
@dz-root
Last active October 24, 2022 17:55
Cheshire Cat - Root-me CTF10K

Cheshire Cat

Overview

Category: Misc

Ech0, an administrator of Root-Me, created a Discord bot to remember the password of his account. It allows him to remember his complex password anywhere. He tells you that this bot is secure because only he can ask for the password. This challenge can be solved with the bot on the Root-Me server: Cheshire#3457. It will only answer you in the #ctf-bot channel, but it will not give you any flags.

Author : Nishacid#1337


Solve

Methodology

Let's start by chatting with the bot in order to understand how it works. When we open the bot's profile, the About section contains the description "We Are All Mad Here !help", so let's send !help first.

Avalaible commands:
    !help : Display this menu
    !password : A password for my master
    !talk : One of my favorite expressions

Interesting... Let's now send !password. The response we get is: "I don't like to talk in DM, invite me for a cup of tea". When we send !talk, it responds with some deep philosophical quote, like "We're all mad here. I'm mad. You're mad." 😅

What caught my attention was "invite me for a cup of tea". If we create our own Discord server and invite the bot, it will consider us an admin, because that's what we are in our own server :p

Attack

We assume that we have already created our server.

  1. Get the ID of the bot. Here it is: 971520199515836456

  2. Generate an invitation link. We need to replace the value of client_id with the ID of the bot: https://discord.com/oauth2/authorize?client_id=__BOT_ID__&permissions=8&scope=bot (or we could generate it from https://discordapi.com/permissions.html).

  3. Invite the Cheshire Cat bot to the Discord server that we previously created.

  4. Once the bot is active in our server, we can ask it again for the password by sending `!password`. And... here it is 😃 🚩

🚩 Hello master, here's your password: "RM{d0n't_l3t_y0uR_b0Ts_pUbl1c}" 🤪
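The root cause, shown as an added example that is not the challenge bot's code: a check that trusts a guild-local admin permission, next to one bound to a fixed owner ID and a guild allowlist. The bot's real check is not shown in this write-up, so `weak_is_master` is an assumption modelled on the behaviour observed above; all IDs, names and the `Ctx` type are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed placeholder IDs (assumptions, not values from the challenge).
OWNER_ID = 111111111111111111          # the one account allowed to read the secret
TRUSTED_GUILDS = {222222222222222222}  # servers the bot is meant to operate in


@dataclass(frozen=True)
class Ctx:
    """Minimal stand-in for what a bot sees when a command arrives."""
    author_id: int
    guild_id: Optional[int]        # None for a direct message
    author_is_guild_admin: bool    # Administrator permission in *that* guild


def weak_is_master(ctx: Ctx) -> bool:
    # Trusts a permission scoped to whatever guild the message came from.
    # Anyone who creates a guild is administrator of it.
    return ctx.guild_id is not None and ctx.author_is_guild_admin


def strict_is_master(ctx: Ctx) -> bool:
    # Bind the decision to a global identity and to known guilds;
    # guild-local permissions play no part.
    return ctx.author_id == OWNER_ID and ctx.guild_id in TRUSTED_GUILDS


def should_stay_in_guild(guild_id: int) -> bool:
    # Hook for a guild-join handler: leave any server not on the allowlist.
    return guild_id in TRUSTED_GUILDS


# Constructed scenarios.
SCENARIOS = {
    "owner in trusted guild": Ctx(OWNER_ID, 222222222222222222, True),
    "stranger, admin of own guild": Ctx(333333333333333333, 444444444444444444, True),
    "owner in unknown guild": Ctx(OWNER_ID, 444444444444444444, True),
    "stranger in DM": Ctx(333333333333333333, None, False),
}


def evaluate() -> dict:
    return {name: (weak_is_master(c), strict_is_master(c)) for name, c in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (weak, strict) in evaluate().items():
        print(f"{name:30} weak={weak!s:5} strict={strict}")
```

Independently of the in-code check, the Discord Developer Portal has a "Public Bot" setting on the application's Bot page; turning it off means only the application owner can add the bot to a server.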
