THM Kenobi - grunt92/IT-Sec-WriteUps GitHub Wiki

Deploy the vulnerable machine

Make sure you're connected to our network and deploy the machine

No answer needed

Scan the machine with nmap, how many ports are open?

Run nmap -A -p- IP. Ignore the ports whose entries end like this: "(RPC #100****)".

7

Enumerating Samba for shares

Using the nmap command above, how many shares have been found?

3

Once you're connected, list the files on the share. What file can you see?

log.txt

What port is FTP running on?

21

What mount can we see?

/var

Gain initial access with ProFtpd

What is the version?

1.3.5

How many exploits are there for the ProFTPd version running?

4

We know that the FTP service is running as the Kenobi user (from the file on the share) and an ssh key is generated for that user.

No answer needed

We know that the /var directory is a mount we can see (task 2, question 4), so we have now moved Kenobi's private key into the /var/tmp directory.

No answer needed

What is Kenobi's user flag (/home/kenobi/user.txt)?

After connecting over SSH with the recovered id_rsa key, run cat user.txt to get the flag.

d0b0f3f53b6caa532a83915e19224899

Privilege Escalation with Path Variable Manipulation

What file looks particularly out of the ordinary?

/usr/bin/menu

Run the binary, how many options appear?

3

We copied the /bin/sh shell, named the copy curl, gave it execute permissions and put its directory at the front of our PATH. When the /usr/bin/menu binary was run, it used our PATH variable to look up "curl" and found our copy of /bin/sh instead. Because the binary is SUID and runs as root, it ran our shell as root.

No answer needed
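The following C program is an added example, not code from this write-up or from the THM room, written from the defender's side. It shows the two halves of the problem above: find_in_path emulates the left-to-right PATH search that system()/execvp() perform for a bare command name like "curl", so you can see how a writable directory placed early in PATH wins the lookup; is_trusted_path and run_trusted show the fix a SUID program should apply (absolute path under a system directory, inherited environment discarded, fixed PATH). The function names, the SAFE_PATH policy and the directory list are assumptions for illustration.

```c
/* Added example (not from the Kenobi write-up): why a SUID binary that
 * invokes a helper by bare name is hijackable through PATH, and how the
 * same call looks once the binary pins an absolute path and its own PATH.
 * Hypothetical names: find_in_path, is_trusted_path, run_trusted, SAFE_PATH. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* PATH a privileged program should set for itself instead of inheriting
 * the caller's (assumed policy: system directories only). */
#define SAFE_PATH "/usr/bin:/bin"

/* Emulates the lookup execvp()/system() perform for a bare command name:
 * walk PATH left to right and return the first directory holding an
 * executable of that name. Returns 1 and fills out on success, else 0. */
int find_in_path(const char *cmd, const char *path, char *out, size_t outlen)
{
    if (cmd == NULL || path == NULL || outlen == 0 || strchr(cmd, '/') != NULL)
        return 0;                       /* names containing '/' are not searched */
    char *copy = strdup(path);
    if (copy == NULL)
        return 0;
    int found = 0;
    char *save = NULL;
    for (char *dir = strtok_r(copy, ":", &save); dir != NULL;
         dir = strtok_r(NULL, ":", &save)) {
        if (snprintf(out, outlen, "%s/%s", dir, cmd) >= (int)outlen)
            continue;                   /* candidate too long for the buffer */
        if (access(out, X_OK) == 0) {   /* first executable match wins */
            found = 1;
            break;
        }
    }
    free(copy);
    if (!found)
        out[0] = '\0';
    return found;
}

/* A privileged program should only invoke helpers by absolute path under a
 * system directory; a bare name or something like /var/tmp/curl is refused. */
int is_trusted_path(const char *p)
{
    static const char *const roots[] = { "/usr/bin/", "/bin/", "/usr/sbin/", "/sbin/" };
    if (p == NULL || p[0] != '/' || strstr(p, "/../") != NULL)
        return 0;
    for (size_t i = 0; i < sizeof roots / sizeof roots[0]; i++) {
        size_t n = strlen(roots[i]);
        if (strncmp(p, roots[i], n) == 0 && p[n] != '\0')
            return 1;
    }
    return 0;
}

/* Hardened replacement for a system("curl ...") call inside a SUID binary:
 * refuse untrusted paths, drop the inherited environment and exec with a
 * fixed PATH so the caller's environment cannot choose what runs.
 * Returns -1 if refused or if exec fails; never returns on success. */
int run_trusted(const char *abs_path, char *const argv[])
{
    if (!is_trusted_path(abs_path))
        return -1;
    char *const env[] = { "PATH=" SAFE_PATH, NULL };
    execve(abs_path, argv, env);
    return -1;
}

int main(void)
{
    char resolved[512];
    /* Constructed caller PATH with a world-writable directory in front. */
    const char *caller_path = "/tmp:" SAFE_PATH;
    if (find_in_path("sh", caller_path, resolved, sizeof resolved))
        printf("bare name \"sh\" under caller PATH resolves to %s\n", resolved);
    if (find_in_path("sh", SAFE_PATH, resolved, sizeof resolved))
        printf("bare name \"sh\" under SAFE_PATH resolves to %s\n", resolved);
    printf("/var/tmp/curl trusted: %d\n", is_trusted_path("/var/tmp/curl"));
    printf("/usr/bin/curl trusted: %d\n", is_trusted_path("/usr/bin/curl"));
    return 0;
}
```

The lookup order is the whole story: a SUID binary that calls "curl" by name delegates the choice of binary to whoever controls PATH, which is the unprivileged caller. Auditing for this means listing SUID executables and checking their strings for bare command names passed to system() or exec*p(); the remediation is the run_trusted pattern (absolute path, scrubbed environment) or dropping the SUID bit.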

What is the root flag (/root/root.txt)?

Run cat /root/root.txt to get the flag.

177b3cd8562289f37382721c28381f02