Tags: discord forensics
## Challenge Solution
If we unzip the file, we get two directories: `servers/` and `messages/`.
The `servers/index.json` file lists all the servers that the admin is in.
```json
{
"1096132565473185943": "umatCTF",
"1413604022524504140": "nerd gang",
"2305958240504668178": "Another Day in the Office",
"2995880694897871716": "quid quid quid",
"3892684830668403085": "nightmarenightmarenightmare",
"3938017843030807365": "g a m e",
"5115895875925400861": ":pensive:",
"5637967242009544879": "Anime Lovers!!",
"6022673965195755026": "skewl is kewl",
"6742550644772811498": "Linux Supremacy!!!",
"6757217571278520277": "Gaming Gamers:tm:",
"7122463034215894721": "I Use Arch BTW",
"7199551760858494183": "Minecraft",
"7761814952870634272": "ctf addictz",
"7809235826282824337": "Harry potter fan club!!",
"8342281329734105691": "Cyber Gamers",
"9143121095442396776": "Vibin and Thrivin",
"9568074521608062202": "APTs R Us"
}
```
A Discord-hosted CTF is mentioned in the challenge description, so we can assume that "umatCTF" is the server to inspect.
```sh
cd messages
# Print every channel.json (with its path, -H) that mentions the umatCTF guild
find . -type f -name channel.json -exec grep -H "umatCTF" {} \; 2>/dev/null
```
We'll get this result:
```
c1096155190467498098/channel.json:{"id": "1096155190467498098", "type": 0, "name": "announcements", "guild": {"id": "1096132565473185943", "name": "umatCTF"}}
c1096174308394553364/channel.json:{"id": "1096174308394553364", "type": 0, "name": "error-log", "guild": {"id": "1096132565473185943", "name": "umatCTF"}}
c1096175436750389400/channel.json:{"id": "1096175436750389400", "type": 0, "name": "challenges", "guild": {"id": "1096132565473185943", "name": "umatCTF"}}
```
There are `challenges`, `error-log` and `announcements` channels, and all of them have `"type": 0`, meaning they are text channels.
```
0: Text Channel
1: Direct Message (DM)
2: Voice Channel
3: Group Direct Message (DM)
4: Category Channel
5: News Channel
6: Store Channel
13: Stage Channel
```
Now we can read the messages:
```sh
cat c1096155190467498098/messages.csv
cat c1096174308394553364/messages.csv
cat c1096175436750389400/messages.csv
```
After reading the messages, we find that the admin accidentally attached a PNG file, `yep_cool_name.png`, that displays the flag for the challenge `bad flag`. We also get the attachment ID (which is different from the message ID): `1098484588457771049`. We already know the `challenges` channel's ID: `1096175436750389400`.
The CDN caches files for up to a week, so deleted files can still be accessed. The URL format is simple:
```
https://cdn.discordapp.com/attachments/<channel_ID>/<attachment_ID>/<filename>
```
Now we can get the image that displays the flag.
https://cdn.discordapp.com/attachments/1096175436750389400/1098484588457771049/yep_cool_name.png
flag: `gigem{d15c0rd_k3ep5_d3l37ed_f1l3s?!?!}`
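The steps above (filter `channel.json` by guild, read each `messages.csv`, split the CDN link into channel ID, attachment ID and file name) can be done in one pass. This is an added example, not part of the original write-up; the `ID,Timestamp,Contents,Attachments` CSV header is an assumption about the export format, and the guild name, IDs and file name in the sample are constructed.

```python
import csv, json, re, tempfile
from pathlib import Path

# Layout from the write-up: messages/c<channel_id>/{channel.json,messages.csv}
# Assumed CSV header (not shown on the page): ID,Timestamp,Contents,Attachments
CDN_RE = re.compile(r"https://cdn\.discordapp\.com/attachments/(\d+)/(\d+)/([^\s?]+)")

def guild_channels(messages_dir, guild_name):
    """Map channel ID -> channel name for every channel in the named guild."""
    found = {}
    for meta in sorted(Path(messages_dir).glob("*/channel.json")):
        try:
            ch = json.loads(meta.read_text(encoding="utf-8"))
        except (OSError, json.JSONDecodeError):
            continue  # unreadable or malformed metadata: skip it
        # DM channels carry no "guild" key, so guard the lookup
        if (ch.get("guild") or {}).get("name") == guild_name:
            found[ch["id"]] = ch.get("name", "")
    return found

def attachment_refs(messages_dir, channel_id):
    """Return (message_id, channel_id, attachment_id, filename) per CDN link."""
    refs = []
    path = Path(messages_dir) / f"c{channel_id}" / "messages.csv"
    with path.open(newline="", encoding="utf-8") as fh:
        for row in csv.DictReader(fh):
            for field in (row.get("Contents") or "", row.get("Attachments") or ""):
                for m in CDN_RE.finditer(field):
                    refs.append((row.get("ID"), m.group(1), m.group(2), m.group(3)))
    return refs

def build_sample(root):
    """Constructed sample; IDs and file name are placeholders, not the challenge's."""
    guild = {"id": "900", "name": "exampleCTF"}
    chans = {"111": {"id": "111", "type": 0, "name": "challenges", "guild": guild},
             "222": {"id": "222", "type": 1}}  # DM: no "guild" key
    head = "ID,Timestamp,Contents,Attachments\n"
    leak = "5001,2023-01-01 00:00:00,oops,https://cdn.discordapp.com/attachments/111/7001/sample.png\n"
    for cid, meta in chans.items():
        d = Path(root) / f"c{cid}"
        d.mkdir(parents=True)
        (d / "channel.json").write_text(json.dumps(meta))
        (d / "messages.csv").write_text(head + (leak if cid == "111" else ""))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for cid, name in guild_channels(tmp, "exampleCTF").items():
            print(name, attachment_refs(tmp, cid))
```

Each returned tuple keeps the message ID next to the attachment ID, which makes the difference between the two visible when auditing an export for files that were posted and later deleted.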