Let's log in with our own username and password and take a look at the web app.
After login we are prompted to enter a 2FA code. We have access to this user's email client, where the code is delivered.
OK, we get the security code. Let's use it and log in.
After a successful login we land on the account page. Note that after entering the 2FA code we are redirected to /my-account. This might come in handy later.
Now log out of this user and log in with the victim's username and password.
As before, we are prompted to enter the 2FA code. But we don't have access to the victim's 2FA.
Instead of brute-forcing the 2FA code, let's try changing the web address to /my-account, since that is the page which loads after successfully entering the 2FA code.
Well, it worked. There is a huge flaw in the web app: it does not enforce the 2FA step on the protected endpoint. The session is treated as fully authenticated as soon as the password is accepted, so the second factor was never actually required.
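The root cause, modelled as an added example (not the lab's own code): a server that grants access to /my-account to any session with a logged-in user, beside a fixed version that tracks an explicit authentication stage and only promotes the session after the 2FA code is verified. The session fields (`auth_stage`) and function names are assumptions for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Paths that must only be served to a fully authenticated session.
PROTECTED_PATHS = {"/my-account"}


@dataclass
class Session:
    # auth_stage is an assumed name: anonymous -> password_ok -> fully_authenticated
    user: Optional[str] = None
    auth_stage: str = "anonymous"


def password_login(session: Session, user: str, password_ok: bool) -> None:
    """First factor: a correct password only moves the session to password_ok."""
    if password_ok:
        session.user = user
        session.auth_stage = "password_ok"


def complete_2fa(session: Session, submitted: str, expected: str) -> bool:
    """Second factor: promote the session only after a constant-time code match."""
    if session.auth_stage != "password_ok":
        return False
    if not hmac.compare_digest(submitted.encode(), expected.encode()):
        return False
    session.auth_stage = "fully_authenticated"
    return True


def vulnerable_is_allowed(session: Session, path: str) -> bool:
    # The flaw in the lab: "has a user" is treated as "is fully authenticated",
    # so requesting /my-account directly after the password step succeeds.
    return path not in PROTECTED_PATHS or session.user is not None


def hardened_is_allowed(session: Session, path: str) -> bool:
    # Fix: protected paths require the session to have passed the 2FA step.
    return path not in PROTECTED_PATHS or session.auth_stage == "fully_authenticated"


def demo(code_known: bool) -> dict:
    """Walk one login through both checks; code_known models having the victim's code."""
    s = Session()
    password_login(s, "carlos", password_ok=True)
    before = (vulnerable_is_allowed(s, "/my-account"), hardened_is_allowed(s, "/my-account"))
    complete_2fa(s, "1234" if code_known else "0000", "1234")  # constructed sample codes
    after = (vulnerable_is_allowed(s, "/my-account"), hardened_is_allowed(s, "/my-account"))
    return {"after_password": before, "after_2fa_attempt": after, "stage": s.auth_stage}
```

In the vulnerable check a direct request to /my-account is served right after the password step, while the hardened check refuses it until `complete_2fa` has succeeded; a detection rule for this class of bug is any request to a post-2FA page from a session that never hit the 2FA verification endpoint.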