Challenge Description

Danish (Original)

Vi har lavet en super sej discord server til alle DDC Admins. For at gøre det let at tilføje nye admin har jeg lavet en bot! Her er et link til serveren. I får også sourcekoden så I kan se hvordan den virker.

English (Chatgpt)

We have created a super cool Discord server for all DDC Admins. To make it easy to add new admins, I have made a bot! Here is a link to the server. You’ll also get the source code so you can see how it works.

File

We are also given the source code for the bot:

Solution

The bot is a pretty simple verification bot, use the command !verifyme and wait for a moderator to react to a message in the hidden verification channel with ✅. But the moderator is not going to do that, so lets do it ourselves.

The flaw in code is in the check function that checks if the reaction that we are waiting for is the correct one (as seen on line 67 - 73, and waiting for on line 77)

Line 67 - 73:

def check(reaction, reactor):
  return (
    str(reaction.emoji) == "✅"
    and reaction.message.content == msg
    and reaction.message.channel.name == VERIFICATION_CHANNEL_NAME
    and any([r.name == MODERATOR_ROLE_NAME for r in reactor.roles])
  )

line 77:

reaction, moderator = await bot.wait_for('reaction_add', check=check)

The flaw here is that the reaction_add event that the bot is waiting for is not bound to the scope of the guild that we used the command in and all of the checks is based on the names and content of channels, roles and messages instead of unique references (snowflake ids) to these.

This means that if we can add the bot to our own server, where we have a role called moderator, a channel called verification with the exact message, and we then react with ✅, the bot will see it and pass all the checks.

So create a server, add the moderator role, and the verification channel.

The message takes a bit of work since we need to mention a role from another server. But by knowning the underlying syntax of mentions, this becomes easy:

  • @user = <@user-id>
  • @role = <@&role-id>
  • #channel = <#channel-id>

So the message would be (1293636473291014184 is the role id of moderator from the server): <@your-user-id> has requested verification. Moderators with <@&1293636473291014184>, please verify.

And in discord:

And to add the bot to our server we need to make the correct OAuth2 URL (the add app button on the bot only adds it with the default scope which is not bot). We get the default url by right-clicking the add app button on the bot: https://discord.com/oauth2/authorize?client_id=1293624223008559165.

We need to add some more parameters.

  • The permissions parameter controls its permissions, I have set it to 8 here for administrator which means all permissions.
  • The scope parameter controls the scope of application, we set it to bot here.

So the new URL is: https://discord.com/oauth2/authorize?client_id=1293624223008559165&permissions=8&scope=bot. Pasting this into a browser allows us to add the bot to our server.

Now just use the !verifyme command in the challenge server and react to your verification message in your own server. You should now have the member role and be able to see the challenge-writeups channel to get the flag:

And the flag is DDC{d1sc0rd_b0t5_4r3_h4rd}.