I loaded up the page and was greeted with a dice selection and a tray at the bottom which would let me drag the dice into:

I draged 1d10 and 1d12 into the tray and hit "Roll":

Results appeared showing a total of 18. Basically, the dice were being added up and calculated. I was thinking, maybe some kind of XSS? But I continued to look at the requests being made.

I deleted the word none, tried an empty rollOption. Nothing. No real difference. The response loaded up. I figured that this meant it expected and needed the word "none" otherwise it wouldn't give us any output.

I added the unix id command separated by a semi-colon. In unix, the ; symbol in a command means "execute this command, then the next one".

So my logic was: if it expects none, we can satisfy that, then afterwards, we can maybe run our own command and it may run anyway. Spoiler? It did:

From here, I ran a few commands before finding one that led to the flag:

Working command:

Thanks for following along!

🍺 Quick message to readers: if my writeups help you, please consider a small donation to my buymeacoffee link here. This is not required but is very much appreciated! 🍺