## Leetmore CTF 2012: PPC 100 (HugeCaptcha)

This entry was posted on Oct 18 2012

“Completely Automated Public Turing test to tell Computers and Humans Apart” is a means of distinguishing harvesting robots from human beings, and this challenge was designed just for that. But while a conventional captcha lets human beings pass through, this one was built to filter them out, because this was an “Anti-Human” captcha!!! Every time the challenge page was loaded, we were given two large numbers. The task was to add them up and submit the result. But doing the calculation on pen & paper and submitting the result would lead to: "Yor are human! ALERT!"

Why? Because, we are too slow.

Let’s look at the HTML of the challenge.

```
$ curl 'http://misteryou.ru/ppc100/'
rel=stylesheet type='text/css'>
HugeCaptcha
64738449533907673340322376539 + 35360273599524495233794387554
```

So we have to extract the summation of the two large numbers programmatically, e.g. 64738449533907673340322376539 + 35360273599524495233794387554, and send the result with a POST request to http://misteryou.ru/ppc100/ with the parameter:

– answer = the sum we calculated

Our Python code was

```
import urllib

# Get the latest version of the challenge page.
fh_getquestion = urllib.urlopen('http://misteryou.ru/ppc100/')
sum_line = False

# Read the HTML and parse out the info we need.
for line in fh_getquestion:
    line = line.strip()
    if 'HugeCaptcha' in line:
        # The summation is on the line right after the heading.
        sum_line = True
    elif sum_line is True:
        # Extract the summation, dropping the trailing tag.
        answer_str = line.lstrip()[:-4]
        # Calculate the sum with integer arithmetic instead of eval()
        # on text the server controls.
        a, b = answer_str.split('+')
        answer = int(a) + int(b)
        sum_line = False
    elif 'trueanswer' in line:
        # Get the trueanswer value: the token that follows the field name
        # (assumes the markup is name='trueanswer' value='...').
        parts = line.split("'")
        trueanswer = parts[parts.index('trueanswer') + 2]
fh_getquestion.close()

# Set the POST request parameters.
params = urllib.urlencode({
    'captchatype': 'hugecaptcha',
    'trueanswer': trueanswer,
    'answer': answer
})
print "POST parameters: " + params
print "summation: " + answer_str + "\n"

# Submit the sum with a POST request.
fh_answerquestion = urllib.urlopen('http://misteryou.ru/ppc100/', params)
# Print the returned HTML.
print fh_answerquestion.read()
fh_answerquestion.close()
```
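The same parsing and summing step, rewritten here as an added Python 3 example (not the original script and not part of the challenge) that runs offline against a constructed copy of the challenge page. The markup of the sample page, the `PLACEHOLDER_TOKEN` value and the helper names are assumptions; the real page's HTML is not reproduced above. The point it shows is to pull the numbers and the token out with explicit patterns and to add them as integers, so nothing the server sends is ever evaluated as code.

```python
import re
from urllib.parse import urlencode

# Constructed sample of the challenge page (assumption: the two numbers sit on
# the line after the "HugeCaptcha" heading and the server's token lives in a
# hidden input named trueanswer; this markup is invented for the example).
SAMPLE_HTML = """<html><head><title>HugeCaptcha</title></head><body>
<h1>HugeCaptcha</h1>
<p>64738449533907673340322376539 + 35360273599524495233794387554</p>
<form method=post>
<input type=hidden name='captchatype' value='hugecaptcha'>
<input type=hidden name='trueanswer' value='PLACEHOLDER_TOKEN'>
<input name='answer'><input type=submit>
</form></body></html>"""

# Two long decimal numbers joined by a plus sign.
NUMBERS_RE = re.compile(r"(\d{10,})\s*\+\s*(\d{10,})")
# The hidden trueanswer field; the value is whatever follows value= up to a
# quote, whitespace or the closing bracket.
TOKEN_RE = re.compile(r'''name=['"]?trueanswer['"]?\s+value=['"]?([^'"\s>]+)''')


def parse_challenge(html):
    """Return (a, b, token) from the challenge HTML, raising if anything is missing."""
    m = NUMBERS_RE.search(html)
    if not m:
        raise ValueError("no summation found in page")
    t = TOKEN_RE.search(html)
    if not t:
        raise ValueError("no trueanswer token found in page")
    return int(m.group(1)), int(m.group(2)), t.group(1)


def solve(html):
    """Compute the sum with integer arithmetic and build the POST parameters.

    Returns (params dict, urlencoded body). Nothing here performs a request;
    the caller would POST the body to the challenge URL.
    """
    a, b, token = parse_challenge(html)
    params = {
        "captchatype": "hugecaptcha",
        "trueanswer": token,
        "answer": str(a + b),
    }
    return params, urlencode(params)


if __name__ == "__main__":
    params, body = solve(SAMPLE_HTML)
    print("POST parameters: " + body)
```

The regexes are deliberately strict: a page that does not contain two long numbers and a token makes `parse_challenge` raise instead of silently posting garbage, which is the failure you want when the server changes its layout mid-contest.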

The output was

```
$ python ppc100-solution.py
POST parameters: answer=91943027263443023031757931408&trueanswer=154FCFED18BED863B49979CE&captchatype=hugecaptcha
summation: 37396914791428204907774727573 + 54546112472014818123983203835

rel=stylesheet type='text/css'>
HugeCaptcha
Ok, u are robot
Secret is: 1101011 1101001 1101100 1101100 1100001 1101100 1101100 1101000 1110101 1101101 1100001 1101110 1110011
```

The binary strings always have 7 digits, so it is very likely that they represent ASCII characters:

```
$ echo '1101011 1101001 1101100 1101100 1100001 1101100 1101100 1101000 1110101 1101101 1100001 1101110 1110011' | sed -e 's/ /, /g'
1101011, 1101001, 1101100, 1101100, 1100001, 1101100, 1101100, 1101000, 1110101, 1101101, 1100001, 1101110, 1110011
```

In Python we can easily get the string:

```
>>> print "".join([ chr(int(str(x),2)) for x in [ 1101011, 1101001, 1101100, 1101100, 1100001, 1101100, 1101100, 1101000, 1110101, 1101101, 1100001, 1101110, 1110011] ])
```

Output from the above code was the flag.
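The decoding step again, as an added Python 3 example rather than the one-liner from the write-up: it pulls the "Secret is:" line out of the response text and decodes the groups, refusing anything that is not exactly 7 binary digits so a changed or truncated response fails loudly instead of producing a plausible-looking wrong flag. The response string is constructed from the output shown above; the function names are assumptions.

```python
import re

# Constructed response text mirroring the output printed above (the server's
# markup is not reproduced; only the "Secret is:" line is needed).
SAMPLE_RESPONSE = (
    "HugeCaptcha Ok, u are robot Secret is: "
    "1101011 1101001 1101100 1101100 1100001 1101100 1101100 "
    "1101000 1110101 1101101 1100001 1101110 1110011"
)

# Everything after "Secret is:" that looks like whitespace-separated bit groups.
SECRET_RE = re.compile(r"Secret is:\s*((?:[01]+\s*)+)")


def decode_bit_groups(groups, width=7):
    """Turn whitespace-separated binary groups into text.

    Every group must be exactly `width` bits (7 for ASCII here); anything else
    raises so a malformed response is not silently decoded into junk.
    """
    chars = []
    for g in groups.split():
        if len(g) != width or set(g) - {"0", "1"}:
            raise ValueError("unexpected group %r (want %d binary digits)" % (g, width))
        chars.append(chr(int(g, 2)))
    return "".join(chars)


def extract_secret(response_text):
    """Locate the secret in the server's response and decode it."""
    m = SECRET_RE.search(response_text)
    if not m:
        raise ValueError("no secret in response")
    return decode_bit_groups(m.group(1))


if __name__ == "__main__":
    print(extract_secret(SAMPLE_RESPONSE))
```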

`Solution: killallhumans`