I'm far from being a guru but i think i have an idea of what you mean.
I think that if your ftp server is badly configured woth bad permissions you'll be able to go to the parent folder until you're in /
Then you can go in /etc and read passwd.
You take the encrypted root password and brute force it.
nb : on my distro (debian) and most of them now, passwords are stored into the /etc/shadow file which is only readable by root so you might not be able to gain root access like that
The other one is when you have to type program instead of ./program to execute your program called program
So i go into tmp, i create a script called ls.
When root comes into /tmp he naturally wants to ls the directory and he might going to execute you program instead of /bin/ls.
Your program that you called ls will be executed with the identity of root, so i assume it will have the root privileges then you can imagine that the system is yours
Ciao