A file named log.txt is present. Used the get command to download it.
log.txt contains important information about FTP and NFS:
SSH key location
Anonymous FTP login allowed
Using the nmap command above, how many shares have been found?
3
Once you're connected, list the files on the share. What is the file you can see?
log.txt
What port is FTP running on?
21
What mount can we see?
/var
Enumerate RPC Bind
We have the /var directory as a mount.
Gain initial access with ProFtpd
Search for exploits for ProFTPD 1.3.5.
The vulnerable ProFTPD 1.3.5 version allows unauthenticated copying of files. Copy the SSH key we found earlier to the /var folder.
The mod_copy module implements SITE CPFR and SITE CPTO commands, which can be used to copy files/directories from one place to another on the server. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination.
Now we can mount the /var folder on our machine and get the private key.
Copy the key to the current folder and use it to access the machine.
Let's get the version of ProFTPD. Use netcat to connect to the machine on the FTP port.
What is the version?
1.3.5
How many exploits are there for the ProFTPd running?
4
What is Kenobi's user flag (/home/kenobi/user.txt)?
d0b0f3f53b6caa532a83915e19224899
Privilege Escalation
Check for SUID binaries.
We found a suspicious binary.
Checking the strings shows that the binaries are called without a full path.
Copy the shell to the current directory and rename it to curl, add permissions to it, and add the directory to PATH.
Now run menu and select the option, and we will get the root shell. Using curl did not work for me.
which sh
cp /bin/sh .    # or: echo /bin/sh > ifconfig
cp sh ifconfig
chmod +xs ifconfig
export PATH=/home/kenobi:$PATH
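The root cause of the escalation above is a SUID binary that lets the shell resolve a command name through PATH. As an added example (not from the original write-up and not the room's binary), the C below puts that pattern beside a hardened form; the function names and the /sbin/ifconfig location are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable pattern: system() hands the bare name "ifconfig" to /bin/sh,
 * which resolves it through the caller-controlled PATH. In a SUID-root
 * program the first match on PATH runs with root privileges. */
int show_interfaces_vulnerable(void)
{
    return system("ifconfig");
}

/* Hardened pattern: absolute path only, no shell, fixed environment.
 * Returns the child's exit status, or -1 if the request is refused or fails.
 * (run_fixed is a hypothetical helper name used for this example.) */
int run_fixed(const char *abs_path, char *const argv[])
{
    static char *const clean_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    int status;
    pid_t pid;

    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                          /* refuse anything PATH would resolve */

    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, clean_env);  /* execve never searches PATH */
        _exit(127);                         /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* /sbin/ifconfig is an assumed location; adjust it to the target system. */
    char *const argv[] = { "ifconfig", NULL };
    int rc = run_fixed("/sbin/ifconfig", argv);
    printf("ifconfig exit status: %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

Removing the SUID bit from a binary that does not need it closes the same hole without a code change.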
searchsploit -m 36803.py
python2 -m pip install requests
This did not work for me; we may need write permissions for it to work. It also has a Metasploit version, which will not work either.