Everybody plays games, and a whole lot of people plays computer games. Despite this fact, very few of us, security researchers consider them as interesting targets. Granted, you won't likely be able to directly hack into a big corporate network via game exploits, but you could for example target the people running the company via their favorite games. Or their children's favorite games. Another scenario: you should consider that a hacked game could allow Not So Admirable people access to your internal network - which at first does not seem that big of a deal considering it's "just" a home network, but when you realize all your mobile phones, your TV set, your VOIP phones, your security cameras, and even your smart house sensors and controllers are part of that network, it looks much more scary. Games are also interesting from a technical standpoint too, since they tend to be quite complex. The majority of them have networking, and they process complex data structures (maps, saved games, etc.) which makes them ideal fuzzing targets. But this talk is not about those kind of exploits. Hackers tend to ignore the low hanging fruits in favor of beautiful exploits, but we really shouldn't - bad guys don't care about how sophisticated some exploit is, they only care about the results. This is why I have decided to take a look around and see what's already there in the games that allows access to the gamers' network. Thus this research about how game scripting engines can be abused started. I'll show in this talk that playing on custom game servers and playing community created maps could easily lead to code execution on our machines - more so, in most cases without the need to bypass the operating system's exploit mitigation techniques. My targets include popular games and game engines like CryEngine 3, Dota 2, Garry's Mod, ARMA3 and Digital Combat Simulator. I'll show a wide range of script abuse from a simple direct command execution in an unrestricted scripting environment through brute forcing a security camera via HTTP requests to complex script sandbox escapes.