This is a walkthrough of the machine Potato from OffSec's Proving Grounds Play labs.

Machine information:

  • Level: Easy
  • Community rating: Intermediate
  • Flags: 2
  • OS: Linux
  • Vector: Webapp, local

Nmap

sudo nmap -A --open -sV -sC -v -p- <IP>

Starting off with an Nmap scan, we discover the following open ports:

  • 22 - SSH
  • 80 - HTTP
  • 2112 - FTP

FTP

From the Nmap scan results, we can see that anonymous login is allowed and that the server lists two files.

We can log in to FTP anonymously and download both files to take a closer look.

ftp <IP> 2112

mget *

The first file, welcome.msg, contains nothing useful.

The second file, index.php.bak, contains the source code of the login page and reveals the following:

  • A hardcoded password, potato, which a comment in the source notes has likely been changed
  • Flawed authentication logic: the code checks that the supplied username is equal to "admin" and that the password matches the (likely changed) variable $pass. The comparison is flawed because it uses "==", which checks value equivalence without type checking. If we supply the password parameter as a different type, such as an array, strcmp() yields NULL instead of an integer, and the loose "==" comparison treats NULL as equal to 0, so the check evaluates to true and authentication is bypassed
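The flawed comparison and a hardened replacement, as an added PHP example (not the machine's actual index.php.bak, which this post does not reproduce; the variable name $pass and the exact shape of the check are assumed from the description above):

```php
<?php
// Added example: reconstructs the pattern described above, not the real
// index.php.bak. $pass (the stored password) and the check's shape are assumed.

// Vulnerable pattern. strcmp() given an array returns NULL (with a warning)
// on PHP 7, and the loose comparison NULL == 0 is true, so sending the
// password parameter as an array satisfies the check without knowing $pass.
// On PHP 8 strcmp() throws a TypeError instead, which still breaks the page.
function login_vulnerable($username, $password, $pass)
{
    return $username == "admin" && strcmp($password, $pass) == 0;
}

// Hardened pattern: reject any non-string input before comparing, compare the
// username strictly, and use hash_equals() for the secret, which is strict
// about its argument types and runs in constant time.
// A real deployment should store a hash and verify it with password_verify()
// rather than keeping a plaintext $pass in the source.
function login_hardened($username, $password, $pass)
{
    if (!is_string($username) || !is_string($password)) {
        return false;
    }
    return $username === "admin" && hash_equals($pass, $password);
}

// Constructed input for the demonstration; the real value was changed.
$stored = "potato";

// Wrong string password: rejected by both versions.
var_dump(login_vulnerable("admin", "wrong", $stored));
var_dump(login_hardened("admin", "wrong", $stored));

// Array in place of the password string (the type confusion described above):
// accepted by the vulnerable check on PHP 7, rejected by the hardened one.
var_dump(@login_vulnerable("admin", ["x"], $stored));
var_dump(login_hardened("admin", ["x"], $stored));
```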

Webapp

With a valid username and a method to bypass authentication in hand, we still need to find the login page.

Visiting the webapp on port 80 returns a placeholder page:

We can brute-force directories and pages with a tool such as gobuster or dirb:

dirb http://<IP>/

Shortly after starting, dirb finds a page at /admin, which contains the login form:

Bypassing authentication

To start off, we fire up Burp Suite and capture a POST request from the form:

Using the credentials we found earlier does not work:

Next, we bypass authentication by intercepting the POST request and modifying it as follows:

Initial access

With access to the admin dashboard, we discover a page at /admin/dashboard.php?page=log, which allows us to view log files:

Since the page loads a file by name, it may be vulnerable to local file inclusion (LFI). We can capture the request and modify the file parameter to point to /etc/passwd, which should be readable:

After forwarding the request, we are presented with the contents of /etc/passwd, which also contains a password hash for the user webadmin:

To crack this hash, we can use john:

john --wordlist=/usr/share/wordlists/rockyou.txt webadmin.hash

Now, with a valid username and password in hand, we can log in over SSH and read the first flag, local.txt:

ssh webadmin@<IP>

Privilege escalation

Checking which commands we can run with sudo, we find the entry /bin/nice /notes/*:

sudo -l

Despite the restriction, sudo matches the argument against /notes/* as a string, so a path that traverses out of /notes still satisfies the rule. We can therefore run nice on a traversal path back to /bin/bash, spawn a root shell, and read the second flag, proof.txt:

sudo /bin/nice /notes/../../../../bin/bash
