https://tryhackme.com/room/race-conditions-aoc2025-d7f0g3h6j9
Created by: tryhackme, 1337rce


This room looks like it’ll be fun, and we get to use one of my favorite tools: Burp Suite! THM covers how to set up FoxyProxy in Firefox along with the Burp Suite software. THM did not highlight this, but the best way to make sure FoxyProxy is running is to check that, once it’s configured correctly, it looks like:

Per THM’s Echo: “Burp Suite is a popular web application security testing tool used for performing security assessments and vulnerability scanning of web applications. It acts as a proxy server, allowing users to intercept and modify HTTP requests between their browser and the web application. Burp Suite includes various tools such as a scanner, intruder, repeater, and decoder, making it suitable for tasks like testing for vulnerabilities, analyzing traffic, and exploiting weaknesses in web applications.”
Once Burp Suite is configured correctly, we navigate to the web app.

We check out an order and then head back to Burp Suite to use the Repeater tool.

Once in the Repeater tab, THM has us customize our tab and do something I’ve not done before: duplicate the created tab. It seems like a lot, but if you follow along with the instructions, you are good to go!

After we send our requests to the server, return to the website and refresh to obtain our first flag.
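Why the duplicated Repeater requests have an effect, seen from the server side in an added example (not code from the room or from THM). It assumes the checkout handler checks stock and then decrements it as two separate steps; the `Shop` class, the `fire_parallel` helper and the stock numbers are constructed for illustration.

```python
import threading

class Shop:
    """Constructed stand-in for a checkout backend (hypothetical, not the room's code)."""

    def __init__(self, stock, racy):
        self.stock = stock
        self.racy = racy
        self.lock = threading.Lock()  # plays the role of a DB row lock

    def process_checkout(self, gate):
        if self.racy:
            # Vulnerable: the check and the update are two separate steps.
            in_stock = self.stock > 0      # step 1: read stock
            gate.wait()                    # every request passes the check first
            if not in_stock:
                return "sold out"
            with self.lock:                # step 2: each write is atomic on its own
                self.stock -= 1
            return "paid"
        # Hardened: the check and the update form one atomic unit.
        gate.wait()                        # requests still arrive together
        with self.lock:
            if self.stock <= 0:
                return "sold out"
            self.stock -= 1
        return "paid"

def fire_parallel(shop, n=5):
    """Send n identical checkout requests at once; return (orders paid, stock left)."""
    gate = threading.Barrier(n)            # lines the requests up
    results = []
    threads = [
        threading.Thread(target=lambda: results.append(shop.process_checkout(gate)))
        for _ in range(n)
    ]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results.count("paid"), shop.stock

if __name__ == "__main__":
    print("racy:    ", fire_parallel(Shop(stock=1, racy=True)))
    print("hardened:", fire_parallel(Shop(stock=1, racy=False)))
```

With one item in stock, the racy handler accepts all five orders and drives stock negative, while the hardened handler accepts exactly one.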


Now we need to repeat the steps for the Bunny Plush!

Once you click Confirm & Pay and go back to the Burp Suite Proxy, you can have the new process_checkout request we are looking for filter to the top, so there is no need to scroll looking for it, since it’s the most recent action.

When I got into the Repeater tab, to avoid confusion, I removed the previous tabs since those were no longer needed. There is an option to Right-click > Remove all tabs. I then created a new tab called New_Purchase and followed the previous steps to make duplicate tabs.

After you send the request to the web server, return to the web app page and refresh to obtain the second and final flag. I enjoyed that we were tasked with obtaining the second flag on our own to build our Burp Suite skills.

“Feel free to check out the Race Conditions room if you enjoyed this task.”