Bypassing Captcha Like a Boss

Hello Hunters! It’s been a while since my last write up, so i decide to share a fun experience that i had while hunting on a private program.

What the hell is a captcha?

From my point of view: A captcha solution is mostly utilized for avoid bots and ensure that the User behind the app is a real human.

Share is care, so let’s go to the write up!

Mapping the Application, i found a subscription endpoint with a captcha filter like this:

http://example.com/captcha/captchaCheck?

This took my attention quickly so i move to the src page:

<form action=”/captcha/captchaCheck” method=”post”>
 <input name=”hashvalue=”09573e52f752f3f5e6250b62aa34b8a8c08a4d22" type=”hidden”>
 <input name=”emailAddress” value=”test@email.com” type=”hidden”>
 <input name=”name” value=”” type=”hidden”>
 <input name=”enteredValue” size=”25" type=”text”> 
 <input value=”Subscribe” type=”submit”>
 </form>

If you look at the form you can realize that there are 2 interesting params:

hash” (encryption hash) and ”enteredValue” (number value of the captcha)

So, i fill the captcha and sent the form:

At this point i needed to realize the behavior/functionality of this captcha, so:

I found this:

If “hash” == “enteredValue” then Request is Accepted
If “hash” != “enteredValue” then Request is Blocked

Nice, so.. its quite simple: if params match: requests is accepted.. Now the complex thing is: that hash can be decrypted? : Challenge Accepted!

So i paste the hash in my terminal and try to decrypt with “dcipher”:

(Decipher hashes using online rainbow tables [hash toolkit, GromWeb, MD5Hashing] & lookup table attack services.)

Nice! Decrypted: OK! If you notice the 6 digits number is equal to the captcha image below:

Well well well, now we have all the pieces in the table: so.. let’s create a bot!

I created a bot in python for PoC purposes to show how an attacker can easily bypass this captcha behavior and abuse of his functionality:

1) First the bot sent a request to the subscription page with the captcha -> https://company.com/captcha/form/?
2) Bot scrape on the page and retrieve the ‘hash’ value param.
3) Bot decrypt the Hash (dcipher) 
4) With decrypted value the bot creates a POST request to http://company.com//captcha/captchaCheck and automatically fills all user form required params with random values (email, name, ipaddress, etc)
5) Bot sent the POST request and bypass the captcha

The bot is very basic but works like a charm.. so i sent this PoC to the program with the next explanation:

Security Impact
An attacker can create a bot to bypass the captcha and automate the tasks to sent unlimited requests to a multiple urls or lists with random/fake users, emails, IP address.. for spamming or evil purposes (collect data, analyze traffic behaviors, etc)

( The program had a really fast response! < 1h )

TIMELINE
Submitted 2018–04–16 03:51:17 UTC
Team Response with triage and bounty 2018–04–16 04:48:17 UTC
(Bounty $ xxx)

So ak1t4 is happy!

I hope you enjoyed this reading as i enjoyed writing it!
And remember: if you fail? try harder!
Happy Hunting!