Home Buckeye CTF 2022 - quizbot - Writeup
Post
Cancel

Buckeye CTF 2022 - quizbot - Writeup

Posted Nov 11, 2022 Updated Nov 12, 2022
By fortis1
1 min read

challenge-description

Quizbot functionality

Let’s take a quick look at what quizbot does. When we join the channel, it welcomes us with the following message:

pic-2

So the first important thing quizbot can do is assign a role depending on what emoji you react with.

The second feature of quizbot is taking a quiz:

pic-3

As we can see, upon completing the quiz, the bot sends a message with our name in it.

Thank you, fortis1

That is super interesting - whenever an application returns your input in some way, it is worth looking more into.

Exploiting the bot

In the source code we find on_raw_reaction_add() function - it is called whenever we react on any of the bot’s messages.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

@client.event
async def on_raw_reaction_add(event):
    emoji = event.emoji
    user = client.get_user(event.user_id)
    member = guild.get_member(event.user_id)
    channel = client.get_channel(event.channel_id)
    message = await channel.fetch_message(event.message_id)

    if (
        message.author != client.user
        or user == client.user
    ):
        return

    lines = message.content.split("\n")[1:]
    for line in lines:
        try:
            line_reaction, role_name = line.strip().split(" ", 1)
        except ValueError:
            continue

        if str(emoji) == line_reaction:
            role = discord.utils.get(guild.roles, name=role_name)
            if member:
                await member.add_roles(role)

Basically, it splits the message that received a reaction by newline, ignores the first line, and then from every other line gets the first two strings: reaction and role. Taking welcoming message as an example, a line would be:

1

👶 Thoroughly research and solve the challengee

If the emoji a user reacted with matches the reaction that’s in the line, quizbot assign the corresponding role. Now, the function was clearly made for the purpose of welcoming message. But what would happen if we reacted on a quiz message?

pic-4

Well … nothing, really. The function is triggered but there are no lines with emojis to split and check. But if we could format the message properly, we could force quizbot to assign us any role we want - like admin.

pic-5

Yessir! After reacting to bot’s message with 🦉 emoji, we are given a new role:

pic-6

And we have access to a secret admin-only channel with the flag:

pic-7

ctf
buckeye2022 writeup web
This post is licensed under CC BY 4.0 by the author.
Recently Updated
Contents