Faster Shop WeCTF 2020 Write-ups

This is my first time writing up CTF challenges in English.
I must say that I’m not good at English, so the grammar may be wrong. Please forgive me.

Introduction

I had the opportunity to participate in the competition, which was open for everyone to participate in (announced via ctftime.org), but I did not solve Faster Shop in time, so I downloaded the source code from https://github.com/shouc/wectf-2020

Run Challenges Locally

Landing Page

We try to log in through the SQL injection vulnerability with the payload 1'or'1'='1, and we get the Faster Shop homepage and 20 bucks.
Unfortunately, our bucks are not enough to buy “Fancy Flag”.

Solution
We use Burp to look at the request sent when we click to buy the item.

We see that no parameter is sent: the request just names the item id, and the debit is done on the server through token checking.
  • We try to trade many times until we know that it is a race condition.
    For example, say that two concurrent threads of execution each try to increase the value of a global variable by 1. Ideally the global variable ends up with the value 2, but if both threads read the old value before either one writes its result back, it ends up with the value 1. (The example is taken from the Wikipedia page: https://en.wikipedia.org/wiki/Race_condition)
  • So we use Burp Intruder to place multiple orders for
    🥗 Alpaca Salad 20 bucks
    with these settings:
      • Clear the payload positions.
      • Set the payload to “Null payload”.
      • Set “Number of threads = 999”, check the box “Use denial-of-service mode”, leave “Make unmodified baseline request” unchecked, then click “Start Attack”.

Wow! We can buy 3 Alpaca Salads (20 bucks each) for 20 bucks, and when we sell the 3 Alpaca Salads we get 60 bucks for free.
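The race described above, modelled as an added example (not code from the challenge or from this write-up): a check-then-debit purchase handler next to a version that checks and debits under one lock. The Shop class, its method names and the pause hook are assumptions made for illustration.

```python
import threading

PRICE = 20  # price of the Alpaca Salad in the write-up

class Shop:
    def __init__(self, balance):
        self.balance = balance
        self.items = []  # list.append is atomic, so the item count is reliable
        self.lock = threading.Lock()

    def buy_vulnerable(self, pause):
        # Check-then-act: balance is read, checked and written in separate steps.
        seen = self.balance
        if seen < PRICE:
            return False
        pause()  # stands in for the latency between the check and the write
        self.balance = seen - PRICE
        self.items.append("Alpaca Salad")
        return True

    def buy_safe(self, pause):
        # Check and debit in one critical section (in SQL: one conditional UPDATE).
        with self.lock:
            if self.balance < PRICE:
                return False
            pause()
            self.balance -= PRICE
            self.items.append("Alpaca Salad")
            return True

def run_concurrent(method_name, requests=3, start_balance=20):
    """Fire `requests` simultaneous buys; return (items bought, final balance)."""
    shop = Shop(start_balance)
    barrier = threading.Barrier(requests)

    def pause():
        # Line the requests up inside the race window; time out so the locked
        # version, where only one thread reaches this point, still proceeds.
        try:
            barrier.wait(timeout=0.5)
        except threading.BrokenBarrierError:
            pass

    threads = [threading.Thread(target=getattr(shop, method_name), args=(pause,))
               for _ in range(requests)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(shop.items), shop.balance
```

With a starting balance of 20, run_concurrent("buy_vulnerable") returns three items for a single debit, while run_concurrent("buy_safe") lets exactly one purchase through.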

Finally, we can buy 🚩 Fancy Flag, and the flag shows when you click sell again.

Well, the flag is we{00000000-0000-0000-0000-000000000000@demo-flag}

RPCA Cyber Club {ctf times}