DC416 Fortress – VulnHub

This is a write-up of the CTF created by members of the VulnHub CTF Team for DefCon Toronto’s first offline CTF.

You can download this machine from the VulnHub link provided.

Level: Beginner to Intermediate

Objective: Find three hidden flags.


1. Start with Nmap

nmap -sV

The nmap results show that PHP is present, so let us use dirbuster to explore the available directories.

2. dirb /usr/share/wordlists/dirb/big.txt -X .php

Browse to the link provided by dirb.

3. It is an nmap service running on the web.

4. Now intercept the request in Burp Suite and try issuing commands.

5. Now we can find the flag in these directories.

6. Now, for flag 2, we will traverse the other directory by running ls on it.

After opening the files master and passwd we get:

craven:$6$qAgPM2TEordSoFnH$4uPUAhB.9rORkWExA8jI0Sbwn0Bj50KAK0tJ4rkrUrIkP6v.gE/6Fw9/yn1Ejl2TedyN5ziUz8N0unsHocuks.:1002:1002::0:0:User &:/home/craven:/bin/sh
craven:*:1002:1002:User &:/home/craven:/bin/sh

So now go to the home folder of craven and look.

7. We don't have permission to open flag.txt, so open reminder and hint.


Now the hint:

8. It seems the pet name is qwerty.

So use crunch to build the wordlist:

crunch 10 10 -t %%%qwerty^ -o craven.lst

and feed that to John the Ripper.

From the passwd and master files we got the /etc/passwd and /etc/shadow entries for craven.
So now copy and paste them into files and combine them using john's unshadow.

9. Now flag 2.

10. For the final flag, traverse to /usr/home/vulnhub.
Now we have two files, reader and flag.txt.
Refer to the screenshot: reader is basically checking for the keyword flag, so trick it by making a symbolic link.
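
Why the keyword check in reader fails, and how a privileged helper should make the same decision, shown as an added example (not code from the machine or from the original write-up). reader's source is not on the page, so `naive_allows` is an assumed shape of its check; `open_checked` and `demo` are hypothetical names, and the files are constructed in a temporary directory.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Assumed shape of reader's check (its source is not on the page):
 * refuse only when the supplied name contains "flag". */
int naive_allows(const char *path) {
    return strstr(path, "flag") == NULL;
}

/* Hardened variant: decide on the file actually opened, not on its name.
 * Returns a readable fd, or -1 if the request must be refused. */
int open_checked(const char *path, const char *protected_path) {
    struct stat prot, got;
    if (stat(protected_path, &prot) != 0) return -1;   /* fail closed */
    int fd = open(path, O_RDONLY | O_NOFOLLOW);  /* final component may not be a symlink */
    if (fd < 0) return -1;
    if (fstat(fd, &got) != 0 || !S_ISREG(got.st_mode) ||
        (got.st_dev == prot.st_dev && got.st_ino == prot.st_ino)) {
        close(fd);            /* same inode reached via a hard link or another path */
        return -1;
    }
    return fd;
}

/* Constructed sandbox: flag.txt, a symlink and a hard link to it, and an
 * unrelated file. Bit i of the result is set when check i grants access. */
int demo(void) {
    char dir[] = "/tmp/readerXXXXXX";
    int fd, r = 0;
    if (!mkdtemp(dir) || chdir(dir) != 0) return -1;
    close(open("flag.txt", O_CREAT | O_WRONLY, 0600));
    close(open("readme", O_CREAT | O_WRONLY, 0600));
    if (symlink("flag.txt", "note") != 0 || link("flag.txt", "copy") != 0) return -1;
    if (naive_allows("note")) r |= 1;                 /* name check is fooled */
    if ((fd = open_checked("note", "flag.txt")) >= 0) { r |= 2; close(fd); }
    if ((fd = open_checked("copy", "flag.txt")) >= 0) { r |= 4; close(fd); }
    if ((fd = open_checked("readme", "flag.txt")) >= 0) { r |= 8; close(fd); }
    unlink("note"); unlink("copy"); unlink("readme"); unlink("flag.txt");
    if (chdir("/") == 0) rmdir(dir);
    return r;
}

int main(void) { printf("result bits: %d\n", demo()); return 0; }
```

Because the decision is made on the already-open descriptor, the caller reads from the returned fd and never reopens the path, which also closes the check-then-use race.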

Flag 1 = FLAG{n0_one_br3aches_teh_f0rt}

Flag 2 = FLAG{w0uld_u_lik3_som3_b33r_with_ur_r3d_PiLL}

Flag 3 = FLAG{its_A_ph0t0_ph1ni5h}

