Full Report
We have written a lot about SenseCon by now, but there is one more thing we can talk about! In this post I want to detail the Discord bot and associated challenges that we built. We were going to use Discord as our main communication channel and wanted a way to ensure that it was only accessible to Orange Cyberdefense hackers in an automated way. This was a good opportunity to look into writing a Discord bot. If you are looking for the source code, you can find it here.
Analysis Summary
# Tool/Technique: SenseCon Discord Bot
## Overview
A custom-developed Discord bot used by Orange Cyberdefense hackers for automated access control and interactive challenges during the SenseCon event. Its primary purpose was to ensure the Discord server was accessible only to authorized members and to facilitate fun, educational challenges related to security concepts.
## Technical Details
- Type: Tool (Custom Application/Bot)
- Platform: Discord (Python implementation using the Discord Python API)
- Capabilities: Automated user verification, role assignment based on interactions (challenges/country selection), file delivery, password hash submission tracking, and limited administrative functions (sending channel messages, role extraction).
- First Seen: November 2020 (Based on publication date)
## MITRE ATT&CK Mapping
The described functionality of the bot primarily relates to access control and interactive simulation rather than traditional offensive TTPs, but elements map as follows:
- **TA0001 - Initial Access**
  - T1591 - Domain Request (Implied in verification process using company email domain for access)
- **TA0005 - Persistence**
  - T1078.003 - Valid Accounts: Local Accounts (Role assignment acts as a form of persistence/authorization)
- **TA0002 - Execution**
  - T1204.002 - User Execution: Malicious File (The bot facilitates "downloading" challenge files, though the nature is not specified as malicious)
- **TA0007 - Discovery**
  - T1087.001 - Account Discovery: Local Account (The bot uses user IDs and roles for tracking)
## Functionality
### Core Capabilities
* **User Verification:** Users had to send a direct message (DM) to the bot containing `!verify @orangecyberdefense.com`. The bot would then send an OTP via email, which the user had to reply with via DM to gain access.
* **Role Assignment (Geo-location):** Users assigned themselves a country role by reacting to a welcome message with their country's flag emoji (implemented via `on_raw_reaction_add`).
* **Challenge Tracking:** The bot awarded specific roles (e.g., `challenge:x`) upon completion of interactive security challenges.
* **Challenge File Delivery:** Users could request files related to a password cracking challenge by sending the command `!download ` in a DM.
* **Password Submission:** Users could submit cracked passwords by sending a text file attached to a DM containing the command `!submit `.
### Advanced Features
* **Challenge: Sneaky:** Triggered the `challenge:sneaky` role assignment when a user edited a message (`on_raw_message_edit`). This was later refined to exclude message edits that included Discord embeds (e.g., GIFs/YouTube links).
* **Challenge: Hacker (Verification Bypass Flaw):** Exploited flawed regex logic in the verification process, allowing users to bypass the domain check by including a dummy `@orangecyberdefense.com` email address as the second email in the input (e.g., `!verify [email protected]@orangecyberdefense.com`).
* **Challenge: Hacker (OTP Flaw):** Exploited a potential logic flaw in which an incorrect OTP submission reset the server-side expected OTP to '0', so a user who failed an initial attempt could then submit '0' and pass.
* **Challenge: Fuzzer:** Awarded the `challenge:fuzzer` role if a user reacted to the welcome message with the specific emoji `:computer:`. The bot immediately cleared this reaction afterward.
* **Anti-Cheating Logic:** Assigned a `lazy` role to users who uploaded files larger than 200,000 bytes during password submission, discouraging the use of large wordlists.
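The two `challenge:hacker` flaws above (the multi-address regex bypass and the OTP state reset) come down to input validation and state management. The following is an added illustration, not the SenseCon bot's own code: `otp_target_flawed` is an assumed reconstruction of the vulnerable pattern (accept the input if any extracted address is on the allowed domain, then mail the first one), `otp_target_hardened` is the corrected check, and `OtpStore` shows one-shot OTP handling that never falls back to a predictable value on a wrong guess. The regex, function names and sample inputs are all constructed for this example.

```python
import re
import secrets

# Assumed reconstruction for illustration; not the SenseCon bot's own code.
ALLOWED_DOMAIN = "orangecyberdefense.com"
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def otp_target_flawed(arg: str):
    """Flawed pattern: extract every address, pass if *any* is on the allowed
    domain, then send the OTP to the *first* one.  A dummy allowed-domain
    address appended as a second token routes the OTP to an arbitrary mailbox."""
    emails = EMAIL_RE.findall(arg)
    if any(e.lower().endswith("@" + ALLOWED_DOMAIN) for e in emails):
        return emails[0]          # OTP recipient
    return None


def otp_target_hardened(arg: str):
    """Hardened: exactly one token, whole-token match, exactly one '@', and the
    domain must equal (not merely end with) the allowed domain."""
    tokens = arg.split()
    if len(tokens) != 1:
        return None
    token = tokens[0]
    if token.count("@") != 1 or not EMAIL_RE.fullmatch(token):
        return None
    local, domain = token.split("@")
    if domain.lower() != ALLOWED_DOMAIN:
        return None
    return f"{local}@{domain.lower()}"


class OtpStore:
    """One-shot OTP per user: a wrong guess discards the pending code rather
    than leaving a predictable fallback value in place."""

    def __init__(self):
        self.pending = {}

    def issue(self, user_id: int) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[user_id] = code
        return code

    def check(self, user_id: int, guess: str) -> bool:
        expected = self.pending.pop(user_id, None)      # single use either way
        return expected is not None and secrets.compare_digest(expected, guess.strip())
```

With the constructed input `attacker@evil.example dummy@orangecyberdefense.com`, the flawed check would mail the OTP to the first address while the hardened check rejects the input outright.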
## Indicators of Compromise
* **File Hashes:** Not applicable (Custom tool source code is publicly available via GitHub).
* **File Names:** Challenge files downloaded via `!download` command.
* **Registry Keys:** Not applicable.
* **Network Indicators:** No external malicious C2 infrastructure discovered; communication was limited to legitimate Discord API endpoints and standard email services for OTP delivery.
* **Behavioral Indicators:**
  * Successful connection and interaction via the Discord API.
  * Rapid role assignment following message edits, reactions, or DMs containing specific commands (`!verify`, `!download`, `!submit`).
  * Observation of users inputting multiple email addresses in a single verification command.
  * File uploads exceeding 200,000 bytes to the bot's DM channel.
## Associated Threat Actors
* Orange Cyberdefense personnel (Developers and intended users for SenseCon).
* Attendees/Participants of SenseCon (Exploiting the challenges).
## Detection Methods
* **Signature-based detection:** Applicable only to the potential content of challenge files if they were later weaponized, but not for the bot execution itself.
* **Behavioral detection:** Monitoring Discord audit logs and bot interactions for unexpected behavior, specifically:
  * Bots programmatically editing messages or assigning roles based on reaction additions.
  * Authentication attempts utilizing multiple email formats or the specific string structure flaws noted in the `challenge:hacker`.
* **YARA rules:** Not applicable.
## Mitigation Strategies
* **Prevention:** Rigorous security testing for custom automation software, especially involving input validation (regex, string parsing) and state management before deployment.
* **Hardening Recommendations:**
  * Do not rely solely on string matching for complex pattern validation (e.g., email verification should use robust, dedicated libraries or more complex verification flows than simple regex extraction).
  * Thoroughly test all event triggers (`on_raw_message_edit`, `on_raw_reaction_add`) for unintended side effects, such as media embeds triggering role assignment.
## Related Tools/Techniques
* Python libraries specifically for Discord bot development (Discord Python API).
* Techniques related to bypassing insecure input validation (related to `challenge:hacker` bypass).
* Fuzzing techniques applied against application interfaces (related to `challenge:fuzzer`).