Nmap Output:
ftp
After logging in to FTP anonymously, listing the files with ls shows nothing.
But when we list with ls -la, we can see the '…' file. This is the importance of using -la…
There is a file named '-' in this folder. Let's read it.
We need to change the name
welllllllll
We can go to port 62337 and log in with john:password.
Title of the page: Codiad 2.8.4
A quick search on ExploitDB turns up: https://www.exploit-db.com/exploits/49705
We read the usage and get the shell as follows.
We do not have permission to read user.txt in the Drac folder, but we can read .bash_history.
Drac's password:
We got our first flag.
sudo -l
What we need to do at this stage is this.
First of all, we edit the vsftpd.service file in the 'drac@ide:/etc/systemd/system/multi-user.target.wants' folder as follows.
Then we listen on the port and restart the service.
and we become root.
By the way, port 8989 did not work for me and I got the root shell from port 4545.
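The escalation above depends on a systemd unit file that a non-root account can edit and a service restart that runs it as root. The audit below is an added example, not part of the original writeup; `risky_units`, `demo` and the temporary directory tree are constructed for illustration, and the trusted-uid list is an assumption you would set to `(0,)` on a real host.

```python
import os
import stat
import tempfile

UNIT_SUFFIXES = (".service", ".socket", ".timer", ".path", ".mount")

def risky_units(root, trusted_uids=(0,)):
    """Return sorted (path, reason) pairs for unit files an untrusted user could edit."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(UNIT_SUFFIXES):
                continue
            link = os.path.join(dirpath, name)
            try:
                # Entries under *.wants are usually symlinks: check the real file.
                st = os.stat(os.path.realpath(link))
            except OSError:
                continue  # dangling symlink, nothing to execute
            reasons = []
            if st.st_uid not in trusted_uids:
                reasons.append(f"owned by uid {st.st_uid}")
            if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
                reasons.append(f"writable by gid {st.st_gid}")
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if reasons:
                findings.append((link, ", ".join(reasons)))
    return sorted(findings)

def demo():
    """Build a constructed unit tree and return the flagged paths relative to it."""
    with tempfile.TemporaryDirectory() as root:
        wants = os.path.join(root, "multi-user.target.wants")
        os.makedirs(wants)
        # Constructed sample: one loosely-permissioned unit, one normal unit.
        for name, mode in (("vsftpd.service", 0o666), ("ssh.service", 0o644)):
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("[Service]\nExecStart=/bin/true\n")
            os.chmod(path, mode)
            os.symlink(path, os.path.join(wants, name))
        # The demo files belong to the current user, so trust that uid here.
        found = risky_units(root, trusted_uids=(0, os.getuid()))
        return [(os.path.relpath(p, root), r) for p, r in found]

if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

On a real system, point `risky_units` at `/etc/systemd/system` and `/lib/systemd/system`, and review any hit together with the `sudo -l` output of the accounts that can restart that service.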