pnshthecorrupt 1 point ago +1 / -0

Again, you're conflating FTP users with local OS user accounts. If the FTP server service daemon is running as root and is allowed to execute commands, it could chown or chmod any directory on the box. It depends on the level of access the default FTP user that was exposed has in regard to the FTP software. There was a HackTheBox box a while back where exactly that happened - credentials were exposed for an FTP user that had access to an administrative console for an FTP service that was running as root. Through the console, the low-privileged user account was able to execute commands as root via PHP, which led to root on the box.

The Windows angle still stands as directly as I pointed out. NT Authority\SYSTEM doesn't care about NTFS file system rights. In fact, on a domain-joined box, it doesn't care about domain permissions either (if located on local disks for the compromised box). I've dumped entire user share directories from the root (example, users$ with a bunch of users under that) using this method before, and those had domain permissions set so that only the individual user had read/write (not full control) on the directories. Even DA and EA groups didn't have access. SYSTEM didn't care.

We don't know what OS this box was running, but depending on how it was misconfigured, getting access to contents of the whole box is entirely possible.