by 
2FA Broken Logic
Goal: The lab’s two factor authentication is vulnerable due to its flawed logic. To solve the lab, access Carlos’s acount page.
The following credentials were provided: wiener:peter
With this lab- I began by investigating the 2 Factor Authentication process. In the POST /login2 request the verify parameter is set by the username.
after reading flawed 2FA verification logic by PortSwigger- I noticed this lab was similar:
Sometimes flawed logic in two-factor authentication means that after a user has completed the initial login step, the website doesn’t adequately verify that the same user is completing the second step.
As a result. I noticed that the same /login2 request is sent for MFA and aligned this with PortSwigger’s notes:
This is extremely dangerous if the attacker is then able to brute-force the verification code as it would allow them to log in to arbitrary users’ accounts based entirely on their username
So as a result- I sent the /login2 request to repeater and changed the verify parameter username value to carlos and sent the request to generate a MFA code for Carlos.
I then logged into my wiener:peter account and when prompted for an MFA code I submitted an invalid code and sent the request to burpsuite.
From here, I was able to set the MFA code as a an $argument$ and bruteforce it using intruder accordingly after setting the erify parameter to carlos. I noticed when the 302 response popped up, I was able to go to the account page for carlos and solve the lab.
2FA Simple Bypass
Goal: You have obtained a valid username and password but you do not have access to the user’s 2FA Verification code. To solve this lab access Carlos’s account page.
(1) I first started off by successfully logging into the account provided.
As a result- it asked me to enter my 4 digit security code. I saw at the top there was an email client that gave me a security code and email address associated with it. I tried to use the security code with the account and observed that after successfully entering it in- you are redirected to the /my-account page.
As a result, I simply changed the header to /my-account when prompted for a mfa code and found it to be successful.
Brute-forcing a stay-logged-in cookie
Goal: Brute force a stay logged in cookie.
1.) My first step in this lab is to observe the log in process after selecting the stay-logged in checkbox.
I entered in my credentials (wiener:peter) to begin the lab. As a result, the request contained a stay-logged-in cookie
with an interesting encoding scheme. Using burpsuite, I decoded it and found the following:
wiener:51dc30ddc473d43a6011e9ebba6ca770
Due to the fact that my username is wiener, I deduced that the second parameter would be a password in some kind of format.
I put it in cyberchef md5 hash decoder and found that the password was indeed- peter.
Username Enumeration via Account Lock
Goal: This lab is vulnerable to username enumeration. It uses account locking but it contains a logic flaw so to solve this lab, enumerate a valid username and bruteforce the user’s password then access their account.
(1). My first step is to determine the behavior of the application. I took a username from the list with a password and intentionally entered it in so it would be incorrect.
For this, I then went with Cluster Bomb and set the payload 1 equal to my user list and payload 2 equal to a null string (generate 5 payloads) after setting the username position to all of the candidate usernames provided by PortSwigger and the password list.
You can also do as the second payload password=”pw”&count:
Numbers From 1-5
what it basically does is it checks username 3-4 attempts and if it is a valid username it will get locked.
(2) Evaluate the responses:
From the responses one can deduce that the correct username is arcsight because the response length is longer- and if you analyze the response- you will see that the account was locked out after too many incorrect login attempts.
(3) I then went to Sniper and set the password as the position and ran the list of passwords provided by PortSwigger.
The only one I found to be of different length than the others is shadow.
So I then attempted to login as arcsight:shadow and I was successful.
