So this machine is very easy so lets do our first scan and we found ftp and ssh open and the FTP has anonymous access allowed.

So lets go to

ftp <ip>

so now we will have access to the file system and we can gain access to the user flag already. now lets look around and in the file structure there is a weird directory called notread when we traverse in there we find a gpg and a asc file . The asc file is something we can import to crack into the gpg file and get whatever is in there to do it lets do

gpg --import private.asc

and it gives us a password prompt which we dont have so lets crack this using johntheripper and to crack gpg files we first need to crack the asc one using

gpg2john private.asc > crackme
john crackme

then we will get a whole shadow file with the root credentials in there which we can copy and paste in a file and then use john with a rockyou.txt wordlist to find our solution.

and gg cat out the root.txt