Straightforward

We landed on a clean little game portal hosted at:

And it sweetly encouraged us to Create Account. So we did what any good player does: we made an account and got redirected to a dashboard showing our current balance ($1000) with options to:

· Collect Daily Bonus

· Redeem Secret Reward ($3000)

· Logout

Very chill. Until we saw the flag price.

We assumed there might be something juicy to find with Burp Suite, so we intercepted a few requests.

When we clicked on the "Redeem" button, the server told us we didn't have enough funds.

Then we checked /dashboard?username=black and noticed something weird: the server just renders whatever username you throw in the URL. But even with Burp Repeater, the balance didn’t show up clearly in the response, which was a little annoying.

So we turned to the source code (app.py).

Here’s the important part of the vulnerability from app.py:

Looks safe? Not quite. Here's the catch:

· It checks the redemptions table for whether you've claimed your bonus before.

· But… this isn't atomic (aka not thread-safe).

· Between the check and the insert/update, there's a tiny window: a classic time-of-check/time-of-use (“race condition”) gap.

So, if you spam /claim fast enough, some of those requests will slip past before the claimed flag is set.
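The check-then-act gap described above, as an added example (not the challenge's app.py, which is not reproduced here): a minimal SQLite claim handler with the race, next to a hardened version that lets the database do the check-and-mark in one atomic statement. Table and column names, the bonus amount and the starting balance are assumptions; the barrier only widens the window so the race reproduces deterministically.

```python
import os, sqlite3, tempfile, threading
from concurrent.futures import ThreadPoolExecutor

BONUS, START = 1000, 1000   # constructed values; the challenge's bonus size is not shown

def make_db(unique_redemptions):
    """Throwaway SQLite DB with one user. The schema is an assumption about app.py."""
    fd, path = tempfile.mkstemp(suffix=".db"); os.close(fd)
    con = sqlite3.connect(path)
    con.executescript(f"""
        CREATE TABLE users (username TEXT PRIMARY KEY, balance INTEGER NOT NULL);
        CREATE TABLE redemptions (username TEXT {'UNIQUE' if unique_redemptions else ''});
        INSERT INTO users VALUES ('black', {START});""")
    con.commit(); con.close()
    return path

def claim_vulnerable(path, user, gate=None):
    """Check-then-act: the SELECT and the INSERT are separate statements, so
    concurrent requests can all see 'not claimed' before any of them writes."""
    con = sqlite3.connect(path, timeout=10)
    try:
        if con.execute("SELECT 1 FROM redemptions WHERE username=?", (user,)).fetchone():
            return False
        if gate: gate.wait(10)   # park every request inside the check/write window
        con.execute("INSERT INTO redemptions VALUES (?)", (user,))
        con.execute("UPDATE users SET balance = balance + ? WHERE username=?", (BONUS, user))
        con.commit()
        return True
    finally:
        con.close()

def claim_hardened(path, user, gate=None):
    """UNIQUE column + INSERT OR IGNORE: check and mark happen in one statement,
    and the balance only moves when the row was actually inserted."""
    con = sqlite3.connect(path, timeout=10)
    try:
        if gate: gate.wait(10)
        cur = con.execute("INSERT OR IGNORE INTO redemptions VALUES (?)", (user,))
        if cur.rowcount == 0:    # already claimed: nothing inserted, nothing paid
            con.rollback()
            return False
        con.execute("UPDATE users SET balance = balance + ? WHERE username=?", (BONUS, user))
        con.commit()
        return True
    finally:
        con.close()

def spam_claims(claim, path, user, n=5):
    """Fire n simultaneous claims (the console one-liner's job); return (paid, balance)."""
    gate = threading.Barrier(n)
    with ThreadPoolExecutor(max_workers=n) as pool:
        paid = sum(pool.map(lambda _: claim(path, user, gate), range(n)))
    con = sqlite3.connect(path)
    balance = con.execute("SELECT balance FROM users WHERE username=?", (user,)).fetchone()[0]
    con.close(); os.remove(path)
    return paid, balance
```

Five concurrent claims through the vulnerable path take the constructed $1000 balance to $6000, while the hardened path pays out exactly once.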

We opened the browser console and dropped this spicy one-liner:

The browser starts hammering the /claim endpoint like it's trying to speedrun a daily login streak.

Then we added:

And boom, magic. Except… it didn’t work right away huhuhu.

After triggering the script, the balance didn’t change, until we realized:

The app caches session stuff, and the page doesn’t reflect backend updates until after relogging.

So, we logged out, created a fresh account, and repeated the attack.

This time, the balance jumped straight to $6000, well over the $3000 reward threshold.

We confidently clicked “Redeem Secret Reward ($3000)” and were redirected to:

/buy_flag

Flag: UMCS{th3_s0lut10n_1s_pr3tty_str41ghtf0rw4rd_too!}
