├── LICENSE
├── README.md
├── images
    ├── demo1.png
    ├── demo2.png
    ├── demo3.png
    └── demo4.png
├── scripts
    ├── .captcha.jpg
    ├── solution1.py
    └── solution2.py
└── template
    ├── captcha.php
    ├── index.html
    ├── lab1.php
    ├── lab2.php
    └── monofont.ttf


/LICENSE:
--------------------------------------------------------------------------------
 1 | MIT License
 2 | 
 3 | Copyright (c) 2022 D3Ext
 4 | 
 5 | Permission is hereby granted, free of charge, to any person obtaining a copy
 6 | of this software and associated documentation files (the "Software"), to deal
 7 | in the Software without restriction, including without limitation the rights
 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 | 
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 | 
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Captcha Bypassing Lab
 2 | 
 3 | If you want to practise captcha bypassing, this is the right place!
 4 | 
 5 | ## Introduction
 6 | 
 7 | This repo contains a lab to practise captcha bypassing and a python script which is already able to "break" the captcha and get the numbers of it. The lab has 2 parts, one to simply parse the captcha and the other one to combine the captcha with a simple login form
 8 | 
 9 | ## Requirements
10 | 
11 | To use the python script you need to have install the python ***pytesseract*** package as well as the ***tesseract*** command. Both of them used to convert images to text:
12 | 
13 | To launch the lab you just need a php server and in order to generate the captcha you need to have installed php-gd and to have it enabled on `/etc/php/php.ini` by uncommenting the line `extension=gd`
14 | 
15 | ## Installation
16 | 
17 | Clone the repo and set up a php server on the lab folder
18 | 
19 | ```sh
20 | git clone https://github.com/D3Ext/Captcha-Bypassing-Lab
21 | cd Captcha-Bypassing-Lab/template
22 | php -S 0.0.0.0:80
23 | ```
24 | 
25 | ## Solution
26 | 
27 | In order to solve both labs the project has, there actually are infinite solutions but feel free to check the python scripts on the `scripts/` folder, `solution1.py` for the first part and `solution2.py` for the second one
28 | 
29 | ## Demo
30 | 
31 | <img src="https://raw.githubusercontent.com/D3Ext/Captcha-Bypassing-Lab/main/images/demo1.png">
32 | 
33 | <img src="https://raw.githubusercontent.com/D3Ext/Captcha-Bypassing-Lab/main/images/demo2.png">
34 | 
35 | <img src="https://raw.githubusercontent.com/D3Ext/Captcha-Bypassing-Lab/main/images/demo3.png">
36 | 
37 | <img src="https://raw.githubusercontent.com/D3Ext/Captcha-Bypassing-Lab/main/images/demo4.png">
38 | 
39 | ## References
40 | 
41 | ```
42 | https://www.anura.io/blog/captcha-and-recaptcha-how-fraudsters-bypass-it
43 | https://book.hacktricks.xyz/pentesting-web/captcha-bypass
44 | ```
45 | 
46 | ## License
47 | 
48 | This project is under MIT license
49 | 
50 | Copyright © 2024, *D3Ext*
51 | 
52 | 


--------------------------------------------------------------------------------
/images/demo1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/D3Ext/Captcha-Bypassing-Lab/f169fd01a7453b4fdb93cb2ca316f2571bd58a86/images/demo1.png


--------------------------------------------------------------------------------
/images/demo2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/D3Ext/Captcha-Bypassing-Lab/f169fd01a7453b4fdb93cb2ca316f2571bd58a86/images/demo2.png


--------------------------------------------------------------------------------
/images/demo3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/D3Ext/Captcha-Bypassing-Lab/f169fd01a7453b4fdb93cb2ca316f2571bd58a86/images/demo3.png


--------------------------------------------------------------------------------
/images/demo4.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/D3Ext/Captcha-Bypassing-Lab/f169fd01a7453b4fdb93cb2ca316f2571bd58a86/images/demo4.png


--------------------------------------------------------------------------------
/scripts/.captcha.jpg:
--------------------------------------------------------------------------------
1 | <!doctype html><html><head><title>404 Not Found</title><style>
2 | body { background-color: #fcfcfc; color: #333333; margin: 0; padding:0; }
3 | h1 { font-size: 1.5em; font-weight: normal; background-color: #9999cc; min-height:2em; line-height:2em; border-bottom: 1px inset black; margin: 0; }
4 | h1, p { padding-left: 10px; }
5 | code.url { background-color: #eeeeee; font-family:monospace; padding:0 2px;}
6 | </style>
7 | </head><body><h1>Not Found</h1><p>The requested resource <code class="url">/lab1.phpcaptcha.php?rand=991113378</code> was not found on this server.</p></body></html>


--------------------------------------------------------------------------------
/scripts/solution1.py:
--------------------------------------------------------------------------------
 1 | #!/usr/bin/python3
 2 | 
 3 | import requests, time, os, re, signal, pytesseract, colorama, sys
 4 | from colorama import Fore
 5 | from PIL import Image
 6 | 
 7 | def def_handler(sig, frame):
 8 |     print("\n\n[!] Exiting...")
 9 |     sys.exit(1)
10 | 
11 | def GetCaptcha(base_url):
12 |     loop = 0
13 |     while loop == 0:
14 |         try:
15 |             # Create a session for multiple requests
16 |             s = requests.session()
17 | 
18 |             print(Fore.MAGENTA + "[*]" + Fore.WHITE + " Obtaining captcha image url...")
19 |             response = s.get(base_url) # Send request
20 |             captcha_expression = re.search(r'\d{5,10}', response.text) # Use regex to filter for captcha rand url number
21 |             image_url = base_url.removesuffix("lab1.php") + "captcha.php?rand=" + captcha_expression.group(0) # Build captcha image url
22 | 
23 |             print(Fore.GREEN + "[+]" + Fore.WHITE + " Image url: " + image_url)
24 |             captcha_image = s.get(image_url) # Send request to image
25 | 
26 |             # Save captcha image in a file
27 |             f = open("captcha.jpg", "wb")
28 |             f.write(captcha_image.content)
29 |             f.close()
30 |             time.sleep(0.2)
31 | 
32 |             print(Fore.MAGENTA + "[*]" + Fore.WHITE + " Converting captcha image to text...")
33 |             # Use pytesseract to parse image
34 |             captcha_value = pytesseract.image_to_string(Image.open('captcha.jpg')).strip()
35 |             os.remove("captcha.jpg")
36 | 
37 |             print(Fore.GREEN + "[+]" + Fore.WHITE + " Captcha value: %s" % captcha_value)
38 |             time.sleep(0.2)
39 | 
40 |             print(Fore.MAGENTA + "[*]" + Fore.WHITE + " Checking if captcha is valid...")
41 |             post_data = {
42 |                 'captcha': '%s' % (captcha_value),
43 |                 'submit': 'Submit'
44 |             }
45 | 
46 |             r2 = s.post(base_url, data=post_data)
47 | 
48 |             if "captcha code is correct" in r2.text:
49 |                 print(Fore.GREEN + "\n[+]" + Fore.WHITE + " Captcha entered succesfully")
50 |                 loop = 1
51 |             else:
52 |                 print(Fore.RED + "\n[-]" + Fore.WHITE + " Captcha entered incorrectly\n")
53 |         except Exception as e:
54 |             print(e)
55 |             sys.exit(1)
56 | 
57 | if __name__ == '__main__':
58 |     if len(sys.argv) >= 2:
59 |         base_url = sys.argv[1]
60 |         GetCaptcha(base_url)
61 |     else:
62 |         print("Usage: python3 solution1.py http://127.0.0.1/lab1.php")
63 |         sys.exit(0)
64 | 
65 | 


--------------------------------------------------------------------------------
/scripts/solution2.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python3
2 | 
3 | #if __name__ == '__main__':
4 | 
5 | 


--------------------------------------------------------------------------------
/template/captcha.php:
--------------------------------------------------------------------------------
  1 | <?php
  2 | session_start();
  3 | 
  4 | // Captcha settings
  5 | 
  6 | $captcha_code = '';
  7 | $captcha_image_height = 50;
  8 | $captcha_image_width = 130;
  9 | $total_characters_on_image = 6;
 10 | 
 11 | // The characters that can be used in the CAPTCHA code.
 12 | // avoid all confusing characters and numbers (i.e l, 1 and i)
 13 | $possible_captcha_letters = 'bcdfghjkmnpqrstvwxyz23456789';
 14 | $captcha_font = '/home/d3ext/Desktop/repos/Captcha-Bypassing/template/monofont.ttf';
 15 | 
 16 | // Edit this value to add dots to the captcha image
 17 | $random_captcha_dots = 0;
 18 | 
 19 | // Edit this value to add lines to the captcha image
 20 | $random_captcha_lines = 0;
 21 | 
 22 | // Edit this values to change captcha image colors
 23 | $captcha_text_color = "0x142864";
 24 | $captcha_noise_color = "0x142864";
 25 | 
 26 | $count = 0;
 27 | while ($count < $total_characters_on_image) { 
 28 |   $captcha_code .= substr($possible_captcha_letters, mt_rand(0, strlen($possible_captcha_letters)-1), 1);
 29 |   $count++;
 30 | }
 31 | 
 32 | $captcha_font_size = $captcha_image_height * 0.65;
 33 | $captcha_image = @imagecreate($captcha_image_width, $captcha_image_height);
 34 | 
 35 | // setting the background, text and noise colours here
 36 | $background_color = imagecolorallocate(
 37 | 	$captcha_image,
 38 | 	255,
 39 | 	255,
 40 | 	255
 41 | 	);
 42 | 
 43 | $array_text_color = hextorgb($captcha_text_color);
 44 | $captcha_text_color = imagecolorallocate(
 45 |   $captcha_image,
 46 |   $array_text_color['red'],
 47 |   $array_text_color['green'],
 48 |   $array_text_color['blue']
 49 | );
 50 | 
 51 | $array_noise_color = hextorgb($captcha_noise_color);
 52 | $image_noise_color = imagecolorallocate(
 53 |   $captcha_image,
 54 |   $array_noise_color['red'],
 55 |   $array_noise_color['green'],
 56 |   $array_noise_color['blue']
 57 | );
 58 | 
 59 | // Generate random dots in background of the captcha image
 60 | for( $count=0; $count<$random_captcha_dots; $count++ ) {
 61 |   imagefilledellipse(
 62 |     $captcha_image,
 63 |     mt_rand(0, $captcha_image_width),
 64 |     mt_rand(0, $captcha_image_height),
 65 |     2,
 66 |     3,
 67 | 	  $image_noise_color
 68 |   );
 69 | }
 70 | 
 71 | // Generate random lines in background of the captcha image
 72 | for( $count=0; $count<$random_captcha_lines; $count++ ) {
 73 |   imageline(
 74 |     $captcha_image,
 75 |     mt_rand(0, $captcha_image_width),
 76 |     mt_rand(0, $captcha_image_height),
 77 |     mt_rand(0, $captcha_image_width),
 78 |     mt_rand(0, $captcha_image_height),
 79 |     $image_noise_color
 80 |   );
 81 | }
 82 | 
 83 | // Create a text box and add 6 captcha letters code in it
 84 | $text_box = imagettfbbox(
 85 |   $captcha_font_size,
 86 |   0,
 87 |   $captcha_font,
 88 |   $captcha_code
 89 | );
 90 | 
 91 | $x = ($captcha_image_width - $text_box[4])/2;
 92 | $y = ($captcha_image_height - $text_box[5])/2;
 93 | 
 94 | imagettftext(
 95 |   $captcha_image,
 96 |   $captcha_font_size,
 97 |   0,
 98 |   $x,
 99 |   $y,
100 |   $captcha_text_color,
101 |   $captcha_font,
102 |   $captcha_code
103 | );
104 | 
105 | // Show captcha image in the html page
106 | // defining the image type to be shown in browser widow
107 | header('Content-Type: image/jpeg'); 
108 | imagejpeg($captcha_image); // showing the image
109 | imagedestroy($captcha_image); // destroying the image instance
110 | $_SESSION['captcha'] = $captcha_code;
111 | 
112 | function hextorgb ($hexstring){
113 |   $integar = hexdec($hexstring);
114 |   return array("red" => 0xFF & ($integar >> 0x10),
115 |     "green" => 0xFF & ($integar >> 0x8),
116 |     "blue" => 0xFF & $integar);
117 | }
118 | 
119 | ?>
120 | 


--------------------------------------------------------------------------------
/template/index.html:
--------------------------------------------------------------------------------
 1 | <!DOCTYPE html>
 2 | <html lang="en">
 3 | <head>
 4 |   <meta charset="UTF-8">
 5 |   <meta name="viewport" content="width=device-width, initial-scale=1.0">
 6 |   <title>Button Redirect</title>
 7 |   <style>
 8 |     body {
 9 |       display: flex;
10 |       flex-direction: column;
11 |       align-items: center;
12 |       justify-content: center;
13 |       height: 100vh;
14 |       margin: 0;
15 |     }
16 | 
17 |     .header {
18 |       font-size: 24px;
19 |       margin-bottom: 20px;
20 |     }
21 | 
22 |     .button-container {
23 |       text-align: center;
24 |     }
25 | 
26 |     .redirect-button {
27 |       display: inline-block;
28 |       padding: 10px 20px;
29 |       margin: 10px;
30 |       font-size: 16px;
31 |       text-align: center;
32 |       text-decoration: none;
33 |       cursor: pointer;
34 |       background-color: #4CAF50;
35 |       color: #ffffff;
36 |       border: none;
37 |       border-radius: 5px;
38 |     }
39 |   </style>
40 | </head>
41 | <body>
42 | 
43 | <div class="header">Captcha Bypassing Lab</div>
44 | 
45 | <div class="button-container">
46 |   <a href="lab1.php" class="redirect-button">Lab 1</a>
47 |   <a href="lab2.php" class="redirect-button">Lab 2</a>
48 | </div>
49 | 
50 | </body>
51 | </html>
52 | 
53 | 
54 | 


--------------------------------------------------------------------------------
/template/lab1.php:
--------------------------------------------------------------------------------
 1 | <form name="form" method="post" action="">
 2 |   <label>Enter Captcha:</label><br/>
 3 |   <input type="text" name="captcha" />
 4 |   <p>
 5 |     <img src="captcha.php?rand=<?php echo rand(); ?>" id='captcha_image'>
 6 |   </p>
 7 |   <p>Can't read the image? Click
 8 |     <a href='javascript: refreshCaptcha();'>here</a>
 9 |     to refresh
10 |   </p>
11 |   <input type="submit" name="submit" value="Submit">
12 |   <a href="index.html">
13 |     <input type="button" value="Go back" />
14 |   </a>
15 | </form>
16 | 
17 | <script>
18 |   // Refresh Captcha
19 |   function refreshCaptcha() {
20 |     var img = document.images['captcha_image'];
21 |     img.src = img.src.substring(0, img.src.lastIndexOf("?")) + "?rand=" + Math.random() * 1000;
22 |   }
23 | 
24 |   function goBack() {
25 |     window.location.href = 'index.html';
26 |   }
27 | </script>
28 | 
29 | <?php
30 | session_start();
31 | $status = '';
32 | 
33 | if (isset($_POST['captcha']) && ($_POST['captcha'] != "")) {
34 |   // Checking entered captcha code with the generated captcha code
35 |   if (strcasecmp($_SESSION['captcha'], $_POST['captcha']) != 0) {
36 |     // if you want case-sensitive match, check above with strcmp()
37 |     $status = "<p style='color:#FFFFFF; font-size:20px'><span style='background-color:#FF0000;'>Submitted captcha code does not match!</span></p>";
38 |   } else {
39 |     $status = "<p style='color:#FFFFFF; font-size:20px'>
40 |       <span style='background-color:#46ab4a;'>Submitted captcha code is correct.</span></p>";
41 |   }
42 | }
43 | 
44 | echo $status;
45 | ?>
46 | 
47 | 


--------------------------------------------------------------------------------
/template/lab2.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | session_start();
 3 | $status = '';
 4 | 
 5 | $USER = 'admin';
 6 | $PASSWORD = 'password';
 7 | 
 8 | if (isset($_POST['captcha']) && ($_POST['captcha'] != "") && ($_POST['username'] != "") && ($_POST['password'] != ""))
 9 | {
10 |   // Validation: Checking entered captcha code with the generated captcha code
11 |   if (strcasecmp($_SESSION['captcha'], $_POST['captcha']) != 0)
12 |   {
13 |     // Note: the captcha code is compared case insensitively.
14 |     // if you want case-sensitive match, check above with strcmp()
15 |     $status = "<p style='color:#FFFFFF; font-size:20px'><span style='background-color:#FF0000;'>Submitted captcha code does not match!</span></p>";
16 |   } else {
17 |     if ($_POST['username'] == $USER) {
18 |       if ($_POST['password'] == $PASSWORD) {
19 |         echo "<p style='color:#FFFFFF; font-size:20px'><span style='background-color:#46ab4a;'>Access Granted</span></p>";
20 |       } else {
21 |         echo "<p style='color:#FFFFFF; font-size:20px'><span style='background-color:#FF0000;'>Invalid Password</span></p>";
22 |       }
23 |     } else {
24 |       echo "<p style='color:#FFFFFF; font-size:20px'><span style='background-color:#FF0000;'>Invalid User</span></p>";
25 |     }
26 |     
27 |     // $status = "<p style='color:#FFFFFF; font-size:20px'><span style='background-color:#46ab4a;'>Submitted captcha code is correct.</span></p>";
28 |   }
29 | }
30 | echo $status;
31 | ?>
32 | 
33 | <form name="form" method="post" action="">
34 |   Username: <input type="text" name="username" id="username" size="10"><br>
35 |   Password: <input type="password" name="password" id="password" size="15"><br>
36 |   Enter Captcha: <input type="text" name="captcha"><br>
37 | 
38 |   <p>
39 |     <img src="captcha.php?rand=<?php echo rand(); ?>" id='captcha_image'>
40 |   </p>
41 |   <p>Can't read the image? Click
42 |     <a href='javascript: refreshCaptcha();'>here</a>
43 |     to refresh
44 |   </p>
45 | 
46 |   <input type="submit" name="submit" value="Submit">
47 |   <a href="index.html">
48 |     <input type="button" value="Go back" />
49 |   </a>
50 | </form>
51 | 
52 | <script>
53 |   // Refresh Captcha
54 |   function refreshCaptcha() {
55 |     var img = document.images['captcha_image'];
56 |     img.src = img.src.substring(0, img.src.lastIndexOf("?")) + "?rand=" + Math.random() * 1000;
57 |   }
58 | </script>
59 | 
60 | 


--------------------------------------------------------------------------------
/template/monofont.ttf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/D3Ext/Captcha-Bypassing-Lab/f169fd01a7453b4fdb93cb2ca316f2571bd58a86/template/monofont.ttf


--------------------------------------------------------------------------------