Tags: misc discord
Fun fact - this was a real vulnerability in ez.ctf.cafe that let me view the challenges and submit flags through the bot before the challenge had started.
To do this, enable developer mode in your user settings so that you can copy Cafe Bot's ID. Then right-click its profile and copy the ID, `971520199515836456`.
Now, we take a random bot's invite link from top.gg, like Mudae's: `https://discord.com/oauth2/authorize?client_id=432610292342587392&permissions=537159744&scope=applications.commands%20bot`, and change the `client_id` to Cafe Bot's ID.
I'll also change `applications.commands%20bot` to `bot`, meaning we're no longer requesting slash command permissions but are still adding it as a bot, and change `permissions= . . . ` to `permissions=8` to give the bot full administrator permissions.
Now we have our invite: https://discord.com/oauth2/authorize?client_id=971520199515836456&permissions=8&scope=bot
Now, add this bot to any server where you have administrator permissions, and run `?flag` in that server. It should give you the flag!
I didn't use it at the time, but another member of the EZ-CTF Discord server suggested using https://discordapi.com/permissions.html to create the invite, and I'd agree that it's much more efficient.
If you're making a bot and want to prevent this, disable the "Public Bot" option in your app's config on https://discord.com/developers. This will make sure that only you can add the bot to a server.
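For server admins reviewing a bot invite before approving it, the following added example (not part of the original writeup or of Cafe Bot's code) parses an invite link of the form shown above and decodes its `permissions` integer into named grants. The bit table is a subset of Discord's documented permission bitfield; the `HIGH_RISK` set and the function names are assumptions chosen for this illustration.

```python
from urllib.parse import urlparse, parse_qs

# Subset of Discord's permission bitfield: bit position -> name.
PERMISSION_BITS = {
    0: "CREATE_INSTANT_INVITE", 1: "KICK_MEMBERS", 2: "BAN_MEMBERS",
    3: "ADMINISTRATOR", 4: "MANAGE_CHANNELS", 5: "MANAGE_GUILD",
    6: "ADD_REACTIONS", 7: "VIEW_AUDIT_LOG", 10: "VIEW_CHANNEL",
    11: "SEND_MESSAGES", 13: "MANAGE_MESSAGES", 14: "EMBED_LINKS",
    15: "ATTACH_FILES", 16: "READ_MESSAGE_HISTORY", 17: "MENTION_EVERYONE",
    18: "USE_EXTERNAL_EMOJIS", 28: "MANAGE_ROLES", 29: "MANAGE_WEBHOOKS",
}
# Assumption: grants a reviewer should question before approving a bot.
HIGH_RISK = {"ADMINISTRATOR", "MANAGE_GUILD", "MANAGE_ROLES", "MANAGE_WEBHOOKS",
             "KICK_MEMBERS", "BAN_MEMBERS", "MANAGE_CHANNELS"}


def decode_permissions(value):
    """Return the names of the set bits; bits not in the table become BIT_<n>."""
    return [PERMISSION_BITS.get(bit, f"BIT_{bit}")
            for bit in range(value.bit_length()) if value >> bit & 1]


def audit_invite(url):
    """Parse a Discord OAuth2 authorize URL and summarise what it requests."""
    parsed = urlparse(url)
    if parsed.hostname != "discord.com" or parsed.path != "/oauth2/authorize":
        raise ValueError("not a discord.com OAuth2 authorize URL")
    query = parse_qs(parsed.query)
    client_id = query.get("client_id", [""])[0]
    raw_perms = query.get("permissions", ["0"])[0]
    if not (client_id.isdigit() and raw_perms.isdigit()):
        raise ValueError("client_id and permissions must be unsigned integers")
    perms = decode_permissions(int(raw_perms))
    return {
        "client_id": client_id,
        "scopes": query.get("scope", [""])[0].split(),  # %20 decodes to a space
        "permissions": perms,
        "high_risk": sorted(HIGH_RISK.intersection(perms)),
    }


# The two invite links from the writeup above.
MUDAE = ("https://discord.com/oauth2/authorize?client_id=432610292342587392"
         "&permissions=537159744&scope=applications.commands%20bot")
CAFE = ("https://discord.com/oauth2/authorize?client_id=971520199515836456"
        "&permissions=8&scope=bot")

if __name__ == "__main__":
    for link in (MUDAE, CAFE):
        print(audit_invite(link))
```
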