Skip to main content

IceCTF 2018 – Anticaptcha [Miscellaneous]

Miscellaneous – 2. Anticaptcha

 Author: valrkey

 Worth: $250

 Description: Wow, this is a big captcha. Who has enough time to solve this? Seems like a lot of effort to me!

As you can tell by the tiny scroll bar, there were a large number of questions (609) to be answered. To make things more difficult, each time the question was visited, the order and numeric value would be randomized. The questions generally followed one of three formats:

  1. What is the # word in the following line: ...?
  2. Is # a prime number?
  3. What is the greatest common divisor of # and #?
For each of these question formats, I wrote a PowerShell function to determine the answer.

Word in Line

This function takes in the INDEX of the word requested and the LINE to take the word from. I added a line word length check just in case the IceCTF staff are jerks and give a too-large index. Everything should be accounted for the after mapping the 1st word" to the 0th array index and getting rid of any trailing '.' characters.


Prime Number

If a number is prime, it must not be evenly divisible by anything except itself and 1. I created a loop that runs from 2 to the sqrt(#) checking if each integer evenly divides our input VALUE. The odd case with this logic ends up being the VALUE 1, since it is not prime as it divides every other number in existence.


Greatest Common Divisor

This calculation can be accomplished a couple different ways; I chose the Euclid's algorithm since it lent itself to easy recursion and seemed to be more efficient than looping through all numbers below the lesser input VALUE and checking divisibility on both numbers.


Question Gathering

The Anticaptcha form was set in an iframe on the IceCTF platform site. After enabling all versions of HTTPS and supplying Referer and User-Agent headers, I was able to pull down the list of questions by sending a GET request to the iframe source site (https://<random chars>-anticaptcha.labs.icec.tf):


Question Parsing

To parse the questions out of the returned HTML, I started by looking at the page structure:


Since all of the questions and answer formats are contained in Table Data elements, I decided to target those:


This loop will gather each question and the desired answer format. I've found HTML parsing to be more of an art than a science, and this feat would be possible in a number of different ways. I happened to pick this TD elements because it made the most sense to me. 

Answering the Questions

Using the functions I outlined above, I was able to test the questions against the following regular expressions in order to compute the answer:


The default action for this switch statements prints out a warning for any question that doesn't match one of the above three regular expressions. When running, I received the following warnings:


Looks like the IceCTF staff threw in some oddball questions for funsies, so I added an additional function to handle these questions specifically:


I added this new function to handle the "default" action of the Answer switch statement. The full function to get questions and answer them was:




Submitting Answers

Submitting the answers I found should be posted back to the Anticaptcha site based on the form action on the page. Inspecting a random answer submit on the site in Burp provided the post request body format of:

answer={ans0}&answer={ans1}...&submit="Submit+Answers"

Putting it all together, the end result was this function:


Checking the Content of the response, I noticed:


What the....


But...why...how, what...?


I beat my head against that wall for a while to no avail. For whatever reason, I was unable to mimic a browser submission, so I was forced to go about it a different route.

Browser Automation

I knew of this neat browser automation tool called Selenium that was designed for web development unit testing. Thinking I could get around my impersonation shortcomings by driving a real life browser, I looked up the project's PowerShell compatibility and discovered they had a module available.

With this module, you are able to point your puppet browser (Firefox in my case) at websites, select HTML elements, and send key strokes/click events to selected elements. Should be perfect!

After navigating my puppet browser to the Anticaptcha challenge site, the following code filled in answers in the input boxes on the page and clicked the submit button when finished:


Video of the driven browser:


The final result:


Flag = IceCTF{ahh_we_have_been_captchured}

Comments

Post a Comment

Popular posts from this blog

Emotet Downloader Write-Up

This write-up is for a macro embedded doc used as a downloader for Emotet. Author: 5k33tz MD5: 43d2a3df73fdcb10b9429a480d96ddcf This sample first came to my attention by way of an alert for a download from an Emotet related URL. Looking at the PCAP I see a GET request to imdavidlee.com/9493MG/biz/US After grabbing the file from the source and hashing it, I realized there were already 21/44 detections on VT. So I wanted to do some manual analysis to strengthen my skills and see how this sample works. Running file against the sample: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Arorupyzheh-PC, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Sat Aug 25 00:31:00 2018, Last Saved Time/Date: Sat Aug 25 00:31:00 2018, Number of Pages: 1, Number of Words: 3, Number of Characters: 21, Security: 0 We can see it's a Word Doc, but probably the
Post a Comment
Read more

IceCTF 2018 - Picasso [Forensics]

Forensics – 1. Picasso Author: 5ynax and Valrkey Worth:  $150 Description: The challenge involved a GIF that we needed to extract a message from. So, for this challenge, we had two ways that we solved it at almost the same time. We have the long (5ynax) way and we have the fast (valrkey) way. The Long Way In the long way, I decided to extract each frame of the automated GIF and then import them into GIMP to layer them on top of one another. I used an online tool to get all of the frames, there was a lot of them, I used https://ezgif.com/split. After I got the frames split up, I downloaded them and moved them to my box with GIMP ready for analysis. I later learned that I could have just imported the GIF into GIMP directly using the open as layers routine, but that's neither here nor there. For each layer there is an Alpha Channel. In GIMP under the colors menu, you can select the Color to Alpha Routine to get this box: This allows you to choose a color an
Post a Comment
Read more