Walkthrough
The name of the challenge is No Fa, here's the link: https://play.picoctf.org/practice/challenge/765?category=1&difficulty=2&page=1
Let's see the live instance.
So we need some sort of login credentials to access the website.
Let's see what we get in the linked files.
Here we have a SQLite users.db database dump containing usernames, user email IDs and hashed passwords (these passwords appear to be unsalted, meaning they can be easily cracked).
First I extracted all the usernames and hashed passwords cleanly
Some of these hashed passwords can be easily cracked via CrackStation because they are commonly used passwords and, as I said above, unsalted. Let's pick one credential at random and test it in CrackStation.
Bingo, we got the username and password login creds:
admin : apple@123
Now let's log in with these creds; we are redirected to OTP verification.
If we look carefully at the code given in app.py, we see that
the secret OTP is stored inside the session cookie and no server-side validation is done. So if we intercept the OTP request via Burp and manage to decode the session cookie, we can read the OTP and gain access. Let's see how we do that.
Since the application uses Flask to create session cookies, we can use a tool like Flask-Unsign to decode the session cookie and get the OTP (https://github.com/Paradoxis/Flask-Unsign):
flask-unsign --decode -c "YOUR_SESSION_COOKIE"
{'logged': 'false', 'otp_secret': '8369', 'otp_timestamp': 1774541649.0009327, 'username': 'admin'}
Now that we have the OTP, 8369, we enter it to get access to the page,
and voilà, we have access to the page and there's our beautiful flag.
Conclusion
There were two core security vulnerabilities in this Flask application:
- User passwords were stored as weak, unsalted hashes, making them trivially crackable via rainbow tables on sites like CrackStation.
- The 2FA mechanism had no server-side validation. The OTP field was enforced only on the client side, meaning the server never actually verified whether a valid OTP was submitted.
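As an added illustration (not the challenge's app.py, and not part of the original writeup), here is how both flaws are closed in plain Python: a salted PBKDF2 password hash in place of an unsalted digest, and an OTP that exists only in a server-side store while the cookie carries nothing but an opaque session id, checked with a constant-time compare, an expiry and an attempt limit. The session ids, TTL and attempt values are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

PBKDF2_ITERS = 200_000  # assumed work factor; tune to your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-SHA256; a fresh per-user salt defeats rainbow-table lookups."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)
    return f"pbkdf2_sha256${PBKDF2_ITERS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Server-side OTP state: session id -> (otp, expiry, attempts left).
# Unlike the challenge app, the client cookie never carries the OTP itself.
_otp_store: Dict[str, Tuple[str, float, int]] = {}
OTP_TTL_SECONDS = 120  # assumed
MAX_ATTEMPTS = 3       # assumed


def issue_otp(session_id: str, now: Optional[float] = None) -> str:
    """Generate a 6-digit OTP, keep it only on the server, deliver it out of band."""
    now = now if now is not None else time.time()
    otp = f"{secrets.randbelow(10**6):06d}"
    _otp_store[session_id] = (otp, now + OTP_TTL_SECONDS, MAX_ATTEMPTS)
    return otp


def verify_otp(session_id: str, submitted: str, now: Optional[float] = None) -> bool:
    """Server-side check: unknown session, expired, exhausted or reused codes all fail."""
    entry = _otp_store.get(session_id)
    if entry is None:
        return False
    otp, expires, attempts = entry
    now = now if now is not None else time.time()
    if now > expires or attempts <= 0:
        _otp_store.pop(session_id, None)
        return False
    if hmac.compare_digest(otp.encode(), submitted.encode()):
        _otp_store.pop(session_id, None)  # single use
        return True
    _otp_store[session_id] = (otp, expires, attempts - 1)
    return False
```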