RSS

Leetmore CTF 2012: PPC 100 (HugeCaptcha)

This entry was posted on Oct 18 2012

Completely Automated Public Turing test to tell Computers and Humans Apart” are means to distinguish between harvesting robots and human being. And the challenge was designed just for that. But, while conventional captcha allows human beings to pass through, this was put to filter them out. Because, this was “Anti-Human” captcha!!!


PPC 100

Every time the challenge page was loaded, we were provided with two large numbers. The task was to add them up and submit the result. But, doing calculation on pen & paper and submitting the result would lead to: "Yor are human! ALERT!"

Why? Because, we are too slow.

Let’s look at the HTML of the challenge.

$ curl 'http://misteryou.ru/ppc100/'



rel=stylesheet type='text/css'>


HugeCaptcha

64738449533907673340322376539 + 35360273599524495233794387554






So we have to extract the summation of the large numbers programmatically, e.g.,  64738449533907673340322376539 + 35360273599524495233794387554 and we need to send this info with a POST request to http://misteryou.ru/ppc100/

 - captchatype = hugecaptcha

  – trueanswer = 7888C7B4C6575337D633977

  – answer = the sum we calcuated

Our Python code was

import urllib

# Get the last version of the webpage:
fh_getquestion = urllib.urlopen('http://misteryou.ru/ppc100/')

sum_line = False

# Read the HTML and parse out the info we need:
for line in fh_getquestion:
line = line.strip()
if 'HugeCaptcha' in line:
sum_line = True
elif sum_line is True:
# Extract summation.
answer_str = line.lstrip()[:-4]
# Calculate the sum.
answer = eval( answer_str )
sum_line = False
elif 'trueanswer' in line:
# Get trueanswer value.
trueanswer = line.split("'")[5]

fh_getquestion.close()

# Set POST request parameters.
params = urllib.urlencode({ 'captchatype': 'hugecaptcha',
'trueanswer': trueanswer, 'answer': answer })

print "POST paramters: " + params
print "summation: " + answer_str + "\n"

# Submit sum with POST request.
fh_answerquestion = urllib.urlopen('http://misteryou.ru/ppc100/', params)

# Print returned HTML.
print fh_answerquestion.read()

fh_answerquestion.close()

The output was

$ python ppc100-solution.py
POST paramters:
answer=91943027263443023031757931408&trueanswer=154FCFED18BED863B49979CE&captchatype=hugecaptcha
summation: 37396914791428204907774727573 + 54546112472014818123983203835



rel=stylesheet type='text/css'>


HugeCaptcha

Ok, u are robot
Secret is:
1101011
1101001
1101100
1101100
1100001
1101100
1101100
1101000
1110101
1101101
1100001
1101110
1110011


The binary strings always have 7 digits, so it is very likely that they represent ascii characters:

$ echo '1101011
1101001
1101100
1101100
1100001
1101100
1101100
1101000
1110101
1101101
1100001
1101110
1110011' | sed -e 's/
/, /g'
1101011, 1101001, 1101100, 1101100, 1100001, 1101100, 1101100,
1101000, 1110101, 1101101, 1100001, 1101110, 1110011

In python we can easily get the string:

>>> print "".join([ chr(int(str(x),2)) for x in [ 1101011, 1101001, 1101100, 1101100, 1100001, 1101100, 1101100, 1101000, 1110101, 1101101, 1100001, 1101110, 1110011] ])

Output from the above code was the flag.

Solution: killallhumans

Post a Comment