Bluehat CTF — ThreeSeconds (captcha solver)

Josh Graham
2 min readOct 2, 2018

--

I had the chance to play the Bluehat CTF this year made by Jonathan Bar Or. This blog will discuss the way I solved the web challenge ThreeSeconds. I’ve written up some other challenges here.

To solve this challenge we need to visit the ThreeSeconds page, read a string in an image file and submit the string within three seconds i.e. solve a captcha. Because the string was contained within a png file we needed to use some sort of OCR software to extract the text in the within the three second time limit.

Obviously, when I encounter a challenge that requires scripting, I’m going to use AutoHotkey! A quick google turned up this Autohotkey repository (run random peoples code at your own risk) that will attempt to extract text from an image. I downloaded one of the captcha images from the CTF server and tried to run the AHK OCR code against it but was unsuccessful. The AHK OCR repository contained a demo .jpg image which the script was able to read the text of so i tried saving the CTF .png file as a .jpg and found that the script was able to read it.

Rather than figure out what was going wrong, I scripted the interaction in paint.net to open the .png file form the server and “save as” a .jpg. After saving the image as a .jpg, the OCR script was able to read the text and I could submit it to the server to get the flag.

There were a couple of things that made the challenge more difficult.

  1. You had to ensure that the request to get the image contained a valid session cookie and that the request to submit the text used the same session cookie. To get around this, I copied the session token from my browser and used it when making request in my AHK script
  2. The AHK OCR library often made mistakes when reading characters. To get around this I put the solution in a loop to try 10 times before giving up. It got it right enough that I was able to solve it in less than 10 runs. I also noticed that it often read “q” as “qg” and added space and commas randomly so I added a couple of lines to replace instances of qg commas and spaces.

Below is the AHK code that solved the challenge for me:

I’ve written up some other challenges here.

--

--