On this page
apsyleg1 min read
#portswigger #authentication #web-security

2FA Simple Bypass

Lab

2FA simple bypass · Apprentice

Solution

Given

This lab's two-factor authentication can be bypassed. You have already obtained a valid username and password, but do not have access to the user's 2FA verification code. To solve the lab, access Carlos's account page.

Your credentials: wiener:peter
Victim's credentials: carlos:montoya

Analyzing the task

We have a site with a vulnerable 2FA. We've been given creds, we need to bypass 2FA. Judging by the title — the protection bypasses easily, and we'll be able to skip the verification step.

Recon

We go in and log in as wiener / peter. We land on the /login2 page. We're asked to enter a code from email. We enter it. Then a redirect to:

https://0ae4007204d3adac80a45d900033006c.web-security-academy.net/my-account?id=wiener

Let's try to skip this check for carlos by replacing the user id. After logging in, we don't try to enter the code and instead go straight to:

https://0ae4007204d3adac80a45d900033006c.web-security-academy.net/my-account?id=carlos

Lab solved.

More in this category

Web Shell Upload via Extension Blacklist Bypass (PortSwigger Lab)

.php is blacklisted, but .htaccess uploads without complaint — we slip our own Apache config in and make the server execute shell.bug as PHP.

Web Shell Upload via Obfuscated File Extension (PortSwigger Lab)

Extension blacklist rejects .php and a double-extension shell.php.jpg is served as an image — a null byte in shell.php%00.jpg bypasses both checks.

Remote Code Execution via Web Shell Upload (PortSwigger Lab)

Avatar upload has no validation — drop a PHP web shell and read /home/carlos/secret.