Brute-forcing 2FA with Ruby | Greg Molnar

I was doing a challenge on Hack The Box(since it is still active, I don’t want to point out which one it was) and I solved it with a little Ruby script. The challenge was to bypass 2FA protection. At the login proccess, a SQL injection enabled to bypass the password verification, but there was a second factor. Based on the available source code, the second factor was a 4 digit code and it was valid for 5 minutes, so I tried to brute-force it with Burp Intruder, but after the 20th attempt, my IP got blocked. I looked at the codebase again, and noticed that the application accepts an X-Forwarded-For header. I thought this might enable me to brute-force the 2FA code. Unfortunately Intruder doesn’t make it easy to rotate the IP during an attack, so I decided to write a little Ruby script to handle this.