RedTeam
2.Scanning-and-Enumeration
3.Ports
Ports-Links
20-and-21-FTP
Proftpd

ProFTPd

ProFtpd is a free and open-source FTP server, compatible with Unix and Windows systems. Its also been vulnerable in the past software versions.

Lets get the version of ProFtpd. Use netcat to connect to the machine on the FTP port.

We can use searchsploit to find exploits for a particular software version.

You should have found an exploit from ProFtpd's mod_copy module. 

The mod_copy module implements SITE CPFR and SITE CPTO commands, which can be used to copy files/directories from one place to another on the server. Any unauthenticated client can leverage these commands to copy files from any part of the filesystem to a chosen destination.

We know that the FTP service is running as the X user (from the file on the share) and an ssh key is generated for that user. 

We're now going to copy X user private key using SITE CPFR and SITE CPTO commands.

We knew that the /var directory was a mount we could see. So we've now moved Kenobi's private key to the /var/tmp directory.

Lets mount the /var/tmp directory to our machine

mkdir /mnt/kenobiNFS  
mount machine_ip:/var /mnt/kenobiNFS  
ls -la /mnt/kenobiNFS

We now have a network mount on our deployed machine! We can go to /var/tmp and get the private key then login to Kenobi's account.