Bypassing Captcha with a simple bot earn ($$$ bounty)

ShuttlerTech
3 min readFeb 17, 2023

--

Hello, Hunters. You are here because you are struggling or want to advance in your career. Believe me, things take time. Be consistent, continue to learn, and never deceive yourself. If you follow these three mantras, you will undoubtedly achieve success.

What is the definition of a captcha?

A captcha solution, in my opinion, is mostly used to avoid bots and ensure that the user behind the app is a real human.

Let’s Start to learn about Vulnerability Captcha bypass

I find a subscription endpoint with a captcha filter like this:

http://example.com/captcha/captchaCheck? in one application.

This quickly drew my attention, so I went to the source page:

<form action=”/captcha/captchaCheck” method=”post”>
<input name=”
hashvalue=”09573e52f752f3f7e8230b65aa34b8a8c08a4d22" type=”hidden”>
<input name=”emailAddress” value=”Pentest@email.com” type=”hidden”>
<input name=”name” value=”” type=”hidden”>
<input name=”
enteredValue” size=”25" type=”text”>
<input value=”Subscribe” type=”submit”>
</form>

When you look at the form, you’ll notice two interesting parameters:

hash” (encryption hash) and ”enteredValue” (number value of the captcha)

I then sent the form after filling out the captcha:
I wanted to understand the functionality and behavior of this captcha at this point,
I found this:

  1. If “hash” == “enteredValue” then Request is Accepted
  2. If “hash” != “enteredValue” then the Request is Blocked (! this sign represent not equals to)

Nice, so it’s fairly simple: if the request’s parameters match, it will be approved. The tricky question is, can that hash be decrypted?
So I Accepted the challenge! start searching on google got one result start working on it.

So I paste the hash in my terminal and try to decrypt with “dcipher” or any decryption tool that can be used.

(Decipher hashes using online rainbow tables [hash toolkit, GromWeb, MD5Hashing] & lookup table attack services.)

Nice! Decrypted: OK! If you notice the 6 digits number is equal to the captcha image below:

We have all thing with us so now we can create a simple bot for this attack!

I created a bot in python for PoC purposes to show how an attacker can easily bypass this captcha behavior and abuse his functionality:

1) The bot first requested the captcha-protected subscription page at https://company.com/captcha/form/?
2) A bot will scrape the page to find the “hash” value parameter.
3) Bot unlocks the Hash (dcipher)
4) The bot generates a POST request to http://company.com//captcha/captchaCheck using the decrypted value and automatically fills out all user form fields with random values (email, name, address, etc)
5) A bot sent a POST request while avoiding the captcha.

Impact on Security

For spamming or other nefarious purposes, an attacker can construct a bot to get around the captcha and automate the process of sending an endless number of requests to multiple URLs or lists with random or phoney users, emails, or IP addresses (collect data, analyze traffic behaviors, etc)
Source: Medium

Thank you for reading !! hope you get to learn some tricks.

Subscribe to the Shuttlertech YouTube channel for more of this type of content and to watch live POCs. To encourage me to write more, follow me on medium and click the clap icon.

--

--

ShuttlerTech
ShuttlerTech

Written by ShuttlerTech

Senior Cyber Security Analyst| YouTuber| Freelancer| Cyber Security Trainer | Penetration Tester| Cyber Forensics Investigator

Responses (11)