Name: Two Factor Authentication
Description: Solve the 2FA challenge for user “wurstbrot”. (Disabling, bypassing or overwriting his 2FA settings does not count as a solution)
Difficulty: 5 star
Category: Broken Authentication
Expanded Description: https://pwning.owasp-juice.shop/part2/broken-authentication.html
Google Authenticator Android app
No outside resources, but things learned in plenty of previous challenges.
To start this challenge out, I decided to follow the suggestion in the expanded description to learn how the 2FA mechanism works normally. I began by signing Amy up for 2FA using my phone’s Google Authenticator application. By copying the QR code and entering the six-digit time-bound code supplied by the Authenticator application into the 2FA Configuration form, I successfully linked my phone to her account.
I then logged out and back in as Amy to be certain that the activation had worked. Immediately after the email/password form, this 2FA form popped up, and I was able to log in using the time-bound code supplied by my Authenticator application.
After doing that, I logged in under the Admin account and visited the Admin section, then used Firefox’s Developer Tools’ Network tab to check if any data fields for Amy’s account had been updated when I activated 2FA.
Sure enough, the “totpSecret” field now had a string of upper-case characters and numbers where none had been previously (I double-checked the database contents I’d pulled during the User Credential and Database Schema challenges to ensure that field had been empty previously).
Knowing that this field was important to the challenge, and that the expanded description included a bullet point which explained that understanding time-based one-time passwords (TOTP) would be important, I checked the user data for Wurstbrot’s account.
The totpSecret field was populated with a much longer secret code than Amy’s account had involved, but that was no bother, since I knew that manually entering a TOTP secret into the Authenticator application would effectively skip the QR code step. I entered the code into my phone and logged in as Wurstbrot using the same SQL injection trick I’d used in the Login Bender challenge.
As I’d already linked my phone to this account, I simply entered the Authenticator code and successfully bypassed Wurstbrot’s 2FA!
Prevention and Mitigation Strategies:
Also, encrypt any TOTP key before storing it in a database. Had that key required brute force to crack, even if I’d known which encryption algorithm was used, this would have been borderline impossible within my lifetime.
Lessons Learned and Things Worth Mentioning:
This is the first time I’ve ever thought to myself “I’m becoming a hacker!”. Having drawn information and/or techniques from at least six previous challenges, along with a workable understanding of how multi-factor authentication via phone application works, and then essentially weaponizing all of that disparate knowledge to complete this challenge was pretty satisfying.