Burp Suite User Forum


Authentication Multi factor lab - 2FA Broken Login

Samuel | Last updated: Jul 18, 2022 10:20PM UTC

Hi, I've been trying to solve this lab for a while without success. I'm not receiving the 302 Found message for verify=Carlos. Here is the POST message I'm using:

-------------------------------------------------------------------------------------
POST /login2 HTTP/1.1
Host: 0a6b002404e831dec03abe6e000a004a.web-security-academy.net
Cookie: session=hrKvgAOC393YY32ELTnacDUCtR9NKErQ; verify=carlos
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 13
Origin: https://0a6b002404e831dec03abe6e000a004a.web-security-academy.net
Dnt: 1
Referer: https://0a6b002404e831dec03abe6e000a004a.web-security-academy.net/login2
Upgrade-Insecure-Requests: 1
Te: trailers
Connection: close

mfa-code=1001
-------------------------------------------------------------------------------------

I'm dividing the brute force for mfa-code into chunks of 100, but still all responses are 200 OK. Even trying low numbers, starting from 0000-0200, 1000-1200, it still doesn't work.

Ben, PortSwigger Agent | Last updated: Jul 19, 2022 05:31PM UTC

Hi Samuel, Just to clarify, you are referring to the lab entitled '2FA broken logic'? If so, having just run through this lab, it does appear to be working as expected. After following the steps within the solution, my Intruder attack does return a 302 response when the correct code is encountered. Are you using Burp Community when you attempt this lab (I assume this is the reason for splitting up the attack into smaller chunks in order to manage the throttling within Intruder in the Community edition)? If so, are you going through the full range of numbers starting from 0000 onwards when you split up the attack? The correct MFA code should be in the lower range of numbers but this still might mean that you need to cycle through a few thousand requests before you reach this.
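An added illustration, not code from the lab or from PortSwigger, of the two defects the '2FA broken logic' lab is built around and how a server should handle the step instead: the account being verified is read from the client-supplied `verify` cookie and nothing limits how many codes a session may submit, versus an MFA step bound to server-side session state with a small attempt limit. The account names, codes and in-memory stores are constructed for this example.

```python
import hmac
import secrets
from typing import Optional

# Constructed in-memory state standing in for the application's stores (assumption).
MFA_CODES = {"wiener": "0472", "carlos": "1337"}   # constructed sample codes
SESSIONS = {}                                        # session id -> server-side state

MAX_MFA_ATTEMPTS = 3

def start_login(username: str) -> str:
    """Password step passed: issue a session that records who is mid-MFA."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"mfa_user": username, "attempts": 0, "user": None}
    return sid

def verify_broken(sid: str, verify_cookie: str, code: str) -> Optional[str]:
    """Broken logic: the account comes from a client-controlled cookie and
    attempts are unlimited, so a valid code for any account logs that account in."""
    if sid not in SESSIONS:
        return None
    if hmac.compare_digest(MFA_CODES.get(verify_cookie, ""), code):
        SESSIONS[sid]["user"] = verify_cookie
        return verify_cookie
    return None

def verify_fixed(sid: str, code: str) -> Optional[str]:
    """Hardened logic: the account is the one recorded server-side at the password
    step, and the session is destroyed after MAX_MFA_ATTEMPTS failures."""
    state = SESSIONS.get(sid)
    if state is None or state["mfa_user"] is None:
        return None
    state["attempts"] += 1
    if hmac.compare_digest(MFA_CODES[state["mfa_user"]], code):
        state["user"] = state["mfa_user"]
        state["mfa_user"] = None          # MFA step may not be replayed
        return state["user"]
    if state["attempts"] >= MAX_MFA_ATTEMPTS:
        del SESSIONS[sid]                 # force a fresh password login
    return None
```

Detection follows from the fixed version: a session that repeatedly fails the MFA step, or a `verify` value that differs from the account that passed the password step, is the signal to alert on.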
