Simon McCabe

OSCP · OSWP · PWPP · PWPA · PAPA · EnCE · Linux+ · LPIC-1 · Network+ · Security+ · Pentest+ · eJPT · eWPT · BSc · PGCert

DiceForge (RCE)


A new playground appeared. DiceForge! Let’s give it a go!

I loaded up the page and was greeted with a dice selection and a tray at the bottom that I could drag the dice into:

I dragged 1d10 and 1d12 into the tray and hit “Roll”:

Results appeared showing a total of 18. Basically, the dice were being added up and calculated. I was thinking, maybe some kind of XSS? But I continued to look at the requests being made.

I deleted the word none, tried an empty rollOption. Nothing. No real difference. The response loaded up. I figured that this meant it expected and needed the word “none” otherwise it wouldn’t give us any output.

I added the Unix id command, separated by a semicolon. In a Unix shell, the ; symbol in a command means “execute this command, then the next one”.

So my logic was: if it expects none, we can satisfy that, then afterwards, we can maybe run our own command and it may run anyway. Spoiler? It did:

From here, I ran a few commands before finding one that led to the flag:

Working command:
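Added example (not from the original write-up, and not the challenge's actual code): a Python sketch of why a value like "none; id" gets executed when a parameter is pasted into a shell string, next to a hardened handler. The backend, the function names and every allowed value except "none" are assumptions, and a harmless echo stands in for the second command.

```python
import subprocess

# Assumption: the real DiceForge backend is not shown in the write-up. These
# hypothetical handlers only model "rollOption ends up in a command line".
# "none" comes from the page; the other allowed values are made up.
ALLOWED_ROLL_OPTIONS = {"none", "advantage", "disadvantage"}

# Constructed sample input: the expected value, a separator, a harmless command.
PAYLOAD = "none; echo SECOND-COMMAND-RAN"


def roll_vulnerable(roll_option):
    """Interpolates the parameter into a shell string, so ';' starts a new command."""
    cmd = f"echo rolling option={roll_option}"
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout.splitlines()


def roll_argv_only(roll_option):
    """No shell: the parameter is a single argv element, so ';' is just data."""
    argv = ["echo", "rolling", f"option={roll_option}"]
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout.splitlines()


def roll_hardened(roll_option):
    """Allow-list the value first, then still avoid the shell."""
    if roll_option not in ALLOWED_ROLL_OPTIONS:
        raise ValueError(f"unsupported rollOption: {roll_option!r}")
    return roll_argv_only(roll_option)


if __name__ == "__main__":
    print("vulnerable:", roll_vulnerable(PAYLOAD))   # two lines: two commands ran
    print("argv only :", roll_argv_only(PAYLOAD))    # one line: payload echoed as text
    try:
        roll_hardened(PAYLOAD)
    except ValueError as exc:
        print("hardened  :", exc)                    # rejected before any process starts
```

The vulnerable handler returns two output lines because the shell ran two commands; the hardened one never starts a process for a value outside the allow-list.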

Thanks for following along!
