DC Challenges


The DC challenges are a series of purposely vulnerable labs for the purpose of gaining experience in the world of penetration testing.

I started creating these vulnerable VMs so that beginners (people like me) can get an idea of what is involved with trying to break into a system (legally).

When I started doing these kind of challenges late last year, I found that quite a few were more like puzzles. While they were fun, I was also a bit disappointed as I wanted to find some challenges that were more...realistic. That isn't to say that they were bad or not challenging, but I did get a bit tired of seeing the same things over and over again.

So, with that in mind, you won't see:

  • Any flags that have been base64 encoded
  • Any brainfuck encoded flags
  • Any "secret" text hidden in images (steganography)

While DC-1 and DC-2 both have hints/clues as flags, from DC-3 onwards, there are no clues, just one flag that can be obtained with root privileges (directly, or indirectly).


You can read more about each DC challenge by clicking on the links below. They can also be downloaded from there as well.









Guide to Building Vulnerable VMs

I've had a few people ask me recently how I go about building vulnerable VMs, so I thought that I'd write up a little guide to help others who might be thinking of creating their own vulnerable CTF or boot2roots.

You can read about it here.

Starting Out

I've also had some people new to CTFs and Boot2Roots contact me wanting to know some information about what to do after they've downloaded a VM.

I've written an article - which is a walkthrough of DC-5 - which should give people new to CTFs and Boot2Roots a bit of an idea.

You can read the walkthrough here.


I'm also very interested in hearing how people go about solving these challenges, so if you're up for writing a walkthrough, please do so and send me a link, or alternatively, follow me on Twitter, and DM me (you can unfollow after you've DM'd me if you'd prefer).

I can be contacted via Twitter - @DCAU7