🧠 Info

This lab's two-factor authentication is vulnerable to brute-forcing.

You already have valid credentials, but not the 2FA verification code.

🎯 Goal

Brute-force the 2FA code and access Carlos's account page.

• 👤 Victim's Credentials: carlos:montoya

💡 Idea Behind the Lab

When logging in with Carlos’s credentials:

• You are prompted to enter a 2FA code
• If you enter a wrong code twice, you're kicked out of the login session
• The 2FA code changes every 30 seconds, and sessions may expire

➡️ So we need to brute-force the 2FA code efficiently while keeping the session active

✅ That’s where Burp Suite Macros come in!

🧪 Step-by-Step Guide

🔌 Step 1: Attempt Login and Simulate Failure

1. Open the lab website
2. Activate Burp Proxy