or GitLab) will unlock additional features such as progress tracking, the ability to submit solutions to challenges, and get a system of bookmarks for challenges and solutions.

What is the France Cybersecurity Challenge (FCSC)?

The FCSC is an annual jeopardy-style CTF organized by ANSSI (the National Cybersecurity Agency of France) to select the French team for the European Cybersecurity Challenge (ECSC).

The dates for the last editions were:

• in 2019, from May 13 to May 22,
• in 2020, from April 24 to May 4,
• in 2021, from April 23 to May 3,
• in 2022, from April 29 to May 8,
• in 2023, from April 21 to April 30,
• in 2024, from April 5 to April 14.

To find out more about FCSC, visit https://france-cybersecurity-challenge.fr/.

What was my ranking at the FCSC of year N?

You can find your rankings for every FCSC on the following pages:

• FCSC 2024
• FCSC 2023
• FCSC 2022
• FCSC 2021
• FCSC 2020
• FCSC 2019

What is the European Cybersecurity Challenge (ECSC)?

Bringing together between 20 and 30 European countries each year, the European Cybersecurity Challenge (ECSC) allows national teams to compete with each other in various categories (cryptography, web, reverse engineering, pwn, forensics, hardware, etc.). The French team consists of 10 players aged between 14 and 25, selected during the France Cybersecurity Challenge (FCSC) to represent France at the ECSC.

The latest editions took place in:

• in 2018, from October 14 to 17 in the United Kingdom (London).
• in 2019, from October 9 to 11 in Romania (Bucharest).
• in 2021, from September 28 to October 1 in the Czech Republic (Prague).
• in 2022, from September 13 to 16 in Austria (Vienna).
• in 2023, from October 24 to 27 in Norway (Hamar).

To find out more about FCSC, visit https://ecsc.eu/.

What happens if I find an error or a vulnerability on the platform?

If you identify a bug or a vulnerability in a challenge or on the platform, you can share this information with the ANSSI organizing team using the email address hackropole[at]ssi.gouv.fr.

Challenges

I’m a beginner, where should I start?

Every year, the FCSC tries to provide challenges for beginners in cybersecurity and CTF. Hackropole collects these challenges under the intro tag, and you can find them by clicking on Challenges and sorting them by difficulty.

How do I solve a challenge?

To solve a challenge, you should start by reading the description provided on the associated page. In most cases, there are files listed on the challenge page that need to be downloaded. These files can be in various formats, such as a Python script, a text file, a network capture, an image, etc.

For some challenges, a special file to download is docker-compose.yml, which allows you to run the challenge locally on your machine. This could be a website to analyze, a binary to exploit, a cryptographic oracle containing a secret to extract, etc. You will need to have Docker installed for this (see further instructions).

How is the difficulty of challenges estimated?

On Hackropole and during the FCSC, challenges are divided into four difficulty levels:

• introductory challenges intro,
• easy challenges ⭐,
• medium challenges ⭐⭐,
• hard challenges ⭐⭐⭐.

The difficulty is estimated by the organizing team and may be re-evaluated based on the actual perceived difficulty by players at the end of the FCSC.

Can I use automated brute-force tools?

Automated brute-force tools like dirbuster, dirb, wfuzz, sqlmap, nmap, nikto, hydra and similar tools are not useful. If you use them, you are not on the right track.

Categories

What are the challenges in the “Crypto” category?

Challenges in the crypto category relate to the field of cryptography and require analyzing or finding weaknesses in cryptographic algorithms or protocols. This could involve analyzing hash functions, elliptic curves, RSA-based cryptosystems, block cipher algorithms, etc.

If you are a beginner in this category, we recommended you start with these introductory challenges:

• intro Clair connu
• intro ROT13
• intro SMIC 1
• intro SMIC 2

What are the challenges in the “Forensics” category?

Challenges in the forensics category involve digital investigation, which is the analysis of various digital media (memory dumps, hard drives, smartphones, etc.) to find some indication of compromise.

If you are a beginner in this category, we recommended you start with these introductory challenges:

• intro Cap ou Pcap
• intro Rituel en chaine
• intro Échec OP 0/3

What are the challenges in the “Hardware” category?

Challenges in the hardware category cover various concepts related to the lowest levels of cybersecurity, including the analysis of electronic circuits, the study of radio signals, attacks using side channels, fault attacks, and more.

If you are a beginner in this category, we recommended you start with these introductory challenges:

• intro Ne pas jeter l’éponge
• intro Waterfall
• intro Dystylosaurus
• intro Seven Sins

What are the challenges in the “Misc” category?

Challenges in the misc category encompass a wide range of challenges that do not directly fit into other categories, but still present interesting technical aspects. These may include programming challenges, algorithmic problems, system administration challenges, industrial systems security, etc.

If you are a beginner in this category, we recommended you start with these introductory challenges:

• intro A l’envers
• intro Tri Sélectif
• intro QRCode

What are the challenges in the “Pwn” category?

Challenges in the pwn category involve exploiting vulnerabilities in binary programs, essentially on GNU/Linux. The challenges are provided in the form of compiled binaries, sometimes with their dependencies or source code, along with a Docker image for simulating access to the binary in its environment. The goal of these challenges is typically to read a file on the remote system or get a shell on that machine.

If you are a beginner in this category, we recommended you start with these introductory challenges:

• intro bofbof
• intro Shellcode
• intro uid
• intro Poney

What are the challenges in the “Reverse” category?

Challenges in the reverse category require understanding the operations of a provided program solely in the form of a compiled binary. The target architectures can vary, ranging from standard 64-bit ELF or PE binaries for GNU/Linux or Windows to ARM or MIPS processors, and even more exotic architectures like video game consoles.

If you are a beginner in this category, we recommended you start with these introductory challenges:

• intro Tarte Tatin
• intro ybab
• intro Guessy

What are the challenges in the “Web” category?

Challenges in the web category involve analyzing a web application, with or without their source code, to find exploitable vulnerabilities that allow reading files on the remote system, accessing a database, impersonating a user with high privileges, etc. Challenges in this category are also provided in the form of Docker containers.

If you are a beginner in this category, we recommended you start with these introductory challenges:

• intro NES Forever
• intro Header
• intro Babel Web
• intro Scully 1

Write-ups

How can I read the write-ups?

To view a write-up, you must first validate the challenge by entering a valid flag. Once you have found and entered that flag in the dedicated field, the list of available solutions for that challenge will appear on the page.

What do the write-ups contain?

The write-ups published on Hackropole contain the steps to solve the challenges.

Who writes the write-ups?

The write-ups published on Hackropole are primarily written by the community. In some cases, the Hackropole team or authors of certain challenges may also provide write-ups.

How can I submit a write-up?

To submit a write-up for a challenge on Hackropole, you must start by solving the challenge. Then, you need to log in into your account using one of the authentication providers (e.g., GitHub, Discord or GitLab) and submit the challenge flag along with a link to a GitHub Gist or a GitLab Snippet containing the write-up in Markdown format.

It is important to use the Markdown format; otherwise, your write-up may not be accepted. You are free to include images within your write-up.

How are the write-ups verified?

Write-ups are manually verified by the Hackropole team. All write-ups are reviewed before a decision to accept or reject it is made.

Since verifications are performed manually, time of acceptance may vary widely depending on the workload of the Hackropole moderators.

How can I increase the chances of my write-up being accepted?

To increase the chances of your write-up being accepted, here are some criteria that Hackropole moderators look for in each write-up (not an exhaustive list):

• Pedagogical quality of the solution,
• Quality of writing (no spelling or grammar errors),
• Originality of the resolution technique,
• Reproducibility of the solution (provide complete scripts),
• Limited redundancy with already published solutions.

Docker Installation

How do I install Docker on Microsoft Windows?

We recommend reading the official Docker documentation.

How do I install Docker on GNU/Linux ?

We recommend reading the official Docker documentation.

If the docker compose command does not exist on your machine (introduced in 2020), we recommend updating Docker following the official instructions.

If you wish, and if your distribution allows it, you can use Docker in “rootless” mode by following these instructions.

How do I install Docker on Apple Mac?

We recommend reading the official Docker documentation.

If you encounter issues related to using a Mac with an Apple Silicon processor, please contact us on Discord or at hackropole[at]ssi.gouv.fr.

How do I launch a challenge with Docker?

To launch a Docker challenge, simply download the docker-compose.yml file from the corresponding page, then execute the following command in a terminal in the same location: docker compose up. Then, simply follow the instructions on the challenge page to access the service.

Contribute to Hackropole

How is the Hackropole website generated?

Challenges and writeups are written in Markdown format. We then use the Hugo static site generator to generate the HTML, CSS and JavaScript content for this site.

Where can I find the source code of the Hackropole website?

The Hugo theme used to generate the static site is published under MIT license on github.com/ANSSI-FR/hackropole-hugo. An example site with a few challenges and writeups is provided for testing the theme locally. We invite you to reuse this theme and suggest modifications.

You did not find your answer?

For any further question missing from this page that you might have, please contact us, preferably using the dedicated Discord server, or otherwise, using regular email hackropole[at]ssi.gouv.fr.