This is a walkthrough of the machine Gaara from OffSec's Proving Grounds Play labs.
Machine information:
- Level: Easy
- Community rating: Easy
- Flags: 2
- OS: Linux
- Vector: SSH, local
Nmap
sudo nmap -A --open -sV -sC -v -p- <IP>
Starting off with an Nmap scan, we discover the following open ports:
- 22 - SSH
- 80 - HTTP

Webapp
The web application on port 80 only contains an image, and does not lead anywhere on the surface.

In retrospect, reading other writeups, the intended path for initial access involves fuzzing the web application to discover a username. While working this lab, I got lucky by inferring the correct username from the lab's name/web application title - as you will see next.
Initial access
Given the web application's title, Gaara, we can try to brute-force SSH with hydra, using gaara as the username:
hydra -l gaara -P /usr/share/wordlists/rockyou.txt <IP> -t 64 ssh

With a valid pair of credentials in hand, we can SSH in and obtain the first local.txt flag:
ssh gaara@<IP>

Privilege escalation
Manually enumerating executables with the SUID bit set, we find /usr/bin/gdb:
find / -perm -u=s -type f 2>/dev/null

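With the SUID bit set, gdb starts with the file owner's effective UID, so its embedded Python interpreter can call os.setuid(0) before spawning a shell. We can abuse this to escalate privileges and obtain the second proof.txt flag by running: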
gdb -nx -ex 'python import os; os.setuid(0)' -ex '!/bin/sh' -ex quit

