# 2FA simple bypass

## Description

This lab's two-factor authentication can be bypassed. You have already obtained a valid username and password, but do not have access to the user's 2FA verification code. To solve the lab, access Carlos's account page.

* Your credentials: `wiener:peter`
* Victim's credentials: `carlos:montoya`

## Solution

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FqJAroVsVHstMBnOSJUOw%2Fimage.png?alt=media&#x26;token=1ed5b936-3d94-4da7-ac34-efd24e0aed99" alt=""><figcaption></figcaption></figure>

Starting the login as the wiener user: after entering the username and password, the system asks us for a 4-digit security code.

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FzqZu1MbfTAiGtKdEMQZt%2Fimage.png?alt=media&#x26;token=4b9153ca-45f2-423a-9c01-c512f23ca83f" alt=""><figcaption></figcaption></figure>

We can retrieve the numeric security code by clicking the 'Email client' button:

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FLtwcLWPHZvphEZ23Xcde%2Fimage.png?alt=media&#x26;token=affa064f-af07-48f0-a5e9-736101dfda84" alt=""><figcaption></figcaption></figure>

Entering it in the dedicated field, we log in correctly as 'wiener':

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FeuexNa3s9Hcopv3GcZ8u%2Fimage.png?alt=media&#x26;token=795468ba-3811-495c-b98c-99a023b84bee" alt=""><figcaption><p><a href="https://0a6b0064035e981b809621c7009f0018.web-security-academy.net/my-account?id=wiener">https://0a6b0064035e981b809621c7009f0018.web-security-academy.net/my-account?id=wiener</a></p></figcaption></figure>

Note the URL of the account page: <https://0a6b0064035e981b809621c7009f0018.web-security-academy.net/my-account?id=wiener>

Checking the requests, there are two login forms:

the 'Login' page:

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2F9eKg51wgfuTtzwza2QLB%2Fimage.png?alt=media&#x26;token=afb38b4d-f385-4928-8b78-5c0940924d45" alt=""><figcaption></figcaption></figure>

and the 'Login2' page, first with the GET method:

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FFts1RHIqj0oPZBNxIBXz%2Fimage.png?alt=media&#x26;token=35db7154-8f1a-4835-bf1f-0ebeafe898af" alt=""><figcaption></figcaption></figure>

and then with the POST method:

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FJGf3QlY4MRf7Lr5h4NU6%2Fimage.png?alt=media&#x26;token=bf54dddf-afd3-4c10-8f78-189a4d2d2144" alt=""><figcaption></figcaption></figure>

All clear. Log out from wiener's account and try to log in to carlos's account (`carlos:montoya`):

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2Fz64aXRq0RnBgjKBHGcP8%2Fimage.png?alt=media&#x26;token=2219f512-aa76-49f7-9d7d-dc55df8a63f0" alt=""><figcaption></figcaption></figure>

Clicking the "Email client" button, we cannot see any message with carlos's code.

Remembering the URL of wiener's account page, we can enter it manually with `id=wiener` replaced by `id=carlos` and skip the 2FA check entirely, solving the lab:

<https://0a6b0064035e981b809621c7009f0018.web-security-academy.net/my-account?id=carlos>

<figure><img src="https://677614291-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FrRWtuMw6xkkeDjZfkcWC%2Fuploads%2FOkAxziW4J1Ans6SyANQe%2Fimage.png?alt=media&#x26;token=19023c96-1656-4ca0-9367-b157b639f7f5" alt=""><figcaption></figcaption></figure>
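To show why browsing straight to the account page works, here is an added example (not part of the lab or of this writeup) that models the two session-handling designs in Python: the vulnerable one, where the password step already marks the session as logged in, and a hardened one that only records a pending identity until the emailed code is verified. The user store, codes and `my_account` handler are constructed for the example.

```python
import hmac

# Constructed user store for the example (not the lab's real data).
USERS = {
    "wiener": {"password": "peter", "email_code": "1234"},
    "carlos": {"password": "montoya", "email_code": "9876"},
}


def vulnerable_login(session, username, password):
    """Mirrors the lab's flaw: the session is fully authenticated after the
    password step, so the code check at /login2 can simply be skipped."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return False
    session["user"] = username  # logged in before any code is checked
    return True


def hardened_login(session, username, password):
    """Password step only records a pending identity; nothing is granted yet."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["password"], password):
        return False
    session.clear()
    session["pending_2fa"] = username  # not a logged-in user until verified
    return True


def hardened_verify_code(session, code):
    """Second step: promote the session only if the pending user's code matches."""
    pending = session.get("pending_2fa")
    if pending is None:
        return False
    if not hmac.compare_digest(USERS[pending]["email_code"], code):
        return False
    session.clear()
    session["user"] = pending
    return True


def my_account(session, requested_id):
    """/my-account?id=<name>: served only to the authenticated user and only
    for their own id, so the id parameter alone never selects the account."""
    user = session.get("user")
    if user is None or user != requested_id:
        return 401
    return 200
```

Run through the vulnerable path, `my_account` answers 200 right after the password step; in the hardened path it stays 401 until `hardened_verify_code` succeeds.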
