US Cyber Open 2022 Web Challenge Write Up: Single-Use

Jpgp
Aug 10, 2022

For this write-up, we’re taking a look at the web challenge “Single-Use” from the US Cyber Open CTF 2022. This write-up is for the US Cyber Combine 2022 week 1 CTF Challenge Review.

The challenge asks us to bypass the given site’s authentication method. As soon as we land on the home page we see a sales dashboard link. Navigating to this link leads us to the login/register page for the site.

If we select register, we are prompted to input a username and are provided with a PIN and an OTP code, shown below.

According to this dashboard we can use an authenticator app, such as Duo Mobile, to scan the QR code, which then produces a 6-digit code that changes every 30 seconds. Essentially this site takes a two-factor authentication method and boils it down to a single factor by removing the need for a password.

Generating OTP

Our OTP secret is “GAYDAMBQGA2DIOJT” and our PIN is 4493. We are told this is base32, and decoding it online gives us the PIN we were given earlier, padded with six leading 0’s.

Using the Python library “pyotp”, we can verify that zero-padding the PIN to 10 digits and base32-encoding it gives us the correct TOTP.

```python
import pyotp
import base64
from datetime import datetime

# The site's TOTP secret is just the 4-digit PIN zero-padded to 10 digits and
# base32-encoded ("4493" -> "0000004493" -> "GAYDAMBQGA2DIOJT").
# pyotp expects the base32 secret as a str, so decode the bytes b32encode returns.
secret = base64.b32encode("4493".zfill(10).encode()).decode()
otp = pyotp.TOTP(secret).now()
print("Your OTP at " + datetime.now().strftime("%H:%M") + " is: " + otp)
```

This script proves that the TOTP we generate matches the one generated at the same time by the authenticator app, shown below.

Bypassing Lockout: Change IP’s

Now that we can generate these OTPs, we can attempt to generate the OTP for the admin account. Unfortunately, we run into a snag here: after 10 failed attempts, the site blocks you from making any more login attempts for 5 minutes.

This makes brute forcing the admin’s seed a bit problematic. We have two options to bypass this. It looks like the site is checking the “X-Forwarded-For” header in the request and using that to block the IP from making more requests for 5 minutes. We could write a script to increment the IP for each seed increment we are brute forcing.

Using the script above, we managed to find the right PIN and generate the current OTP to log in as admin.

Logging into the dashboard as admin with the OTP before it expires takes us right to the admin page and reveals the flag, USCG{5p0rk_l0v3rs_un1t3}.

Bypassing Lockout: Reset lockout

Another method that works is logging in as our registered user before reaching 10 failed attempts. This appears to reset the failed-attempt counter, so doing it after every 9 attempts lets us keep brute forcing the PIN.

Using the script above, we can make 9 requests in a row and then reset the lockout counter by making a login request with our valid credentials. We can see below that this finds the same PIN and current OTP.

Both methods work and result in bypassing the time-based one-time password (TOTP) authentication method.
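As an added example (not part of the original write-up), here is a small Python model of the lockout logic that both bypasses above rely on, beside a hardened version that keys the counter on the real peer address and on the target account, and clears only the counter of the account that actually authenticated. The request dictionary layout, `WeakLockout`, `HardenedLockout` and `admitted_attempts` are constructed for this illustration; the 10-attempt / 5-minute values come from the write-up.

```python
from collections import defaultdict

MAX_FAILURES = 10      # write-up: 10 failed attempts ...
LOCKOUT_SECONDS = 300  # ... lock the client out for 5 minutes

class WeakLockout:
    # Models the challenge site: keyed on the client-supplied X-Forwarded-For
    # header, and any successful login under that key clears the counter.
    def __init__(self):
        self.failures, self.locked_until = defaultdict(int), {}

    def _keys(self, req):
        return (req["headers"].get("X-Forwarded-For", req["peer"]),)

    def _reset_keys(self, req):
        return self._keys(req)

    def allowed(self, req, now):
        return all(self.locked_until.get(k, 0) <= now for k in self._keys(req))

    def record(self, req, success, now):
        if success:
            for k in self._reset_keys(req):
                self.failures[k] = 0
            return
        for k in self._keys(req):
            self.failures[k] += 1
            if self.failures[k] >= MAX_FAILURES:
                self.locked_until[k] = now + LOCKOUT_SECONDS

class HardenedLockout(WeakLockout):
    # Counts per real peer address AND per target account; a success clears
    # only the counter of the account that authenticated, never the IP count.
    def _keys(self, req):
        return (("ip", req["peer"]), ("user", req["username"]))

    def _reset_keys(self, req):
        return (("user", req["username"]),)

def admitted_attempts(limiter, requests, now=0.0):
    """Replay constructed (request, success) pairs and return how many
    requests aimed at the 'admin' account the limiter let through."""
    admitted = 0
    for req, success in requests:
        if not limiter.allowed(req, now):
            continue
        admitted += req["username"] == "admin"
        limiter.record(req, success, now)
    return admitted
```

Replaying either trick against `HardenedLockout` shows at most 10 admin attempts getting through before the lock engages, whereas `WeakLockout` never locks.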

Jpgp

Just a blog to document and keep track of my experiences and projects as a Cyber Security Student