The Burp Suite User Forum was discontinued on the 1st November 2024.

Burp Suite User Forum

2FA broken logic - lab solution using community edition

hellohi | Last updated: Aug 12, 2024 09:09AM UTC

Hello, I am stuck on the lab using the community edition Burp Suite software. I understand that we can separate the character sets to brute-force the MFA code since the attacks are time throttled on the community edition, but what would this look like? I feel like I would have to manually type out almost 100 combinations alone to split the attack into multiple attacks, since doing 10,000 possibilities on the community edition is not feasible as the lab will expire. Any assistance would be welcome please.

Ben, PortSwigger Agent | Last updated: Aug 12, 2024 05:03PM UTC

Hi, the MFA code should always be in the lower range of numbers for this particular lab so, although it is possibly slightly painful having to use the throttled version of Intruder and leave this running for a period of time, this lab should be solvable using the written solution without having to split the attack into smaller subsets. Have you attempted the lab using the written solution?

hellohi | Last updated: Aug 12, 2024 07:03PM UTC

Thank you for your response. I have attempted the lab using the written solution; it's just that at 10,000 possibilities I feel like the attack will be running for many hours, as I remember a previous exercise ran for over 1 hour before I searched and found I could split the attack into smaller subsets. My only concern is that the lab will expire by the time the attack is finished, but I will try the lab again. Thanks again.

hellohi | Last updated: Aug 12, 2024 08:52PM UTC

The attack expired I am afraid so I cannot complete the lab.

Ben, PortSwigger Agent | Last updated: Aug 13, 2024 12:43PM UTC

Hi, I think trying to solve this lab in Community is really down to luck of the draw somewhat - I did test this last night and was able to solve the lab fairly quickly (by virtue of receiving an MFA code at the very low end of the number range). Other times I have had to leave the attack running for a period of time whilst manually refreshing the home page in the browser to ensure the lab does not prematurely expire.
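The thread above turns on two facts about this lab: a 4-digit MFA code has only 10,000 possible values, and the server never limits how many verification attempts one session may make, so a sequential Intruder run reaches the code after (code + 1) requests, which is why a low code is found "fairly quickly" and a high one takes hours. The toy verifier below is an added example, not PortSwigger's lab code or anything from this thread; the class and function names, and the 3-attempt limit, are assumptions chosen for illustration. It models the unthrottled endpoint beside a hardened one that invalidates the session after a few wrong guesses, and shows what sequential enumeration of the whole code space yields against each.

```python
"""Toy model of an MFA-code verification step (added example, not lab code).

Shows why a 4-digit code space (10,000 values) is only safe when the server
bounds the number of verification attempts per login session.
"""
import hmac
import secrets
from typing import Optional, Tuple

CODE_SPACE = 10_000  # 4-digit numeric code: "0000" .. "9999"


class MfaVerifier:
    """Verifies the MFA code for one login session.

    max_attempts=None models the broken logic: unlimited guesses per session.
    A small max_attempts models the fix: after that many wrong codes the
    session is locked and the user must start the login over.
    (Hypothetical class written for this example.)
    """

    def __init__(self, code: str, max_attempts: Optional[int] = None):
        self._code = code
        self._max_attempts = max_attempts
        self.attempts = 0
        self.locked = False

    def verify(self, guess: str) -> bool:
        if self.locked:
            return False  # locked sessions reject everything, even the right code
        self.attempts += 1
        # constant-time comparison so response timing leaks nothing about the digits
        ok = hmac.compare_digest(self._code, guess)
        if not ok and self._max_attempts is not None and self.attempts >= self._max_attempts:
            self.locked = True
        return ok


def enumerate_codes(verifier: MfaVerifier) -> Tuple[bool, int]:
    """Submit every 4-digit code in ascending order, as a sequential Intruder
    payload list would, and report (accepted?, guesses sent).

    Against the unthrottled verifier this always succeeds after code + 1
    guesses; against the limited verifier it stops at the lockout.
    """
    for n in range(CODE_SPACE):
        if verifier.verify(f"{n:04d}"):
            return True, verifier.attempts
        if verifier.locked:
            return False, verifier.attempts
    return False, verifier.attempts


def random_code() -> str:
    """Unbiased 4-digit code, as a real server should generate it."""
    return f"{secrets.randbelow(CODE_SPACE):04d}"


if __name__ == "__main__":
    code = random_code()
    print("code", code)
    print("unthrottled:    ", enumerate_codes(MfaVerifier(code)))
    print("3-attempt limit:", enumerate_codes(MfaVerifier(code, max_attempts=3)))
```

Running the script a few times reproduces the "luck of the draw" observation: the unthrottled verifier is always defeated, but the number of requests is exactly code + 1, so a code near 0000 falls in seconds while one near 9999 needs the full 10,000 requests. With the attempt limit in place the outcome no longer depends on the code at all; enumeration stops at the third wrong guess, and the remaining mitigation question is only how to rate-limit the login step that issues fresh sessions.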

hellohi | Last updated: Aug 13, 2024 06:56PM UTC