Break the Recaptcha - Nightmare:

Description

Hi Again!

Because you figured out the vulnerability, I've implemented another security layer on my login procedure. But the attackers are still taking over my account!!!

Do you think you can try again and reproduce it (Not the same password as before)?

http://recaptcha2.challenges.bsidestlv.com/

Solution

This challenge is very similar to the previous 'Break the Recaptcha' challenge, with a little twist.

In this case, after 3 incorrect login attempts, the server would reply with 'Your IP Address has been locked for one hour!', even when we 'spoofed' the captcha correctly.

This simple brute-force protection meant that we could no longer use the previous solution, as 3 attempts per hour would simply take too long.

After a few unsuccessful attempts to find a flaw in the brute-force protection (such as spoofing the X-Forwarded-For header), we decided we truly needed to attempt the logins from unique IP addresses.

For this we dumped a large list of free HTTP proxies, and added the following code to the requests logic:

This means each login attempt was performed using a different HTTP proxy, and thus the challenge server saw it coming from a different IP address.

Note that we also added a timeout and an error handling mechanism, as many of these proxies are not very reliable.
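Seen from the server side, the lockout above keys on the source IP only, so failures spread across many addresses never reach the 3-attempt limit. The following is an added example, not code from the original writeup: it runs a per-IP counter and a per-account counter over the same constructed login events. The event layout, the per-account threshold of 10 and all addresses are assumptions.

```python
from collections import defaultdict

IP_LIMIT = 3        # failures per IP before lockout (figure from the writeup)
ACCOUNT_LIMIT = 10  # assumed per-account alert threshold
WINDOW = 3600       # one hour, in seconds

def make_events():
    """Constructed sample: 40 failed logins for 'admin', each from a new IP,
    plus one user mistyping a password twice from a single IP.
    Event layout (assumed): (timestamp, source_ip, account, success)."""
    events = [(i * 5, f"198.51.100.{i + 1}", "admin", False) for i in range(40)]
    events += [(50, "203.0.113.7", "alice", False),
               (60, "203.0.113.7", "alice", False)]
    return sorted(events)

def sliding_failures(events, key_index, limit):
    """Return {key: timestamp at which `limit` failures first fell inside WINDOW}.
    key_index 1 groups by source IP, key_index 2 groups by account."""
    recent = defaultdict(list)
    tripped = {}
    for event in events:
        ts, ok = event[0], event[3]
        if ok:
            continue
        bucket = recent[event[key_index]]
        bucket.append(ts)
        # Drop failures that have aged out of the window.
        while ts - bucket[0] >= WINDOW:
            bucket.pop(0)
        if len(bucket) >= limit and event[key_index] not in tripped:
            tripped[event[key_index]] = ts
    return tripped

def distinct_sources(events, account):
    """Number of different IPs with a failed login against `account`."""
    return len({ip for _, ip, user, ok in events if user == account and not ok})

if __name__ == "__main__":
    ev = make_events()
    print("per-IP lockouts:   ", sliding_failures(ev, 1, IP_LIMIT))
    print("per-account alerts:", sliding_failures(ev, 2, ACCOUNT_LIMIT))
    print("distinct IPs failing on admin:", distinct_sources(ev, "admin"))
```

The per-IP counter never trips on this data, while the per-account counter flags `admin` at its tenth failure; a high count of distinct source IPs failing against one account is the signal the IP-only lockout misses.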