PortSwigger - Authentication - Lab 2

Posted Jun 3, 2024 Updated Oct 26, 2024

By Jaco Zwarts 1 min read

Lab 2 - Authentication - 2FA bypass

Lab Objective:

This lab’s two-factor authentication can be bypassed. You have already obtained a valid username and password, but do not have access to the user’s 2FA verification code. To solve the lab, access Carlos’s account page.
The lab has an account with a predictable username and password, which can be found in the following wordlists:

Your credentials: wiener:peter
Victim's credentials carlos:montoya

Reference:
Port Swigger - Lab 2

Solution

1. Log in to your own account. Your 2FA verification code will be sent to you by email. Click the `Email client` button to access your emails.

2. Go to your account page and make a note of the URL.

3. Log out of your account.

4. Log in using the victim’s credentials

5. When prompted for the verification code, manually change the URL to navigate to `/my-account`. The lab is solved when the page loads.

PortSwigger

authentication bscp

This post is licensed under CC BY 4.0 by the author.

Lab 2 - Authentication - 2FA bypass

Solution

1. Log in to your own account. Your 2FA verification code will be sent to you by email. Click the Email client button to access your emails.

2. Go to your account page and make a note of the URL.

3. Log out of your account.

4. Log in using the victim’s credentials

5. When prompted for the verification code, manually change the URL to navigate to /my-account. The lab is solved when the page loads.

Trending Tags

1. Log in to your own account. Your 2FA verification code will be sent to you by email. Click the `Email client` button to access your emails.

5. When prompted for the verification code, manually change the URL to navigate to `/my-account`. The lab is solved when the page loads.