Flagbot
07/19/2022
By: smashmaster
Tags: misc ImaginaryCTF-2022
Problem Description:
I just learned how to make a cool new Discord bot! I'm storing my secrets on it- I challenge you to try to get the flag! (To access this challenge you must join our discord server at https://discord.gg/ctf). The only two commands are- ^help and ^flag. Bot Discord tag: Flagbot#1412
Hints:
Make a discord bot yourself, and check the toggles.
Fooling the Bot
We start by going to #bot-commands. We try to run the ^flag command after ^help, but we don’t have a role called “FlagMaster”.
Guess we need to dive a bit more into how Discord bots work. In this writeup I’ll just briefly outline how you tell Discord you want to make a bot, without going over any coding. If you’d like to follow along, open the Discord developers page in a browser tab and create a new application with a name of your choice.
Applications are not necessarily bots. For example, some sites like Discord bot lists and the ImaginaryCTF bot platform use them to verify a user’s Discord account, which makes things like "log in with Discord" possible. Discord offers a specific section for bots, as you see in the screenshot above. Let’s take a look (note: you may need to create a bot for the application if you haven’t done so yet).
Interesting toggle switch, if I may say. Also, these are the default toggles since I showed the configuration for a real bot above.
Wait, so by default bots are “public”, so anyone can invite them. Interesting, so can we try to invite FlagBot to our own server? It turns out we can. But we don’t have an invite button (probably because it isn’t verified), nor do we have a link.
Well, if we can’t find an invite link, let’s try to make an invite link. I’ll start by taking the invite link of a popular bot and analyzing it. For our example I’m using the Fish anti-phishing bot. We get
Let’s dissect the URL parameters (the part after the ?).
- client_id: A snowflake. See below for what a snowflake is.
Sourced from Discord Developer Docs
- scope: A space-separated field. In this case we want to add a bot to the server, hence `bot`. We also need to add a separate `applications.commands` for Discord slash commands; however, it is not relevant to this challenge.
- permissions: A number where each bit corresponds to a different permission on Discord. This is quite a compact way to specify permissions! See picture below.
We’ll most likely be wanting to change the client id snowflake in this case so we invite the flagbot instead of Fish. Almost everything on discord has a snowflake id: servers (which are also called guilds), channels, messages, users, and more!
We conjecture that the client id is the same as bot user id. We can turn on developer mode to check.
Indeed we get the number 892420397570592768. Now let’s head over to the ImaginaryCTF Discord, get the ID of the bot, and swap it in. We’ll give the bot admin, cause why not; I don’t care about my emotes server.
Now let’s make our own FlagMaster role and run the command.
Now for the moment of truth.
There we have it. Now that we’re done let’s think about why we have snowflakes. For apps like discord to function we need to be able to reference various structures in a way that will always work. The names of a structure won’t work because those can be changed. Similarly discord usernames with a discriminator won’t work because you can change your username and with nitro you can try to change the discriminator as well. So we reference things by their snowflake which will never change unless discord bugs out.
Interesting things
- Snowstamp - A tool that allows you to derive the date and time of when something was created if it has a snowflake property.
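
Added example (not part of the original writeup): a Python script that audits a bot invite link along the lines of the dissection above, decoding the permissions bitfield and the creation time embedded in the client_id snowflake. The sample URL is constructed from the client ID shown in the writeup with permissions=8; the permission table is a subset of Discord's documented flags, and the function names and the high-risk grouping are assumptions made for this example.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

DISCORD_EPOCH_MS = 1420070400000  # 2015-01-01T00:00:00Z, per Discord's docs
# Subset of Discord's documented permission flags: bit position -> name.
PERMISSION_BITS = {
    0: "CREATE_INSTANT_INVITE", 1: "KICK_MEMBERS", 2: "BAN_MEMBERS",
    3: "ADMINISTRATOR", 4: "MANAGE_CHANNELS", 5: "MANAGE_GUILD",
    10: "VIEW_CHANNEL", 11: "SEND_MESSAGES", 13: "MANAGE_MESSAGES",
    28: "MANAGE_ROLES", 29: "MANAGE_WEBHOOKS",
}
# Assumption for this example: flags a server owner should question first.
HIGH_RISK = {"ADMINISTRATOR", "MANAGE_GUILD", "MANAGE_ROLES",
             "MANAGE_WEBHOOKS", "BAN_MEMBERS", "KICK_MEMBERS"}
# Constructed sample: client ID from the writeup, permissions=8.
SAMPLE_URL = ("https://discord.com/oauth2/authorize?client_id=892420397570592768"
              "&permissions=8&scope=bot%20applications.commands")

def decode_snowflake(snowflake):
    """Split a 64-bit snowflake into timestamp, worker, process, increment."""
    ms = (snowflake >> 22) + DISCORD_EPOCH_MS  # top 42 bits: ms since epoch
    unix_epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return {
        "created": unix_epoch + timedelta(milliseconds=ms),
        "worker": (snowflake >> 17) & 0x1F,
        "process": (snowflake >> 12) & 0x1F,
        "increment": snowflake & 0xFFF,
    }

def decode_permissions(value):
    """Name every set bit; bits missing from the table are kept as BIT_n."""
    return [PERMISSION_BITS.get(bit, f"BIT_{bit}")
            for bit in range(value.bit_length()) if value >> bit & 1]

def audit_invite(url):
    """Summarise what an invite link would grant before it is authorized."""
    query = parse_qs(urlsplit(url).query)
    client_id = query.get("client_id", [""])[0]
    if not (client_id.isascii() and client_id.isdigit()):
        raise ValueError("client_id is missing or not a snowflake")
    perms = decode_permissions(int(query.get("permissions", ["0"])[0]))
    return {
        "client_id": int(client_id),
        "app_created": decode_snowflake(int(client_id))["created"],
        "scopes": query.get("scope", [""])[0].split(),
        "permissions": perms,
        "high_risk": sorted(HIGH_RISK.intersection(perms)),
    }

if __name__ == "__main__":
    for key, value in audit_invite(SAMPLE_URL).items():
        print(f"{key}: {value}")
```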