Captcha2 | the Missing Lake

solving captchas that require identifying two animals from their images and submitting the captcha value in the format animal1-animal2

let's view the GET REQUEST in burp

we get the src of the 2 images.

so the difference between the first captcha challenge and this one is that the first one involves extracting the text from the image but this one involves recognizing the animal from the image.

if we run the request multiple times in the browser and view the src image of the animals we can notice that each animal has a unique image src so what we can do is build an object which has key value pair representing the animal name as the key and the image src as the image src.

# Define a dictionary to map animal names to their respective image src strings
animal_images = {
    "dog": "E49512524F47B4138D850C9D9D85972927281DA0.jpeg",
    "eagle": "C29E4D9C8824409119EAA8BA182051B89121E663.jpeg",
    "cat": "9D989E8D27DC9E0EC3389FC855F142C3D40F0C50.jpeg",
    "snake": "148627088915C721CCEBB4C611B859031037E6AD.jpeg",
    "horse": "091B5035885C00170FEC9ECF24224933E3DE3FCC.jpeg",
    "bear":"09F5EDEB4F5B2A4E4364F6B654682C6758A3FA16.jpeg",
    "fox": "FF0F0A8B656F0B44C26933ACD2E367B6C1211290.jpeg",
    "duck": "5ECE240085B9AD85B64896082E3761C54EF581DE.jpeg",
    "penguin": "73335C221018B95C013FF3F074BD9E8550E8D48E.jpeg",
    "rabbit": "6D0EBBBDCE32474DB8141D23D2C01BD9628D6E5F.jpeg"
}

let's build a script like the previous one but this time instead of sending the extracted text as the captcha value we will map animal names to their respective image src strings and then extract the src strings from the HTML response. We identify the animals in the captcha image based on their src strings and concatenate their names to form the captcha value. The script continues to send captchas until 100 are solved.

first let's view the POST Request in burp and then build the script

Script

import re
import requests

# Define the URL for getting captcha images and submitting captchas
get_url = "https://captcha2.uctf.ir"
post_url = "https://captcha2.uctf.ir"

# Define a dictionary to map animal names to their respective image src strings
animal_images = {
    "dog": "E49512524F47B4138D850C9D9D85972927281DA0.jpeg",
    "eagle": "C29E4D9C8824409119EAA8BA182051B89121E663.jpeg",
    "cat": "9D989E8D27DC9E0EC3389FC855F142C3D40F0C50.jpeg",
    "snake": "148627088915C721CCEBB4C611B859031037E6AD.jpeg",
    "horse": "091B5035885C00170FEC9ECF24224933E3DE3FCC.jpeg",
    "bear":"09F5EDEB4F5B2A4E4364F6B654682C6758A3FA16.jpeg",
    "fox": "FF0F0A8B656F0B44C26933ACD2E367B6C1211290.jpeg",
    "duck": "5ECE240085B9AD85B64896082E3761C54EF581DE.jpeg",
    "penguin": "73335C221018B95C013FF3F074BD9E8550E8D48E.jpeg",
    "rabbit": "6D0EBBBDCE32474DB8141D23D2C01BD9628D6E5F.jpeg"
    # Add more animal-image mappings as needed
}

# Headers for the requests
headers = {
    "Cookie": "PHPSESSID=lhn4fet9115s9t8av9corkuvpk; f873062f0559114b30a8e84091decac1=4ca691cc8d4068943ebf5dd4b3ba2296",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0",
}

# Initialize variables to keep track of captchas solved
captchas_solved = 0

# Continue sending captchas until 100 are solved (adjust as needed)
while captchas_solved < 100:
    # Send a GET request to the URL to retrieve a new captcha image
    response = requests.get(get_url, headers=headers)

    # Extract the animal images from the HTML response
    html_content = response.text
    animal_src_matches = re.findall(r'<img src="([^"]+)', html_content)

    if len(animal_src_matches) == 2:
        animal1_src, animal2_src = animal_src_matches

        # Determine the names of the animals based on their src strings
        animal1_name = None
        animal2_name = None
        for name, src in animal_images.items():
            if src in animal1_src:
                animal1_name = name
            if src in animal2_src:
                animal2_name = name

        if animal1_name and animal2_name:
            # Concatenate the animal names as the captcha value
            captcha_value = f"{animal1_name}-{animal2_name}"
            print("Captcha Value:", captcha_value)

            # Send a POST request with the captcha value
            post_data = {"captcha": captcha_value}
            post_response = requests.post(post_url, headers=headers, data=post_data)

            # Check if the response contains "that ain't right"
            if "that ain't right" not in post_response.text:
                captchas_solved += 1
                print(f"Captchas Solved: {captchas_solved}")

    else:
        print("Animal images not found in the HTML response")

print("Solved 100 captchas!")

let's run the script

and we have got the flag

Flag

UCTF{Arm3n1an_m0uflon}