TryHackMe Race Conditions Walkthrough | Multi-Threading, TOCTOU & Exploitation Guide

calender-iconPublished: 7 Jan 2026

clock-icon5-min read

printer-icon whatsapp-icon share-icon



Table of Contents

Task 1: Introduction

I know all the prerequisites. Let the race begin!
Simply click check



Task 2: Multi-Threading

Q1. You downloaded an instruction booklet on how to make an origami crane. What would this instruction booklet resemble in computer terms?
A. Program

Q2. What is the name of the state where a process is waiting for an I/O event?
A2. Waiting

Explanation
Program

A program is just a file that contains instructions for the computer. It is not running yet.

๐Ÿ‘‰ Example: A game installed on your computer.

Process

A process is a program that is currently running.

๐Ÿ‘‰ Example: When you open the game and start playing, it becomes a process.

Thread

A thread is a small task inside a running program (process).

๐Ÿ‘‰ Example in a game:

  • One thread handles graphics
  • One thread handles sound
  • One thread handles user input
Process States
  1. New โ€“ The process is being created.
  2. Ready โ€“ Waiting for CPU.
  3. Running โ€“ Currently using the CPU.
  4. Waiting (Blocked) โ€“ Waiting for input, file, or network.
  5. Terminated โ€“ Execution finished.


Task 3: Race Conditions

Q1. Does the presented Python script guarantee which thread will reach 100% first?
A1. Nay

Q2. In the second execution of the Python script, what is the name of the thread that reached 100% first?
A2. thread-2

Explanation

A race condition happens when two or more processes/threads try to use or change the same data at the same time, and the final result depends on who finishes first (TOCTOU โ€“ Time Of Check To Time Of Use).

๐Ÿ‘‰ Example:

  • Account balance = โ‚น1000
  • Attacker sends 2 withdrawal requests of โ‚น1000 simultaneously
  • Both requests check balance before it updates
  • โ‚น2000 withdrawn instead of โ‚น1000


Task 4: Web Application Architecture

Q1. Original state diagram states?
A. 2 (Amount not sent, Amount sent)

Q2. Updated state diagram states?
A2. 3 (Amount not sent, Amount sent, Checking account balance and limits)

Q3. Final coupon validation diagram states?
A3. 5 (Coupon not applied, Coupon applied, Checking coupon validity, Checking coupon constraints, Recalculating total)



Task 5: Exploiting Race Conditions

Q. You need to get either of the accounts to get more than $100 of credit to get the flag. What is the flag that you obtained?
A. THM{PHONE-RACE}

Process
  • Open Burp Suite โ†’ Proxy โ†’ Open browser
  • Start with 07113371111 account and transfer 9$ to 07799991337. Now login to 07799991337 and make sure it has more than 10$. Transfer 5$ to 07113371111.
  • In Proxy tab of burpsuite under HTTP history, you will see this as POST request. Send this to repeater.
  • Click the + icon next to the Received Request tab and choose Create Tab Group. Give the group a name, add the request tab you just sent to the importer, and then click Create.
  • Right-click on the request tab and select Duplicate Tab. duplicate the tab 20 times.
  • Make sure 07799991337 now has 5$. Now click on send group in parallel.
  • Login to 07113371111 and you will get the flag


Task 6: Detection and Mitigation

Only click check



Task 7: Challenge Web App

Q. What flag did you obtain after getting an accountโ€™s balance above $1000?
A. THM{BANK-RED-FLAG}

  • Capture request of $100
  • Send to Repeater
  • Create group
  • Duplicate request 10 times
  • Send group in parallel