We got a currency exchange system that we needed to exploit to “buy” the flag.

To get some initial money we used an unused session id and requested a page with

code=giveMeGold

in the URL which sets our initial funds for every currency to 30.

Then we exploited the issue using simple HEAD requests. We exchanged the amount of 30 (most we can have in the beginning) with something else a few times, e.g. RON to USD:

curl 'http://108.61.171.94/web100/currency.php?from=RON&to=USD&amount=30' -H "Cookie: PHPSESSID=${SID}" -X HEAD -H "Connection: close"

The currency.php sourcecode will fill our USD (after the exchange) but, thanks to HEAD, will stop before processing the substraction of RON. After a few requests we have enough USD to buy our flag ;-)

curl 'http://108.61.171.94/web100/store.php' -H "Cookie: PHPSESSID=${SID}" --data 'flag=USD'