Bluehat CTF — ThreeSeconds (captcha solver)
I had the chance to play the Bluehat CTF this year made by Jonathan Bar Or. This blog will discuss the way I solved the web challenge ThreeSeconds. I’ve written up some other challenges here.
To solve this challenge we need to visit the ThreeSeconds page, read a string in an image file and submit the string within three seconds, i.e. solve a captcha. Because the string was contained within a PNG file, we needed to use some sort of OCR software to extract the text within the three-second time limit.
Obviously, when I encounter a challenge that requires scripting, I’m going to use AutoHotkey! A quick Google search turned up this AutoHotkey repository (run random people’s code at your own risk) that will attempt to extract text from an image. I downloaded one of the captcha images from the CTF server and tried to run the AHK OCR code against it but was unsuccessful. The AHK OCR repository contained a demo .jpg image whose text the script was able to read, so I tried saving the CTF .png file as a .jpg and found that the script was able to read it.
Rather than figure out what was going wrong, I scripted the interaction in paint.net to open the .png file from the server and “save as” a .jpg. After saving the image as a .jpg, the OCR script was able to read the text and I could submit it to the server to get the flag.
There were a couple of things that made the challenge more difficult.
- You had to ensure that the request to get the image contained a valid session cookie and that the request to submit the text used the same session cookie. To get around this, I copied the session token from my browser and used it when making requests in my AHK script.
- The AHK OCR library often made mistakes when reading characters. To get around this, I put the solution in a loop to try 10 times before giving up. It got it right enough that I was able to solve it in less than 10 runs. I also noticed that it often read “q” as “qg” and added spaces and commas randomly, so I added a couple of lines to replace instances of “qg”, commas and spaces.
Below is the AHK code that solved the challenge for me: