Vulnhub – DC416 Fortress Walkthrough


So, I’m here with my first write-up, for the Vulnhub DC416 Fortress challenge. We usually start by doing some enumeration on services, but before that we have to find out the IP address of our machine.

Information Gathering

netdiscover will scan all active devices on our network. (Our Target is:

Now that we know our target IP address, let’s find out which services are running. The Nmap scan suggests that the server is running FreeBSD and has a few services running.

If we take a look at port 80, we have an Apache server running, so let’s take a look.

There’s nothing on that page. I thought to curl it to make sure there’s nothing hidden inside, but no luck.

Now it’s time for my favorite part: directory enumeration. 🙂

For that we have some awesome tools already installed in Kali Linux, but my favorites are dirb and dirbuster. We had no luck because we couldn’t find any directories, so let’s try searching for files. We know the server is running Apache, so why not try searching for .php extensions?

Let’s do it!

And we found our first lead: the scanner.php file. 🙂 Let’s take a look.

So we have something here. Let’s try to find out what it is.

We have an input field where we enter an IP and it runs an Nmap command. Good! 🙂 Maybe we can try command injection here, so let’s take a look at its response through Burp.

Read About Command Injection Here:

So, we tried command injection, and it looks like there’s some kind of filtering.

So, this didn’t work!

Let’s try again!


Now, after doing ls -la, we found these directories.

  • k1ngd0m_k3yz
  • s1kr3t

These two directories look strange, so let’s have a look.

  • k1ngd0m_k3yz

  • s1kr3t

Now, let’s take a look inside the master and passwd files.

Inside the master file we have our hash. Save that to hash.txt just in case we can’t get any further lead.

Inside passwd file.


The first flag can be found in the s1kr3t directory.

Finally, we have found our first flag.

From our previous findings, we know that there’s a user account named craven.

ls -la /home/craven/

Looks like we have found our second flag inside the /home/craven/ directory.

We do not have read permission for flag.txt, so let’s take a look at the hint.txt and reminders.txt files.


Keep forgetting my password, so I made myself a hint. Password is three digits followed by my
pet's name and a symbol.


To buy:
* skim milk
* organic free-run eggs
* dog bone for qwerty
* sriracha

Now we have a hint, and it suggests that his dog’s name is qwerty. We’re going to add three digits before qwerty and one symbol after it, which can be done with the crunch wordlist generator.

  • Qwerty
  • 3 digits
  • Symbol

This command will create every possible word.

Now we have to crack the hash in hash.txt that we found earlier.

It seems that we have successfully cracked our password. 🙂



Now we’re able to get our second flag.


It’s time to get our third flag.

I did cd /home and found another user named vulnhub. We can spot a SUID binary belonging to the user vulnhub in its home directory, /home/vulnhub.

Inside the vulnhub directory we have our third flag and a reader file.

Running file reader gives us some info about the reader file.

Since we can execute the reader file as the craven user, we can read our third flag. Let’s try. 🙂

It seems the binary checks the filename for flag.txt, so let’s try to trick this check with a symbolic link:

Now to a hard link.

Boom! 🙂
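The link trick works because a privileged reader that decides by file name is checking the wrong thing: a name is only a label for an inode. The sketch below is an added example, not code from the reader binary (whose source the walkthrough does not show); the function names and the temp-dir files are hypothetical and constructed. It puts a name-based check beside a check on the opened file's identity.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak check (assumed shape, not the real reader source): trust the path string. */
int name_check_allows(const char *path) {
    return strstr(path, "flag.txt") == NULL;
}

/* Hardened check: open first, then compare the opened object's device and inode
 * with the protected file's. A hard link shares that inode under any name, so
 * it is refused. Returns an open fd, or -1 when refused or on error. */
int open_unless_protected(const char *path, const char *protected_path) {
    struct stat want, got;
    if (stat(protected_path, &want) != 0) return -1;   /* fail closed */
    int fd = open(path, O_RDONLY | O_NOFOLLOW);        /* refuse symlinks outright */
    if (fd < 0) return -1;
    if (fstat(fd, &got) != 0 || !S_ISREG(got.st_mode) ||
        (got.st_dev == want.st_dev && got.st_ino == want.st_ino)) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demo in a temp dir. Result bits: 1 = weak check passes the hard link,
 * 2 = hardened check refuses it, 4 = refuses the symlink, 8 = allows an unrelated file. */
int demo(void) {
    char dir[] = "/tmp/readerXXXXXX", flag[64], hl[64], sl[64], ok[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(flag, sizeof flag, "%s/flag.txt", dir);
    snprintf(hl, sizeof hl, "%s/notes", dir);
    snprintf(sl, sizeof sl, "%s/alias", dir);
    snprintf(ok, sizeof ok, "%s/readme", dir);
    close(open(flag, O_CREAT | O_WRONLY, 0600));
    close(open(ok, O_CREAT | O_WRONLY, 0600));
    if (link(flag, hl) != 0 || symlink(flag, sl) != 0) return -1;
    int r = name_check_allows(hl) ? 1 : 0;
    if (open_unless_protected(hl, flag) < 0) r |= 2;
    if (open_unless_protected(sl, flag) < 0) r |= 4;
    int fd = open_unless_protected(ok, flag);
    if (fd >= 0) { r |= 8; close(fd); }
    unlink(hl); unlink(sl); unlink(ok); unlink(flag); rmdir(dir);
    return r;
}
```

Because the comparison is made on the already opened descriptor with fstat, swapping the path between check and use does not change the result.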