PwnCollege - DOS - The Great MS-DOS!

# get help
# command /?

# Pagination
A:\> dir /p

# Wide List Format
A:\> dir /w

# Piping to more
A:\> dir | more

cat.exe (type)

DOS          <DIR>         12-15-25   5:07p
COMMAND  COM        54,645 05-31-94   6:22a
WINA20   386         9,349 05-31-94   6:22a
CONFIG   SYS            71 12-15-25   5:07p
AUTOEXEC BAT            78 12-15-25   5:07p
FLAG     TXT            60 04-02-26   5:07a
        6 file(s)     64,203 bytes
                  10,428,416 bytes free

C:\>type flag.txt
pwn.college{QMkbfHdYCkFD_y-FmBdS66_cyD2.******************}

C:\>

ls.exe (dir)

DOS filenames were case-insensitive

DOS assumed that every file had a name of 8 characters or less and an “extension” (after the one allowed . in the filename) of 3 characters or less.

There is no permission or ownership information.

As a side note, extensions were critical in DOS for similar reasons that they remain important in Windows: figuring out the type of file. Specifically for DOS, programs needed to be named with extensions of EXE (normal DOS executable), COM (simple, older executables that were basically just raw binary code), and BAT (a batch script containing commands to run, analogous to a weird variant of a typical shell script).
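As an added example (my own code, not part of the pwn.college write-up), the Python below parses the dir listing format shown above and applies the 8.3 rules from this section: names are folded to upper case, limited to 8+3 characters with a single dot, and looked up case-insensitively, which is why type flag.txt finds FLAG.TXT. The listing embedded in it is a constructed sample; the parser also checks that the "file(s)" summary line agrees with the rows (DOS counts directories in the file count but not in the byte total).

```python
import re

# Characters DOS allows in an 8.3 short name (letters are folded to upper case).
NAME = r"[A-Z0-9!#$%&'()\-@^_`{}~]"
# One "dir" row: 8-char name, optional 3-char extension, "<DIR>" or a size, date, time.
ROW = re.compile(rf"^(?P<name>{NAME}{{1,8}})\s+(?:(?P<ext>{NAME}{{1,3}})\s+)?"
                 r"(?P<size><DIR>|[\d,]+)\s+\d\d-\d\d-\d\d\s+\d{1,2}:\d\d[ap]$")
SUMMARY = re.compile(r"^\s*([\d,]+) file\(s\)\s+([\d,]+) bytes$")

# Constructed sample, modelled on the MS-DOS 6.22 "dir" output shown on this page.
SAMPLE_DIR = """\
 Directory of C:\\

DOS          <DIR>         12-15-25   5:07p
COMMAND  COM        54,645 05-31-94   6:22a
WINA20   386         9,349 05-31-94   6:22a
CONFIG   SYS            71 12-15-25   5:07p
AUTOEXEC BAT            78 12-15-25   5:07p
FLAG     TXT            60 04-02-26   5:07a
        6 file(s)     64,203 bytes
                  10,428,416 bytes free
"""

def dos_name(filename):
    """Fold a name as DOS does: upper-case, one dot, 8+3 limits; None if not representable."""
    base, _, ext = filename.upper().partition(".")
    if not base or len(base) > 8 or len(ext) > 3 or not re.fullmatch(f"{NAME}*", base + ext):
        return None
    return base, ext

def parse_dir(text):
    """Return ([(name, ext, size_or_None_for_dirs)], reported_count, reported_bytes)."""
    entries, count, total = [], None, None
    for line in text.splitlines():
        if m := ROW.match(line):
            size = None if m["size"] == "<DIR>" else int(m["size"].replace(",", ""))
            entries.append((m["name"], m["ext"] or "", size))
        elif s := SUMMARY.match(line):
            count, total = (int(v.replace(",", "")) for v in s.groups())
    return entries, count, total

def summary_consistent(text):
    """DOS counts directories in "file(s)" but only file sizes in the byte total."""
    entries, count, total = parse_dir(text)
    return len(entries) == count and sum(e[2] or 0 for e in entries) == total

def lookup(text, filename):
    """Case-insensitive lookup, the way "type flag.txt" finds FLAG.TXT in the listing."""
    wanted = dos_name(filename)
    return next((e for e in parse_dir(text)[0] if (e[0], e[1]) == wanted), None)
```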

Booting from Hard Disk...
Starting MS-DOS...


HIMEM is testing extended memory...done.
Batch file missing

C:\>dir

Volume in drive C is MS-DOS_6
Volume Serial Number is 5B8F-88E6
Directory of C:\

DOS          <DIR>         12-15-25   5:07p
COMMAND  COM        54,645 05-31-94   6:22a
WINA20   386         9,349 05-31-94   6:22a
CONFIG   SYS            71 12-15-25   5:07p
FLG396   TXT            60 04-02-26   5:14a
        5 file(s)     64,125 bytes
                  10,432,512 bytes free

C:\>type flg396.txt
pwn.college{c1dnzzEBipHvxFUOKeBsqnezrlb.******************}

C:\>

Changing Disks

Boot failed: could not read the boot disk

Booting from Hard Disk...
Starting MS-DOS...


HIMEM is testing extended memory...done.

C:\>C:\DOS\SMARTDRV.EXE /X
C:\>d:

D:\>dir

Volume in drive D has no label
Volume Serial Number is 409D-8F04
Directory of D:\

FLAG     TXT            60 04-02-26   5:15a
        1 file(s)         60 bytes
                  16,723,968 bytes free

D:\>type flag.txt
pwn.college{A_QSyVfCu23CuMIMATEp-popFEE.******************}

D:\>

Reading Floppies

floppy disks

DOS assigned floppy drives the A: and B: drive letters, and “mounting” happened automatically on access (or, more specifically, there was no filesystem “mounting”; access just happened). The two letters were for computers that had both a 5.25” and a 3.5” floppy drive.

load floppy in control panel

iPXE (http://ipxe.org) 00:03.0 CA00 PCI2.10 PnP PMM+00F91FB0+00EF1FB0 CA00



Booting from Floppy...
Boot failed: could not read the boot disk

Booting from Hard Disk...
Starting MS-DOS...


HIMEM is testing extended memory...done.

C:\>C:\DOS\SMARTDRV.EXE /X
C:\>a:

A:\>cat flag.txt
Bad command or file name

A:\>type flag.txt
pwn.college{USkPRtXd3nCSZPKf6MUGwdJLU8J.******************}

A:\>

Installing MS-DOS

Use the provided floppies to install MS-DOS 6.22.

Since each floppy only holds 1.44 MB, it was necessary to ship software on multiple floppies. MS-DOS 6.22 used three disks.

Load floppies 0 to 2 in the control panel and follow the wizard.

SeaBIOS (version rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org)


iPXE (http://ipxe.org) 00:03.0 CA00 PCI2.10 PnP PMM+00F91FB0+00EF1FB0 CA00



Booting from Floppy...
Boot failed: could not read the boot disk

Booting from Hard Disk...
Starting MS-DOS...


HIMEM is testing extended memory...done.

C:\>C:\DOS\SMARTDRV.EXE /X
C:\>a:

A:\>type flag.txt
pwn.college{gF-MZnE1WGsp7qf0RwDh0DJDe2c.******************}

A:\>

autoexec.bat

Any boot process includes not just the loading of the OS itself, but its initialization. In DOS, this was elegantly handled by autoexec.bat, a script that specified what commands would run when the system booted.

You can access the various menu items using your Alt key (e.g., Alt-F to open the File menu).

Modify the file: change the del command to type.

SeaBIOS (version rel-1.17.0-0-gb52ca86e094d-prebuilt.qemu.org)


iPXE (http://ipxe.org) 00:03.0 CA00 PCI2.10 PnP PMM+00F91FB0+00EF1FB0 CA00



Booting from Floppy...
Boot failed: could not read the boot disk

Booting from Hard Disk...
Starting MS-DOS...


HIMEM is testing extended memory...done.

C:\>type c:\flag.txt
pwn.college{UBwCBfcUDi1W3W0o4QuVdHGB6rH.******************}

C:\>

doskey

Once doskey is loaded, you gain access to command history with the up/down arrows and command line editing.

Up/Down arrows: browse the command history; Left/Right arrows: move the cursor within the line; F7: show the command history in a pop-up window; F9: select a command by number.

FUN FACT: doskey was introduced in MS-DOS 5.0 (1991) and was a game-changer for productivity. Before doskey, if you made a typo in a long command, you’d have to retype the whole thing!

Edit autoexec.bat, add doskey at the top, quit, and relaunch.

C:\>
C:\>echo pwn.college{
pwn.college{

C:\>echo 011NPLaz5mkZ
011NPLaz5mkZ

C:\>echo PSINV-xsu6g7
PSINV-xsu6g7

C:\>echo 7JI.********
7JI.********

C:\>echo **********}
**********}

C:\>

pwn.college{011NPLaz5mkZPSINV-xsu6g77JI.******************}

DOS Networking

Install the packet driver (make sure to specify the interrupt!), install and configure mTCP, then netcat to 192.168.13.37 port 1337 for the flag!

load pcnet floppy

PKTCHK   COM           856 01-28-92   9:58p
PKTMODE  COM         1,728 01-28-92   9:58p
PKTMULTI COM         1,822 01-28-92   9:59p
PKTRING  COM         2,420 01-28-92   9:59p
PKTSEND  COM         2,346 01-28-92   9:59p
PKTSTAT  COM         1,693 01-28-92   9:59p
PKTTRAF  COM         6,019 01-28-92   9:59p
TERMIN   COM         1,419 01-28-92   9:58p
TRACE    COM         2,124 01-28-92   9:58p
WINPKT   COM         3,617 01-28-92   9:59p
       18 file(s)    116,641 bytes
                     192,512 bytes free

A:\PKTDRVR>pcntpk int=0x60
Packet driver for an PCNTPK, version 03.10
Packet driver skeleton copyright 1988-92, Crynwr Software.
This program is free software; see the file COPYING for details.
NO WARRANTY; see the file COPYING for details.

Packet driver is at segment 0BC8
Interrupt number 0xB (11)
I/O port 0xC000 (49152)
My Ethernet address is 52:54:00:12:34:56

A:\PKTDRVR>

load mtcp floppy

netcat to 192.168.13.37 port 1337 for the flag!

set mtcpcfg=ftp.cfg

# edit this file yourself; PACKETINT must match the software interrupt given to pcntpk (int=0x60), not the card's IRQ 0xB
A:\>type ftp.cfg
PACKETINT 0x60
IPADDR 192.168.13.100
NETMASK 255.255.255.0
GATEWAY 192.168.13.1
NAMESERVER 192.168.13.1
MTU 1500

A:\>set mtcpcfg=ftp.cfg

A:\>nc -target 192.168.13.37 1337
mTCP Netcat by M Brutman (mbbrutman@gmail.com) (C)opyright 2007-2025
Version: Jan 10 2025

Resolving server address - press Ctrl-Break to abort

Server resolved to 192.168.13.37 - connecting

Connected!

pwn.college{sig-JqvzdYNSstfBBdU6WAW8lln.******************}

Elapsed time: 0.00 Bytes sent: 0 Received: 60

A:\>