nmap all ports to see port 4994 is open, just nc to it to get flag
Going back to port 324 (ftp)
the flag is in .../.../.flag
curling port 22 robots.txt gives you a string in base58, decode to get /clue3349203.txt, curl that to get a lot of jsfuck, decode that to get an employee id, and then use that on port 4994 to get the flag
if we scan port 324, we can see it is an ftp server, which allows anonymous login.
ls -a ing gives us a ... dir (wow thanks hq), and then cding into it and ls -a ing again gives us a .stayhidden file. reading this gives us another employee id, which we can use to login to port 4994 again.
nmap, see http port on port 22, curl it to get flag