Lab: 2FA broken logic

Yikai
4 min read · Oct 30, 2020

Let’s start the lab. Log in with the given credentials, with the Burp proxy turned on.

Remember to click Forward to pass the request on to the server. In your mailbox, you should receive an OTP for the user wiener.

Let’s try logging in once with the OTP given.

You will be successfully redirected to your account.

Send the GET /login2 request to Repeater. This is the request that generates an OTP for you. You can find it under Proxy > HTTP history.

Next, change the verify parameter from wiener to carlos and send the request. An OTP should be generated for the user carlos.

Next, go to the login page again and enter your username and password, but this time enter an invalid 2FA code. (Remember to intercept this request, as we want to brute-force the 2FA code.)

Now let’s send this request to Intruder.

Select the code parameter value “1111” and add it as the attack position.

You will soon realise that the community edition’s Intruder is too slow.

Let’s use Turbo Intruder to attack this parameter faster. The link I provided teaches you how to use Turbo Intruder.

Highlight the parameter you want to attack and right-click it to send it to Turbo Intruder.

Before we can attack the code parameter, we need to create a text file containing every number from “0000” to “9999”. This is the list used to brute-force carlos’s 2FA code.

Here we can use crunch to create a text file containing all combinations of a 4-digit number with this command:

$ crunch 4 4 0123456789 -o todelete.txt

You can learn how to use crunch here.

Here is what the crunch command generated. Pretty neat.

Here is the interface of Turbo Intruder. Remember to use the link I gave to learn how to use it. You have to edit some of the Python code for it to work.

Now let’s start the attack!

Very quickly I spotted the 302; now we can click Halt to stop the attack.

Right-click inside the Raw response area and send this response to the browser.

Paste the link into the browser (the Burp proxy has to be on for this to work).

Next, click Forward until you see the response.

You should be able to see that you have successfully logged in.

With the Burp proxy still on, click the My account button on the web page and click Forward in Burp Suite; finally, you will be redirected to the My Account page of carlos.

Congratulations, you have successfully solved this lab.
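To show the defence side of what this lab demonstrates, here is an added example (not part of the original post or the lab’s own code) that puts the lab-style check, where a client-supplied verify value selects the user and attempts are unlimited, next to a hardened version that takes the user from the server-side session, caps attempts and makes the OTP single-use. All function names, the session store and the sample OTPs are constructed for illustration.

```python
# Added example (not from the original post): lab-style 2FA logic next to a
# hardened version. The session store and OTP values below are constructed.
import hmac

MAX_OTP_ATTEMPTS = 3

# Constructed server state: the OTP issued by /login2 for each user.
pending_otps = {"wiener": "4821", "carlos": "0337"}


def verify_2fa_vulnerable(verify_param, code):
    """Lab-style logic: trusts the client-supplied 'verify' value to decide
    whose OTP is checked, and never counts failed attempts."""
    expected = pending_otps.get(verify_param)
    if expected is not None and code == expected:
        return {"authenticated_as": verify_param}  # would 302 to /my-account
    return None


def start_2fa_session(username):
    """After the password step, the server binds the pending user to the
    server-side session; the client never gets to choose this value."""
    return {"pending_user": username, "otp_attempts": 0, "authenticated_as": None}


def verify_2fa_hardened(session, code):
    """The username comes from the session, attempts are capped, and the
    OTP is consumed on success so it cannot be reused."""
    user = session.get("pending_user")
    if user is None or session["otp_attempts"] >= MAX_OTP_ATTEMPTS:
        return False
    session["otp_attempts"] += 1
    expected = pending_otps.get(user)
    if expected is not None and hmac.compare_digest(code, expected):
        session["authenticated_as"] = user
        session["pending_user"] = None
        pending_otps.pop(user, None)  # single use
        return True
    if session["otp_attempts"] >= MAX_OTP_ATTEMPTS:
        session["pending_user"] = None  # locked out: back to the password step
    return False
```

With the hardened check, the verify value carried by the request is never consulted, so generating an OTP for another user has no effect, and the 10,000-code list stops working after three guesses.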

Yikai

Started my journey in cybersecurity in September 2020. This blog is used mainly to record my learning journey.