
vikeCTF - Robo Erik

Description

Category: Misc

Uh oh! It looks like there’s a robot viking in our midst, what power does it have?

You’ll have to join the vikeCTF Discord for this challenge, I trust that you can find the link :)

RoboErik#9494

Attachments:

1. Overview

Quick walkthrough of the Discord bot source file (bot.py):

  1. we can use the bot only if we have a role named Organizer (from is_organizer);
  2. the only command is export which returns the last three messages of a given channel of the vikeCTF server.

From the previous two points, we can deduce that the flag is in a channel of the vikeCTF server and that we need to use the command so the bot prints it.

Also, the channel holding the flag must be hidden from everyone except the bot; otherwise there would be no point in fetching a channel's history through the bot when we could read it ourselves.

At the end of the day, the goal is to find this secret channel.

2. Solution

How can we find channels that we do not have access to?

In fact, we can see all the channels of a server, but they are not necessarily displayed to us.

When we navigate to a server in the Discord client (the app), it first sends a request to the Discord API, which returns everything about the server to the client. The client then filters the response and displays only the things (channels, messages, …) that the user has access to.

So the Discord client is just an interface to the Discord API. We can of course talk to the API ourselves, either by sending requests manually or with an existing wrapper.

In our case, we will use discord.py-self, which is a Python wrapper.

You will need a Discord account token (not a bot token!), and this Discord account must be in the vikeCTF server in order to get data from it.

We know that the goal is to read the flag from a secret channel with the bot (RoboErik). This implies that the bot has the permission to read the secret channel.

Knowing that, we can list all channels of the server that RoboErik can read:

import discord

class Client(discord.Client):
    def __init__(self, TOKEN):
        super().__init__()
        self.TOKEN = TOKEN
        self.run(self.TOKEN)

    async def on_ready(self):
        VIKECTF_GUILD_ID = 1065757344459411486
        g = self.get_guild(VIKECTF_GUILD_ID)
        
        # Get the RoboErik user
        RoboErik = g.get_member(1215472389677256754)
        
        # For all channels in the server
        for c in g.channels:
            # Only print channels that RoboErik can read
            if c.permissions_for(RoboErik).read_message_history:
                print(c.name, c.id, c.type)


# Placeholder: substitute the account token here
bot = Client("YOUR_DISCORD_TOKEN")

We got the following channels:

Admin 1065763192518758513 category
welcomes 1065757344459411489 text
open-ticket 1065849106800595054 text
announcements 1065848648170209320 news
rules 1065763111010844774 text
robo-37 1215800581189533696 text

Admin is a category, so there is nothing we can do with it. But robo-37 is more than suspicious; let’s use the bot to print its history:

Discord command: /export channel_id: 1215800581189533696
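
The defensive counterpart to this export step, as an added example that is not taken from the challenge's bot.py: an export command should authorize on the invoking member's own permissions in the target channel, not on what the bot itself can read. The sketch models Discord's documented permission-overwrite order on plain data so it runs offline; the class names, may_export and every ID below are assumptions constructed for illustration.

```python
# Added example: plain-data model of Discord's overwrite order; all IDs constructed.
from dataclasses import dataclass, field

ADMINISTRATOR = 1 << 3
VIEW_CHANNEL = 1 << 10
READ_MESSAGE_HISTORY = 1 << 16
NEEDED = VIEW_CHANNEL | READ_MESSAGE_HISTORY

@dataclass
class Channel:
    guild_id: int
    overwrites: dict = field(default_factory=dict)  # role/member id -> (allow, deny)

@dataclass
class Member:
    id: int
    guild_id: int
    role_ids: list  # roles other than @everyone

def channel_permissions(member, channel, role_perms):
    """Effective permission bits; the @everyone role id equals the guild id."""
    everyone = channel.guild_id
    base = role_perms[everyone]
    for rid in member.role_ids:
        base |= role_perms[rid]
    if base & ADMINISTRATOR:
        return ~0  # administrators bypass channel overwrites
    allow, deny = channel.overwrites.get(everyone, (0, 0))
    perms = (base & ~deny) | allow
    role_allow = role_deny = 0
    for rid in member.role_ids:
        a, d = channel.overwrites.get(rid, (0, 0))
        role_allow, role_deny = role_allow | a, role_deny | d
    perms = (perms & ~role_deny) | role_allow
    allow, deny = channel.overwrites.get(member.id, (0, 0))
    return (perms & ~deny) | allow

def may_export(invoker, channel, role_perms):
    """Authorize the export on the invoker's own rights, not the bot's."""
    if invoker.guild_id != channel.guild_id:
        return False  # invoker is not a member of the channel's guild
    return channel_permissions(invoker, channel, role_perms) & NEEDED == NEEDED

# Constructed scenario: guild 1, Organizer role 20, bot role 30, hidden channel.
ROLES = {1: NEEDED, 20: 0, 30: 0}
HIDDEN = Channel(1, {1: (0, VIEW_CHANNEL), 30: (VIEW_CHANNEL, 0)})
ORGANIZER = Member(100, 1, [20])
BOT = Member(200, 1, [30])
print(may_export(ORGANIZER, HIDDEN, ROLES), may_export(BOT, HIDDEN, ROLES))
```

With this check in place, holding a role named Organizer is not enough to export a channel the invoker cannot already view.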

Flag

And we indeed got the flag: vikeCTF{17D1DN7100K1N53CUr3}

This post is licensed under CC BY 4.0 by the author.