There are three challenges, all of them vulnerable to race conditions. You can try to exploit the race condition weaknesses with tools such as Raceocat.
RACE_WINDOW is 50 ms.
For this testing environment an artificial race window might be required, because this application is created with a small sample data set. By increasing the RACE_WINDOW value you can simulate a slow web server or a poorly performing database and increase your chances. You can change or disable it by adding ?race_window=0 (value in microseconds) as a query parameter.
You can only withdraw as much money as keeps your bank account from going negative. Your bank account cannot be overdrawn.
View bank account balance of accountID 1
View bank account balance of accountID 2
Action: Withdraw 500€ from accountID 1
You are only allowed to like a postingID once, similar to a Facebook post or a Twitter feed.
View all the likes of postingID 1
Action: Like postingID 1 with userID 5
To slow down brute-force attacks, you are only allowed to log in 5 times per 5 minutes.
View login log for [email protected]
Action: Try to login using 0022 as 2FA code
Action: Try to login using 0012 as 2FA code
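All three challenges share one root cause: the application reads state (balance, existing like, login count), decides, and then writes, with a window between the read and the write. The following is an added example, not the lab's own PHP/MariaDB code, and it models each challenge in Python so that the effect of the window and of the fix can be observed locally. The `RACE_WINDOW` value mirrors the lab's 50 ms default; the account, table and e-mail address are constructed for the example, and the SQL in the comment is the MariaDB shape of the atomic fix, not a statement from the lab.

```python
import sqlite3
import threading
import time

# Mirrors the lab's default RACE_WINDOW (50 ms); constructed constant for this example.
RACE_WINDOW = 0.05


class Account:
    """Challenge 1: the balance must never go negative."""

    def __init__(self, balance):
        self.balance = balance
        self._lock = threading.Lock()

    def withdraw_racy(self, amount, race_window=RACE_WINDOW):
        # Check-then-act without synchronisation: every request that reads the
        # balance before the first write lands passes the check.
        if self.balance >= amount:
            time.sleep(race_window)  # stands in for a slow web server / database
            self.balance -= amount
            return True
        return False

    def withdraw_atomic(self, amount, race_window=RACE_WINDOW):
        # Check and update in one critical section. In SQL the equivalent is one
        # conditional statement whose affected-row count is the decision:
        #   UPDATE accounts SET balance = balance - ? WHERE id = ? AND balance >= ?
        with self._lock:
            if self.balance >= amount:
                time.sleep(race_window)
                self.balance -= amount
                return True
            return False


def run_parallel_withdrawals(account, atomic, amount, clients):
    """Fire `clients` concurrent withdrawals; return (successes, final balance)."""
    method = account.withdraw_atomic if atomic else account.withdraw_racy
    results = []
    threads = [threading.Thread(target=lambda: results.append(method(amount)))
               for _ in range(clients)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(results), account.balance


def new_likes_db():
    """Challenge 2: a UNIQUE constraint makes 'one like per user per posting' a
    database invariant instead of an application-level SELECT-then-INSERT."""
    conn = sqlite3.connect(":memory:")  # constructed schema for the example
    conn.execute("CREATE TABLE likes (posting_id INTEGER, user_id INTEGER,"
                 " UNIQUE (posting_id, user_id))")
    return conn


def like_once(conn, posting_id, user_id):
    """True if the like was recorded, False if this user already liked the posting."""
    try:
        with conn:
            conn.execute("INSERT INTO likes (posting_id, user_id) VALUES (?, ?)",
                         (posting_id, user_id))
        return True
    except sqlite3.IntegrityError:
        return False


def like_count(conn, posting_id):
    return conn.execute("SELECT COUNT(*) FROM likes WHERE posting_id = ?",
                        (posting_id,)).fetchone()[0]


class LoginRateLimiter:
    """Challenge 3: count-and-record under one lock, so two requests cannot both
    observe 4 attempts and both be admitted as the fifth."""

    def __init__(self, limit=5, window=300):
        self.limit, self.window = limit, window
        self._attempts = {}
        self._lock = threading.Lock()

    def allow(self, email, now=None):
        now = time.time() if now is None else now
        with self._lock:
            recent = [t for t in self._attempts.get(email, []) if now - t < self.window]
            if len(recent) >= self.limit:
                return False
            recent.append(now)
            self._attempts[email] = recent
            return True


if __name__ == "__main__":
    print("racy:  ", run_parallel_withdrawals(Account(500), False, 500, 10))
    print("atomic:", run_parallel_withdrawals(Account(500), True, 500, 10))
```

Running the script shows the racy account admitting several 500€ withdrawals from a 500€ balance while the atomic variant admits exactly one; the same contrast applies to the like table and the login counter when their check and write are not performed as a single unit.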
PHP version: 8.3.17
MySQL version: 10.6.18-MariaDB-0ubuntu0.22.04.1