Break the ReCaptcha

Description

Dear Pentester!

I'm writing to you because I don't know what to do! I've implemented a ReCaptcha mechanism on my website and attackers are always taking over my account! I'll give you a file that contains all of my possible passwords; will you be able to reproduce the vulnerability?

http://recaptcha.challenges.bsidestlv.com/

username: admin

A file with a list of passwords was attached.

Solution

We enter the site and see the following simple login API:

Behind the scenes is a real life Google ReCaptcha.

The relevant source code is:

We can use the browser developer tools in order to inspect what's happening under the hood:

We have an initial call to anchor, then for each attempt at entering a password, a call to reload and verify.

Diving into the requests and responses, we can see that a token received from anchor is being passed again during reload, and some data from reload gets sent in verify (which belongs to the actual website and isn't part of the ReCaptcha service).

We can mimic the same behavior with the following script:

After some time, the following result is returned:

ReCaptcha is a real-life service, so what's the vulnerability that allowed this? Based on the flag value, we assume it's related to the "BOT Score":

reCAPTCHA v3 returns a score (1.0 is very likely a good interaction, 0.0 is very likely a bot). Based on the score, you can take variable action in the context of your site. Every site is different [...] As reCAPTCHA v3 doesn't ever interrupt the user flow, you can first run reCAPTCHA without taking action and then decide on thresholds by looking at your traffic in the admin console. By default, you can use a threshold of 0.5.

(Source: Official Documentation)

The site's score threshold must have been set to roughly 0, which is what allowed the password attempts to be automated without any of them being rejected.
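The fix on the defending side is the server-side check the challenge got wrong. As an added example (not code from the challenge site or its author), the decision logic a login handler should apply to the JSON body Google's siteverify endpoint returns for a v3 token, using its documented success, score, action and hostname fields; the sample responses and the names evaluate_recaptcha and Verdict are my own, and no network call is made.

```python
import json
from dataclasses import dataclass

# Google's documented default threshold; the writeup infers the challenge used ~0.
DEFAULT_THRESHOLD = 0.5


@dataclass
class Verdict:
    allowed: bool
    reason: str


def evaluate_recaptcha(siteverify_body: str, expected_action: str,
                       expected_hostname: str,
                       threshold: float = DEFAULT_THRESHOLD) -> Verdict:
    """Decide whether a login attempt passes, given the JSON body returned by
    https://www.google.com/recaptcha/api/siteverify for a reCAPTCHA v3 token."""
    try:
        data = json.loads(siteverify_body)
    except json.JSONDecodeError:
        return Verdict(False, "unparseable siteverify response")
    if data.get("success") is not True:
        codes = ",".join(data.get("error-codes", []))
        return Verdict(False, f"token invalid or expired: {codes}")
    # Bind the token to the action and site it was minted for, so a token
    # obtained for another page or another site cannot be replayed here.
    if data.get("action") != expected_action:
        return Verdict(False, "action mismatch")
    if data.get("hostname") != expected_hostname:
        return Verdict(False, "hostname mismatch")
    score = data.get("score")
    if not isinstance(score, (int, float)):
        return Verdict(False, "missing score")
    if score < threshold:
        return Verdict(False, f"score {score} below threshold {threshold}")
    return Verdict(True, f"score {score} accepted")


# Constructed sample responses (not captured from the challenge site).
LIKELY_HUMAN = json.dumps({"success": True, "score": 0.9, "action": "login", "hostname": "example.test"})
LIKELY_BOT = json.dumps({"success": True, "score": 0.1, "action": "login", "hostname": "example.test"})
BAD_TOKEN = json.dumps({"success": False, "error-codes": ["timeout-or-duplicate"]})

if __name__ == "__main__":
    for name, body in [("human", LIKELY_HUMAN), ("bot", LIKELY_BOT), ("bad", BAD_TOKEN)]:
        print(name, "default:", evaluate_recaptcha(body, "login", "example.test"))
        # With the threshold at 0, the bot-scored token is accepted: the misconfiguration the writeup relies on.
        print(name, "threshold 0:", evaluate_recaptcha(body, "login", "example.test", threshold=0.0))
```

Pair the score check with rate limiting on failed logins per account, since a low score only says "probably automated" and the threshold alone is not a lockout.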