The Great MS-DOS!

Let's start with the basics!

You interact with DOS using the commandline. I'm sure you're quite familiar with cat /flag in Linux (and if not, you can learn it!). In DOS, the cat equivalent is type. Like cat's default usage, type types out the file contents to the screen.

Let's dig in! The flag is in the flag.txt file of the C: drive. What the heck is the C drive? Roughly speaking, it's the DOS equivalent of /: it's the primary disk of the machine. The top-level directory of the C: drive is where DOS puts you when it boots up:

Booting from Hard Disk...
Starting MS-DOS...

C:\>

That prompt means:

• C:: you are in the C: drive
• \: you are in the top-level directory (yes, DOS uses \ instead of / for directory separators!!!)
• > : this is the end of the prompt

Since you're already in C:\ and the flag is in C:\flag.txt, you can, like in Linux, just refer to it here as flag.txt. So, boot up your DOS (using /challenge/launch), and read the flag!

NOTE: This challenge requires a GUI to interact with the DOS machine, and so must be accessed through the desktop interface.

*NOTE: You can't select text directly from DOS! That technology simply didn't exist. However, you can use the "copy" functionality on the challenge Text User Interface to copy the whole screen to the clopboard, and extract the flag from there!

Now you know how to cat: type! What about ls? The way to list a directory in DOS is with the dir command! It works more or less like ls. For example:

C:\>dir

 Volume in drive C is MS-DOS_6
 Volume Serial Number is 5B8F-88E6
 Directory of C:\

DOS          <DIR>         12-15-25   5:07p
COMMAND  COM        54,645 05-31-94   6:22a
WINA20   386         9,349 05-31-94   6:22a
CONFIG   SYS            71 12-15-25   5:07p
FLAG     TXT            22 12-16-25   6:11a
        5 file(s)         64,087 bytes
                      10,432,512 bytes free

Look familiar? The same basic information is there, with three clear differences:

• First, everything is upper case? DOS filenames were case-insensitive! You can address FLAG.TXT as flag.txt, Flag.TXT, fLaG.TxT, or whatever casing you prefer!
• Second, DOS assumed that every file had a name of 8 characters or less and an "extension" (after the one allowed . in the filename) of 3 characters or less. You can see that assumption in the layout of the first two colums! The authors of dir expected you to mentally slot the . in there between the name and extension.
• Third, there is no permission or ownership information. DOS simply didn't have that. Simpler times!

This level renames flag.txt to flgXYZ.img, with random numbers for X, Y, and Z. Find the file and get the flag!

FUN FACT: As a side note, extensions were critical in DOS for similar reasons that they remain important in Windows: figuring out the type of file. Specifically for DOS, programs needed to be named with extensions of EXE (normal DOS executable), COM (simple, older executables that were basically just raw binary code), and BAT (a batch script containing commands to run, analogous to a weird variant of a typical shell script).

So, C:... What if you have more than one disk? In Linux, you'd "mount" it somewhere in the filesystem, such as /media/mydisk, but in DOS, every disk gets its own drive letter. A second hard drive will be named D:!

In this level, we loaded up the flag to D:. How to switch drives? Just type the letter and a colon:

C:\> P:
P:\>

Of course, we don't have a P drive, but we do have a D drive, and there's a flag in there! Go get it!

So, drives get letters. DOS used drives for storage (typically, spinning magnetic media), and you use drives to this day (typically, solid state drives). But DOS used something else: floppy disks.

The original floppy disk, hailing from the year 1971, was large (8 inches in diameter) and actually floppy. As time went on, the disks got smaller (first 5.25 inch, then finally 3.5 inches) and less floppy (the 3.5" inch floppy, which is the iconic 💾 floppy disk known to everyone of a certain age, was a floppy disk in a rigid plastic shell), but the general idea stayed the same: a circle magnetic media would have data written to it and read from it using a magnetic writer head housed in the floppy drive.

3.25 floppy disks were inserted into a slot in the floppy drive (making a satisfying click/thunk as the spring engaged!) and ejected by pressing a button (making a satisfying thunk/twang as the spring pushed them out!). In this dojo, this is emulated using the QEMU monitor TUI: you can load a disk from a list of disks and the disk loaded in the drive, but no cool audible/hactic feedback yet!

DOS assigned floppy drives the A: and B: drives, and "mounting" happened automatically on access (or, more specifically, there was no filesystem "mounting"; access just happened). The two letters were for computers that had both a 5.25" and a 3.5" floppy drive, but in this dojo, we only have one drive: A:.

This challenge places the flag.txt file in a floppy. Load it, switch to the A: drive, and type out the flag!

Until now, you have used DOS. Now, it's time to install it! You can use the provided floppies to install MS-DOS 6.22. Note that since each floppy only holds 1.44mb, it was necessary to ship software in multiple floppies. MS-DOS 6.22 used three disks, and you'll need to do some floppy juggling via the QEMU text interface to get everything set up.

Anyways, go install MS-DOS 6.22, load the flag floppy, and read the flag!

Any boot process includes not just the loading of the OS itself, but its initialization. In DOS, this was elegantly handled by autoexec.bat, a script that specified what commands would run when the system booted.

The autoexec.bat in this challenge deletes c:\flag.txt. To get the flag, you'll need to edit (that's the DOS text editor!) autoexec.bat to stop it from doing this. The edit editor is a TUI (Text User Interface) that is most similar to something like Linux's nano: you can access the various menu items using your Alt key (e.g., Alt-F to open the File menu).

In this challenge, you will need to:

• edit autoexec.bat to stop it from deleting the flag on startup
• quit the interface and relaunch it (this will reload the flag onto the disk)

Good luck!

You may have noticed that DOS is missing some niceties of the Linux commandline, such as command history. Luckily, this functionality can be enabled, via the doskey command! Once doskey is loaded, you gain access to command history with up/down arrows and command line editing (in case you hadn't noticed, left/right arrows haven't worked properly so far either)!

To enable doskey, just run:

C:\> doskey

Now you can press the up arrow to recall previous commands! Some useful doskey features:

• Up/Down arrows: Navigate command history
• Left/Right arrows: Move cursor within the line
• F7: Display command history in a popup
• F9: Select a command by number

This challenge will type (as if it's a user!) the flag as series of commands, then clear the screen. These command will be added to the history buffer, but only if doskey is running! And, again, by default, DOS doesn't have doskey running.

To solve it, you must edit autoexec.bat to have doskey loaded before those commands are typed. Once you have it in autoexec.bat, quit the challenge in text interface and relaunch it to retrigger the flag entry! If you manage to pull it off, you'll be able to scroll up (or display the full history) and copy out the flag!

FUN FACT: doskey was introduced in MS-DOS 5.0 (1991) and was a game-changer for productivity. Before doskey, if you made a typo in a long command, you'd have to retype the whole thing!

DOS predates modern networking by quite a long time. This means that networking in MS-DOS is somewhat awkward, but it also means that MS-DOS has support for a wide range of very different network technologies! So, it's a good thing, maybe?

Regardless, the design of DOS means that there is no kernel-resident network stack, unlike in modern operating systems. Instead, a driver is yeeted into some chunk of memory (which we'll cover in future additions to this module!), and registered to handle an x86 interrupt (typically something like int 0x60). Then the network program itself implements the entire networking stack: ARP, IP, DHCP, TCP, and all that fun stuff! Quite a wild lift!

Of course, this requirement made things very complicated. First, as this was before the rise of Open Source Software and widely available libraries, this induced a heavy development requirement on anyone that wanted to ship networked applications. Second, it required every different network application to be configured separately by the user! What a pain...

In this challenge, you'll experience some of this pain! You will need to:

• install the packet drivers (make sure to specify the interrupt!)
• install and configure mtcp
• netcat to 192.168.13.37 port 1337 for the flag!

You have the floppies you need. Good luck!

FUN FACT: This challenge is derived from Day 11 of the 2025 pwn.college Advent of Pwn, which inspired this whole dojo!