Recon with nmap

Nmap scan report for 10.129.68.235
Host is up (0.17s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rwxr-xr-x    1 0        0            2533 Apr 13  2021 backup.zip
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.14.13
|      Logged in as ftpuser
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp open  ssh     OpenSSH 8.0p1 Ubuntu 6ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c0:ee:58:07:75:34:b0:0b:91:65:b2:59:56:95:27:a4 (RSA)
|   256 ac:6e:81:18:89:22:d7:a7:41:7d:81:4f:1b:b8:b2:51 (ECDSA)
|_  256 42:5b:c3:21:df:ef:a2:0b:c9:5e:03:42:1d:69:d0:28 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: MegaCorp Login
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelN

use filezilla to login as anonymous user

sudo apt install filezilla -y

Try to use unzip to decompress the file we took from ftp

unzip backup.zip

but it need password, so we need to find tools to bruteforce it

Brute force zip file with john and zip2john

get zip file hash by zip2john

zip2john backup.gz > backup.zip.hash

use rockyou.txt

ls /usr/share/wordlist

ls /usr/share/wordlists/
total 51M
lrwxrwxrwx 1 root root  25 Nov 10 05:19 dirb -> /usr/share/dirb/wordlists
lrwxrwxrwx 1 root root  30 Nov 10 05:19 dirbuster -> /usr/share/dirbuster/wordlists
lrwxrwxrwx 1 root root  35 Nov 10 05:19 dnsmap.txt -> /usr/share/dnsmap/wordlist_TLAs.txt
lrwxrwxrwx 1 root root  41 Nov 10 05:19 fasttrack.txt -> /usr/share/set/src/fasttrack/wordlist.txt
lrwxrwxrwx 1 root root  45 Nov 10 05:19 fern-wifi -> /usr/share/fern-wifi-cracker/extras/wordlists
lrwxrwxrwx 1 root root  46 Nov 10 05:19 metasploit -> /usr/share/metasploit-framework/data/wordlists
lrwxrwxrwx 1 root root  41 Nov 10 05:19 nmap.lst -> /usr/share/nmap/nselib/data/passwords.lst
-rw-r--r-- 1 root root 51M Oct 13 18:43 rockyou.txt.gz
lrwxrwxrwx 1 root root  25 Nov 10 05:19 wfuzz -> /usr/share/wfuzz/wordlist