2FA Broken Logic
Task
This lab’s two-factor authentication is vulnerable due to its flawed logic. To solve the lab, access Carlos’s account page.
- Your credentials: wiener:peter
- Victim's username: carlos
You also have access to the email server to receive your 2FA verification code.
Attempt
First log in as wiener:peter. Pass the 2FA using the code you got via email.
The POST request that submits the 2FA code carries Cookie: verify=wiener; session=BSHMC8VICpQ5EPuR4NuMvrNeauC6yaYV. The server apparently uses the verify cookie, not the session, to decide whose code is being checked, so I simply changed wiener to carlos and sent the request. (Before doing this you also need to change wiener to carlos in the GET request for the 2FA page; that request is what generates and emails a 2FA code for carlos.)
Of course the code I submitted was wrong: it was the one emailed to wiener, and carlos's code never reaches me. So I brute-forced the code. Since it is only 4 digits (10,000 possibilities), it should be easy to crack if there isn't any rate limit.
Generate all 4-digit numbers and copy them to the clipboard, to paste in as the payload list:
seq -w 0 9999 | xclip -selection clipboard
Don't forget the -w option: it pads every number with leading zeros to the same width, so you get 0000, 0001, ... rather than 0, 1, ...
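To make the two halves of the attack concrete (the cookie swap that makes the server verify carlos's code against my session, and the 4-digit brute force that only works because nothing limits guesses), here is an added Python model of the two-step login. It is not the lab's code and not from the original post; the class and method names (LoginServer, post_login, get_login2, post_login2, outbox, max_attempts) and the placeholder password for carlos are my own assumptions. The vulnerable variant takes the identity from the client-supplied verify cookie; the hardened variant takes it from server-side session state and locks the session after a few wrong codes.

```python
# Added example, not the lab's code: an in-memory model of the broken two-step
# login and a hardened version. All names here are assumptions of this example.
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class User:
    password: str
    mfa_code: Optional[str] = None   # pending 4-digit code (None = none outstanding)


@dataclass
class Session:
    password_ok_for: str             # who passed step 1 with this session cookie
    authenticated_as: Optional[str] = None
    failed_2fa: int = 0


class LoginServer:
    def __init__(self, hardened: bool, max_attempts: int = 5):
        self.hardened = hardened
        self.max_attempts = max_attempts
        # Constructed users; carlos's password is a placeholder and never used.
        self.users: Dict[str, User] = {"wiener": User("peter"), "carlos": User("<unknown>")}
        self.sessions: Dict[str, Session] = {}
        self.outbox: List[Tuple[str, str]] = []   # (recipient, code): stands in for email

    def post_login(self, username: str, password: str) -> Optional[Dict[str, str]]:
        """Step 1 (the POST to /login). Returns the cookies the server sets, or None."""
        user = self.users.get(username)
        if user is None or not secrets.compare_digest(user.password, password):
            return None
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(password_ok_for=username)
        return {"session": sid, "verify": username}

    def _identity(self, cookies: Dict[str, str]) -> Optional[str]:
        """Whose 2FA code is step 2 about? This is the broken decision."""
        sess = self.sessions.get(cookies.get("session", ""))
        if sess is None:
            return None
        if self.hardened:
            return sess.password_ok_for      # server-side state; client cannot change it
        return cookies.get("verify")         # FLAW: trusts a client-controlled cookie

    def get_login2(self, cookies: Dict[str, str]) -> bool:
        """Step 2 page (the GET): generate and 'email' a fresh code for the identity."""
        who = self._identity(cookies)
        if who not in self.users:
            return False
        code = f"{secrets.randbelow(10_000):04d}"
        self.users[who].mfa_code = code
        self.outbox.append((who, code))
        return True

    def post_login2(self, cookies: Dict[str, str], mfa_code: str) -> bool:
        """Step 2 submit (the POST): check the code against the identity's pending code."""
        sess = self.sessions.get(cookies.get("session", ""))
        who = self._identity(cookies)
        if sess is None or who not in self.users:
            return False
        if self.hardened and sess.failed_2fa >= self.max_attempts:
            return False                     # locked: no further guesses accepted
        pending = self.users[who].mfa_code
        if pending is not None and secrets.compare_digest(pending, mfa_code):
            self.users[who].mfa_code = None  # single use
            sess.authenticated_as = who
            return True
        sess.failed_2fa += 1
        return False

    def whoami(self, cookies: Dict[str, str]) -> Optional[str]:
        sess = self.sessions.get(cookies.get("session", ""))
        return sess.authenticated_as if sess else None


def brute_force_2fa(server: LoginServer, cookies: Dict[str, str]) -> Optional[str]:
    """Same guess space as `seq -w 0 9999`; returns the accepted code or None."""
    for i in range(10_000):
        code = f"{i:04d}"
        if server.post_login2(cookies, code):
            return code
    return None


def attack(server: LoginServer) -> Tuple[Optional[str], Optional[str], str]:
    """The write-up's steps: log in as wiener, set verify=carlos, fetch the 2FA page, brute-force.
    Returns (accepted code, who the session ended up logged in as, who the code was emailed to)."""
    cookies = server.post_login("wiener", "peter")
    cookies["verify"] = "carlos"
    server.get_login2(cookies)
    code = brute_force_2fa(server, cookies)
    return code, server.whoami(cookies), server.outbox[-1][0]


if __name__ == "__main__":
    print("vulnerable:", attack(LoginServer(hardened=False)))
    print("hardened:  ", attack(LoginServer(hardened=True)))
```

Against the vulnerable server the attack ends with the session logged in as carlos, and the code was emailed to carlos, exactly the situation in the lab. Against the hardened server the verify cookie is ignored, so the code goes to wiener and the brute force is cut off by the lockout after max_attempts wrong guesses; even if a guess landed inside that window it could only log the session in as wiener, the user who actually passed step 1. Both fixes matter: binding step 2 to the server-side session removes the logic flaw, and the attempt limit (or a single-use, short-lived code) is what makes a 4-digit space survivable.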
Thoughts
Sometimes brute-forcing a 2FA code even works on a major website. Take a look at this vulnerability in Instagram: though they had rate limiting in place, it could be bypassed with IP rotation and by abusing a race condition.