# 2FA broken logic

## Lab Description

<figure><img src="/files/bvTMOhPlPtzQgDJafC1x" alt=""><figcaption></figcaption></figure>

## Walkthrough

### Step 1: Initial Observations

* After logging in with the provided credentials `wiener:peter`, we are prompted for a 4-digit **OTP** (One-Time Password).
* The 4-digit code is delivered to the email server, which we have access to.

<figure><img src="/files/TsAzV2DyZYcMpuCS684q" alt=""><figcaption></figcaption></figure>

Opening the email client provided with the lab confirms that the code is a 4-digit numeric value, which means there are only 10,000 possible values.

<figure><img src="/files/flgasBXm8ou0Msxg31ea" alt=""><figcaption></figcaption></figure>

### Step 2: Understanding the Logic Flaw

* The **GET request** that triggers the OTP includes a `verify` parameter containing the username, so the server relies on a client-supplied value rather than on the session to decide whose code to generate.
* By changing the value of the `verify` parameter to `carlos`, the server generates a verification code **for Carlos's email**, even though our session never authenticated as Carlos.

<figure><img src="/files/rtPRnRtGyUTTz4WftyTl" alt=""><figcaption></figcaption></figure>

### Step 3: Brute Forcing the OTP

**Generating Carlos's OTP:**

* Modify the `verify` parameter to `carlos` and send the request. This generates the OTP for Carlos and sends it to his email.

<figure><img src="/files/EQ44Orbp7DNkzTzpnTn1" alt=""><figcaption></figcaption></figure>

**Sending the POST Request to Burp Intruder:**

* Send the POST request to **Intruder** and mark the `mfa-code` parameter as the payload position.
* Use a numeric payload set to try all possible 4-digit OTP combinations (0000–9999); the server imposes no attempt limit, so every guess is accepted.

<figure><img src="/files/6gONqa4gPF71ZW0hLiGo" alt=""><figcaption></figcaption></figure>

**Filtering Successful Responses:**

* After running the brute-force attack, filter the responses by **status code 302**: the application only redirects on a successful login, so the single 302 response identifies the correct code.

<figure><img src="/files/UUkNrPt2L5z7eXRC6A1i" alt=""><figcaption></figcaption></figure>

### Step 4: Accessing Carlos's Account

* Take the OTP from the successful request and update the `mfa-code` parameter.
* Since we don't have Carlos's password, we cannot log in as him normally, so we use **Burp Suite** to open the successful request in the browser session instead:
  * Right-click the request > *Request in Browser > In Original Session*.

<figure><img src="/files/DKJMcSTkbFl1C0b90zur" alt=""><figcaption></figcaption></figure>

Carlos’s account page is successfully accessed despite the 2FA mechanism.

<figure><img src="/files/KjjhhrnX6OsNbrGFChAy" alt=""><figcaption></figcaption></figure>
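The root cause in this lab is server-side: the verification step trusts the client-supplied `verify` parameter instead of the user recorded in the session, and it never limits how many codes may be tried. The following Python model, added here as an illustration and not code from the lab or from PortSwigger, shows the flawed check beside a hardened one. Names such as `Session`, `MfaStore`, `vulnerable_verify` and `hardened_verify` are assumptions for the example; the hardened version binds the OTP to the session's pending user, makes the code single-use, and invalidates it after a small number of wrong guesses.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical limit on wrong OTP submissions before the code is invalidated.
MAX_ATTEMPTS = 3


@dataclass
class Session:
    pending_user: Optional[str] = None  # set by the password step, before MFA
    user: Optional[str] = None          # set only after MFA succeeds
    attempts: int = 0


class MfaStore:
    """Server-side store of outstanding OTPs, keyed by username (constructed model)."""

    def __init__(self) -> None:
        self.codes: Dict[str, str] = {}

    def issue(self, username: str) -> str:
        # 4-digit code, as in the lab; in the model it is returned instead of emailed.
        code = f"{secrets.randbelow(10_000):04d}"
        self.codes[username] = code
        return code


def vulnerable_verify(store: MfaStore, session: Session, verify_param: str, submitted: str) -> bool:
    """Flawed check modelled on the lab: the username comes from the request,
    not from the session, and there is no attempt limit."""
    expected = store.codes.get(verify_param)
    if expected is not None and hmac.compare_digest(expected, submitted):
        session.user = verify_param  # logs the session in as whoever 'verify' named
        return True
    return False


def hardened_verify(store: MfaStore, session: Session, submitted: str) -> bool:
    """Hardened check: the user is taken from the session, the code is single-use,
    and after MAX_ATTEMPTS failures the code is revoked and the login restarts."""
    username = session.pending_user
    if username is None or session.attempts >= MAX_ATTEMPTS:
        return False
    session.attempts += 1
    expected = store.codes.get(username)
    if expected is not None and hmac.compare_digest(expected, submitted):
        store.codes.pop(username)       # single use
        session.user = username
        session.pending_user = None
        session.attempts = 0
        return True
    if session.attempts >= MAX_ATTEMPTS:
        store.codes.pop(username, None)  # revoke the code; password step must be redone
        session.pending_user = None
    return False


def demo() -> Dict[str, bool]:
    """Runs both checks against the lab scenario and returns the observations."""
    results: Dict[str, bool] = {}

    # Scenario: the session passed the password step as wiener, then asked for carlos's code.
    store = MfaStore()
    session = Session(pending_user="wiener")
    carlos_code = store.issue("carlos")
    results["vulnerable_accepts_other_user"] = vulnerable_verify(store, session, "carlos", carlos_code)
    results["vulnerable_session_is_carlos"] = session.user == "carlos"

    # Hardened: the same code is useless because the session's pending user is wiener.
    store = MfaStore()
    session = Session(pending_user="wiener")
    carlos_code = store.issue("carlos")
    results["hardened_rejects_other_user"] = not hardened_verify(store, session, carlos_code)

    # Hardened: repeated wrong guesses revoke the code, so even the right one then fails.
    store = MfaStore()
    session = Session(pending_user="wiener")
    wiener_code = store.issue("wiener")
    for _ in range(MAX_ATTEMPTS):
        hardened_verify(store, session, "xxxx")  # never a valid 4-digit code
    results["hardened_locks_after_failures"] = not hardened_verify(store, session, wiener_code)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two defensive properties map directly onto the lab's two weaknesses: deriving the username from the session closes the `verify` parameter swap, and revoking the code after a few failures removes the 10,000-guess brute force that Intruder performed above.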

