Racecondition_Ctf
=================

.. post:: Oct 11, 2025
   :tags: hacking, CTF
   :category: writeups

Pre attack writeup
==================

The goal of this CTF is to exploit a race condition. We are given three bank accounts and need to get at least one of them to a balance of over $1000. We are given the credentials of all three accounts, and by logging in we can see that each starts with $100. We also get the option to transfer funds to the other two accounts. The bank takes a small fee from each transfer, but this should not matter in the long run if the attack is performed correctly, since the attack wins by getting more transfers accepted than the sender's balance should allow.

Tools
......

The tools I will use for this are simple: Firefox for initial recon, and Burp Suite with the Proxy and Repeater modules.

Initial Recon
=============

The first thing I look for is how the data is being sent. I first test the application itself without any kind of proxy, then retry it through Burp Suite (or another intercepting proxy) to see how the data is sent on the wire. We see that the transfer is submitted as a POST request.

Request Handling
================

Since the transfer is a POST request, we can add copies of it to a Repeater tab group and try the group send options. In this CTF it will be POST requests, and I need to exploit a race condition in the transfer handler in order to get an account to a $1000 balance: the server checks the sender's balance and then debits it as separate steps, so if several transfers arrive inside that window they can all pass the check against the same starting balance.

Accounts
========

I will be using this account as the sender:

- Username: 4621
- Password: blueapple

and sending to:

- Username: 6282
- Password: whiteHorse

Early Attempts
==============

The first two group send options did not fully work. There was a slight increase in funds, but when attempting the attack with a higher amount ($90) it did not work. I also managed to DoS the server by accident... oops.

Here we see our "sender" account ran out of funds before we were able to increase the receiver's balance. The server reports this in the JSON response, in the ``result`` field: ``false``.

Strategy Adjustment
===================

I will have to restart the server to get the website back up before trying the third group send option.

At this point I am thinking the "single request" option might be the most exploitable, as I saw a small increase when sending race conditions with just $1. Obviously that would not be enough to hit the $1000 goal, but it could work if I try to send more. I will take another look at this after trying the last option.

Final Execution
===============

I attempted the first option again with a higher amount; however, it failed. I then tried the last option (last-byte sync, which Burp labels "Send group in parallel") and it worked. The first two options send the requests one after another, so each transfer is fully processed before the next one is checked; only the parallel send lands all of the requests inside the check-then-debit window. 50 synced requests got me up to $560, so all I needed to do was perform the same attack from the third account.
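To make the mechanics concrete, here is an added example (mine, not the CTF's server code) that models the vulnerable transfer handler and fires a batch of simultaneous transfers at it, the way the last-byte-sync group send does. The 2% fee, the account numbers, the in-memory "database" and the timing gap between the balance check and the debit are all assumptions; the point is that the check-then-act gap, not the exact numbers, is what the attack exploits. The fixed handler holds a lock across the check and the debit, which is what a real implementation would do with a database transaction and a row lock.

```python
"""Toy model of a bank transfer race condition (added example, not the CTF's code).

The vulnerable handler mimics a server that runs a separate "SELECT balance"
and "UPDATE balance" without a transaction: each statement is atomic on its
own, but nothing stops N concurrent requests from all passing the check
against the same starting balance.
"""
import threading
import time

FEE_PERCENT = 2          # assumed: the bank skims a small fee from each transfer
WORK_DELAY = 0.05        # assumed: server-side work between the check and the debit


class Bank:
    def __init__(self, balances):
        self.balances = dict(balances)   # account number -> whole dollars
        self._stmt = threading.Lock()    # makes each single "statement" atomic
        self._txn = threading.Lock()     # used only by the fixed handler

    def _read(self, acct):
        with self._stmt:
            return self.balances[acct]

    def _add(self, acct, delta):
        with self._stmt:
            self.balances[acct] += delta

    def _credit_amount(self, amount):
        return amount - amount * FEE_PERCENT // 100

    def transfer_vulnerable(self, src, dst, amount):
        """Check, then act, with no lock spanning the two steps."""
        if self._read(src) < amount:
            return False                 # the "result": false the CTF server returns
        time.sleep(WORK_DELAY)           # the window every racing request lands in
        self._add(src, -amount)
        self._add(dst, self._credit_amount(amount))
        return True

    def transfer_fixed(self, src, dst, amount):
        """Same logic, but the check and the debit happen under one lock."""
        with self._txn:
            if self._read(src) < amount:
                return False
            time.sleep(WORK_DELAY)
            self._add(src, -amount)
            self._add(dst, self._credit_amount(amount))
            return True


def race(handler, src, dst, amount, n_requests):
    """Release n_requests identical transfers at the same instant (like Burp's
    last-byte sync) and return how many the handler accepted."""
    barrier = threading.Barrier(n_requests)
    results = []

    def worker():
        barrier.wait()                   # every thread blocks here, then all go at once
        results.append(handler(src, dst, amount))

    threads = [threading.Thread(target=worker) for _ in range(n_requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results)


def run_demo(n_requests=50, amount=90):
    """Replay the CTF scenario (two $100 accounts, $90 transfers) against both
    handlers; returns {name: (accepted, sender_balance, receiver_balance)}."""
    outcome = {}
    for name in ("vulnerable", "fixed"):
        bank = Bank({"4621": 100, "6282": 100})
        handler = getattr(bank, "transfer_" + name)
        accepted = race(handler, "4621", "6282", amount, n_requests)
        outcome[name] = (accepted, bank.balances["4621"], bank.balances["6282"])
    return outcome


if __name__ == "__main__":
    for name, (accepted, sender, receiver) in run_demo().items():
        print(f"{name:10s} accepted={accepted:2d} sender={sender:6d} receiver={receiver:6d}")
```

Against the vulnerable handler every one of the 50 transfers is accepted: the sender is driven far below zero and the receiver ends up with $100 plus 50 credits of $89, which is exactly the shape of the CTF result (the receiver's balance jumps well past what the sender ever held). Against the fixed handler only the first $90 transfer succeeds and the other 49 get ``False``, because the lock forces each request to see the balance left by the previous one. Sequential sends, which the first two Repeater options perform, behave like the fixed handler even against the vulnerable server, which is why they only ever produced a small gain.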