Home Botgov 1,2 & 3
Post
Cancel

Botgov 1,2 & 3

Intro

Botgov is a discord bot on the CCSC server where the idea was to beat him in a game of chess by sending commands the other two challenges were more web based.


Botgov I

Description

Botgov is waiting for you on Discord. Can you beat him?


Going to the discord bot and sending a message we get the following response

Lets have a look at the help menu

For the first challenge we only need the !chess [algebraic chess notation] command. We can send chess moves like so: !chess e4

And then botgov will reply and wait for our next move

Since i can not play chess, not even to save my life, i thought i can just play an online game as black with a strong chess engine like stockfish and just clone the engines moves.

I tried a couple of sites but the one that worked best for me was lichess

Click on play with computer and set the highest difficulty and choose black

Here we can see the site played d4 so i also cloned this move, next botgov played Nf6 and just like before i cloned this move to the site and kept playing

After winning the game we get the flag

flag: CCSC{w0w_th4t_Wa5_a_200IQ_M0V3}


Botgov II

Description

Botgov is waiting for you on Discord. This time he is super-powered. Find another way to beat him.


This time the description is telling us that botgov is super powered, so im guessing this is more of a web challenge than playing chess. Lets have a look at the help menu again

Here we can use the command !chess botgov-ii to start the second challenge, and like before we can use !chess botgov-ii [algebraic chess notation] to send our moves.

Lets have a look.

This time we get a link, by visiting the link we find:

Wow, looks like botgov truly is overpowered, so im guessing we can not actually play and win. We can send him moves but that will not be the solution to this challenge. We also notice the resign button on the web page, whys there a resign button on the web page though, since we can just use the !chess resign button from the help page?

Taking a closer look at the resign button we see it makes a GET request to http://<link>/resign

Meaning we can resign just by visiting https://botgov.cybermouflons.com/botgov-ii/f3432bb5-b7bb-4fc2-92e8-819cc2386759/resign

Taking a closer look at the help menu we also see another option that could come in handy

!chess cybersec [input]

This command only accepts urls from the cybermouflons.com domain. So we can not perform any RCE vulnerabilities since we do not control the site it is visiting.

But we can make Botgov-ii resign by forcing him to issue a GET request to /resign, like so:

!chess cybersec https://botgov.cybermouflons.com/botgov-ii/f3432bb5-b7bb-4fc2-92e8-819cc2386759/resign

After issuing this command we get the second flag

flag: CCSC{s0_sneAky_h0w_did_y0u_d0_THAT}


Botgov III

Description

Botgov is waiting for you on Discord. Again, he’s super-powered and knows about your last trick. Can you beat him again


Just like before we issue a !chess botgov-iii command and receive a link to the web page.

Okay now botgov isnt joking, he will always win in one move. From the description the author mentions that botgov knows about our last trick, lets try and find the fix by viewing the resign button source code again.

Okay now the resign path need to be a POST request, meaning we can not use the same method as before since the command cybersec performs a GET request.

We notice a html comment in the source code that states the html is weak.

To recap, we need to make botgov resign, we can not use the same method as before.

One thing that i noticed on the web page was my discord name, i tried to change my nickname and see if it changes in the game also, if it does i could try XSS and make botgov hit the resign button.

I changed my nickname

Got a fresh game link from botgov with !chess botgov-iii

Perfect, next i changed my nickname to <script>alert(1)</script>

And indeed i got XSS, now all i needed to do is create a payload that hits the resign function: <body onload="resign()">

By visiting the link with my new nickname i automatically resigned, meaning the payload worked, now we can just send the same link to botgov with the cybersec command.

flag: CCSC{sp3ct4cular_P3rf0rmanc3_WELL_deserv3d}

NOTE: Because i didnt want the ruin the solution to others that were in the discord server i created another user (TasosK) and went offline so the name would be a bit more discrete

Big well done to koks the author of the challenge! Amazing chall! <3

This post is licensed under CC BY 4.0 by the author.