
Want to run this Docker container locally?
docker run -d -p 9099:80 --restart always --name neg_eq joshbeck2024/ctf_negative_equity
Short Summary
Submit a negative balance as the transfer amount. There is no check for this in the code.
Exploit:
- The server does not check whether the user enters a negative balance as the transfer amount.
- Instead of subtracting funds from the source account, the transfer adds funds to it.
- Create 2 accounts. I have one open in each tab as seen below
- Tab 1 is the user beck
- Tab 2 is the user beck2
- Submit a negative balance to get the flag
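
The missing check described above, as an added example that is not the challenge's own code: a transfer routine that trusts the amount, beside a version that validates it before touching any balance. The function names, the in-memory account store and the integer amounts are assumptions made for illustration.

```python
# Added illustration; not the challenge's source. Names and data are constructed.

class TransferError(ValueError):
    """Raised when a transfer request is rejected."""


def transfer_unchecked(balances, src, dst, amount):
    # Mirrors the flaw: the amount is used as-is, so a negative value
    # turns the debit on src into a credit.
    balances[src] -= amount
    balances[dst] += amount


def transfer_checked(balances, src, dst, amount):
    # Validate every input first; balances change only if all checks pass.
    if isinstance(amount, bool) or not isinstance(amount, int):
        raise TransferError("amount must be an integer")
    if amount <= 0:
        raise TransferError("amount must be positive")
    if src == dst:
        raise TransferError("source and destination must differ")
    if src not in balances or dst not in balances:
        raise TransferError("unknown account")
    if balances[src] < amount:
        raise TransferError("insufficient funds")
    balances[src] -= amount
    balances[dst] += amount


def demo():
    # Constructed sample accounts, named after the two users in the write-up.
    start = {"beck": 100, "beck2": 100}
    flawed = dict(start)
    transfer_unchecked(flawed, "beck", "beck2", -500)
    hardened = dict(start)
    try:
        transfer_checked(hardened, "beck", "beck2", -500)
        rejected = False
    except TransferError:
        rejected = True
    return flawed, hardened, rejected


if __name__ == "__main__":
    print(demo())
```

The same validation belongs on the server side of the transfer endpoint, since a client-side check alone can be bypassed by editing the request.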
