msf6 auxiliary(scanner/ftp/anonymous) > use auxiliary/scanner/ftp/ftp_version
msf6 auxiliary(scanner/ftp/ftp_version) > set rhost 192.168.56.102
rhost => 192.168.56.102
msf6 auxiliary(scanner/ftp/ftp_version) > exploit

[+] 192.168.56.102:21     - FTP Banner: '220 Microsoft FTP Service\\x0d\\x0a'
[*] 192.168.56.102:21     - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

We can see that the host runs a Microsoft FTP service, so as a first step we can try to connect over FTP.

msf6 auxiliary(scanner/ftp/ftp_version) > ftp 192.168.56.102
[*] exec: ftp 192.168.56.102

Connected to 192.168.56.102.
220 Microsoft FTP Service
Name (192.168.56.102:shenzen): vagrant
331 Password required for vagrant.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls
229 Entering Extended Passive Mode (|||49362|)
125 Data connection already open; Transfer starting.
01-09-22  02:14AM       <DIR>          aspnet_client
01-09-22  02:11AM                   28 caidao.asp
01-09-22  02:11AM                34251 hahaha.jpg
01-09-22  02:11AM              1116928 index.html
01-09-22  02:11AM              2439511 seven_of_hearts.html
01-09-22  02:11AM               384916 six_of_diamonds.zip
01-09-22  02:14AM               184946 welcome.png
226 Transfer complete.

We can retrieve the contents of all the files with the following command:

┌──(shenzen㉿shenzen)-[~]
└─$ wget -m ftp://vagrant:*password*@192.168.56.102
--2023-01-05 11:06:00--  ftp://vagrant:*password*@192.168.56.102/
           => ‘192.168.56.102/.listing’
Connecting to 192.168.56.102:21... connected.
Logging in as vagrant ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD not needed.
==> PASV ... done.    ==> LIST ... done.

We obtain the following list of files:

125 Data connection already open; Transfer starting.
01-09-22  02:14AM       <DIR>          aspnet_client
01-09-22  02:11AM                   28 caidao.asp
01-09-22  02:11AM                34251 hahaha.jpg
01-09-22  02:11AM              1116928 index.html
01-09-22  02:11AM              2439511 seven_of_hearts.html
01-09-22  02:11AM               384916 six_of_diamonds.zip
01-09-22  02:14AM               184946 welcome.png
226 Transfer complete.

We notice that there is a password-protected zip, so we try to find out what kind of zip it is. We can see that it contains an image.

┌──(shenzen㉿shenzen)-[~/192.168.56.102]
└─$ zipinfo six_of_diamonds.zip
Archive:  six_of_diamonds.zip
Zip file size: 384916 bytes, number of entries: 1
-rw-a--     6.3 fat   384732 Bx stor 16-Sep-20 13:31 six_of_diamonds.png
1 file, 384732 bytes uncompressed, 384732 bytes compressed:  0.0%
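An added example, not part of the original write-up: the same metadata that `zipinfo` reads above (encryption flag, storage method, size), taken from the archive's central directory in Python without needing the password. The sample archive, its entry name and the scheme labels are constructed for illustration; the encryption flag is set by hand because `zipfile` cannot write encrypted archives.

```python
import io
import struct
import zipfile

AES_METHOD, AES_EXTRA_ID = 99, 0x9901      # WinZip AES markers
METHODS = {0: "stored", 8: "deflated", AES_METHOD: "aes-wrapped"}
SAMPLE_PAYLOAD = b"\x89PNG constructed placeholder bytes"   # constructed, not a real image

def build_sample_zip(encrypted: bool = True) -> bytes:
    """Constructed one-entry stored archive; optionally mark it encrypted by
    setting general-purpose flag bit 0 (the payload itself is NOT encrypted)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("sample_card.png", SAMPLE_PAYLOAD)   # hypothetical entry name
    raw = bytearray(buf.getvalue())
    if encrypted:
        # Flags sit at offset 6 of the local header and offset 8 of the central one.
        for off in (raw.find(b"PK\x03\x04") + 6, raw.find(b"PK\x01\x02") + 8):
            flags, = struct.unpack_from("<H", raw, off)
            struct.pack_into("<H", raw, off, flags | 0x1)
    return bytes(raw)

def extra_ids(extra: bytes) -> set:
    """Header IDs present in an entry's extra field (ID, size, data records)."""
    ids, pos = set(), 0
    while pos + 4 <= len(extra):
        hid, size = struct.unpack_from("<HH", extra, pos)
        ids.add(hid)
        pos += 4 + size
    return ids

def describe_entries(data: bytes) -> list:
    """Report per-entry protection without needing the password."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if not info.flag_bits & 0x1:
                scheme = "none"
            elif info.compress_type == AES_METHOD or AES_EXTRA_ID in extra_ids(info.extra):
                scheme = "winzip-aes"
            elif info.flag_bits & 0x40:
                scheme = "pkware-strong"
            else:
                scheme = "zipcrypto (legacy)"
            report.append({"name": info.filename, "scheme": scheme,
                           "method": METHODS.get(info.compress_type, str(info.compress_type)),
                           "size": info.file_size})
    return report

if __name__ == "__main__":
    for row in describe_entries(build_sample_zip()):
        print(row)
```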

When we unzip the archive, we get an image: