Mastering Kali Penetration Testing: Hands-On Guide to CAPTCHA Bypass and Web Application Security

 

1. Course Overview

 

**Note**: This experiment environment is different from the one used in the previous section. Please avoid using the previous environment. If it is still active, terminate it and restart the environment before continuing with Kali penetration testing.

This course is hands-on-based. To clarify certain operations within the experiment, theoretical content will be included, along with carefully selected must-read articles for your study. This ensures you build a robust theoretical foundation while practicing.

Note: Due to the high cost of configuring cloud machines used for experiments, usage frequency is capped at no more than six attempts per experiment.

2. Learning Methodology

 

The Kali series courses on Lab Environment include five training programs. This particular program focuses on web application attack methods. The course features 20 experiments, each with detailed step-by-step instructions and screenshots. It is suitable for learners with a basic understanding of Linux systems who wish to quickly master Kali penetration testing.

The recommended learning method is to practice extensively and ask questions whenever necessary. After launching the experiment, follow the steps provided, understanding the details at each stage. If you encounter any questions, feel free to post them in Lab Environment Q&A, where both the Lab Environment team and I will promptly respond to all queries.

Any recommended reading materials provided at the start of the experiment are for reference only.

3. Section Introduction

 

In this experiment, we will familiarize ourselves with the concepts of Kali Linux and penetration testing. The following tasks must be completed sequentially (please review the differing environmental setup steps for this section):

• Introduction to CAPTCHA Security
• CAPTCHA Security Techniques
• Practical Bypass Techniques (and their defenses)

4. Recommended Reading

 

For this experiment, the following resources are highly recommended:

1. Introduction to CAPTCHA Recognition
2. Intermediate CAPTCHA Recognition

5. CAPTCHA Security

 

5.1 Introduction

 

CAPTCHAs are now ubiquitous online. But what purpose do CAPTCHAs serve, and what sort of security risks might they pose?

In earlier sections, we discussed vulnerabilities like brute force attacks, which involve attempting numerous password combinations. Without restrictions, such attacks will eventually crack a password. Meanwhile, excessive simultaneous page requests can lead to resource depletion and even denial-of-service (DoS) attacks. Programs can also automate tasks like account registration, login, or sending messages.

CAPTCHAs were introduced to counter such malicious activities (commonly performed by bots). CAPTCHA stands for “Completely Automated Public Turing Test to Tell Computers and Humans Apart.” It is a test designed to distinguish between humans and automated scripts.

Turing Test: Proposed by Alan Turing in 1950, this famous experiment is used to determine whether a machine exhibits intelligence comparable to, or indistinguishable from, that of a human. (Source: Wikipedia)

CAPTCHAs serve as a barrier, preventing brute force attacks that use scripts to repeatedly guess passwords. They also block bots from spamming websites with requests. Essentially, CAPTCHAs implement a “reverse Turing test” to separate humans from machines, which is how they originated.

Luis von Ahn, the creator of CAPTCHA, introduced this innovation. Yahoo was the first company to adopt CAPTCHAs, resolving a significant portion of spam email issues. CAPTCHAs have become popular ever since.

However, as the saying goes, “where there’s oppression, there’s resistance.” With CAPTCHAs acting as obstacles, attackers have devised methods to bypass them. These methods fall into two main categories:

• CAPTCHA Bypass
• CAPTCHA Recognition

CAPTCHA bypass exploits logical flaws in code by using techniques like parameter manipulation or XSS attacks to skip the CAPTCHA verification process altogether. CAPTCHA recognition, on the other hand, involves using tools or scripts to identify and solve CAPTCHAs, effectively nullifying their purpose.

5.2 Introduction to CAPTCHA Recognition

 

CAPTCHA recognition can be achieved through several methods, including:

1. User-visible answers

Some websites display CAPTCHA questions with their answers visible to users, making it simple for automated scripts to locate the answers in the HTML code and bypass the CAPTCHA.

2. Limited CAPTCHA variations

Many CAPTCHAs use images instead of text (since text can be inspected in the source code). However, if the number of images and their corresponding CAPTCHAs is limited and predictable, attackers can create a database of CAPTCHA-image mappings to automate recognition. Scripts can then use these mappings to solve CAPTCHAs by identifying the image name and applying simple logic (such as switch-case conditions).

3. Simple CAPTCHAs

In scenarios where CAPTCHAs have simple backgrounds and standard fonts, scripts can use techniques like image segmentation, binarization, noise removal, and character matching to recognize and solve them. For further details and implementations, refer to our recommended reading materials, which provide deeper insights into these methods.

To prevent CAPTCHA recognition:

• Avoid short CAPTCHAs
• Arrange letters/numbers in non-obvious patterns

Consequently, new CAPTCHA methods, like Google’s reCAPTCHA (with image identification or audio features), slide-based CAPTCHA validation (e.g., dragging a slider into place), and interactive image-based CAPTCHA tests (used by China’s 12306 railway system), have emerged.

# Translation

## Original Text
php
$_DVWA[ ‘recaptcha_public_key’ ] = ”;
$_DVWA[ ‘recaptcha_private_key’ ] = ”;

## Modified
php
$_DVWA[ ‘recaptcha_public_key’ ] = ‘6LdK7xITAAzzAAJQTfL7fu6I-0aPl8KHHieAT_yJg’;
$_DVWA[ ‘recaptcha_private_key’ ] = ‘6LdK7xITAzzAAL_uw9YXVUOPoIHPZLfw2K1n5NVQ’;

Then, open your browser and enter `localhost/dvwa` in the address bar to access the initial setup page:

Click the button on the setup page to initialize the database:

The result after successful initialization looks as follows:

After initialization, the page will automatically redirect to the login page. Use the default username `admin` and password `password` to log into the system.

By following the above steps, you’ve successfully set up the DVWA platform.

—

We’ll use a plugin called **Tamper Data** when modifying parameters before submitting them to the server.

Use the following command to download the offline installation package:

bash
wget http://labfile.oss-cn-hangzhou.aliyuncs.com/courses/982/tamper_data-11.0.1-fx.xpi

Once downloaded, proceed with the plugin installation. In Firefox, there’s a settings menu represented by three horizontal lines in the upper-right corner. Use this menu to open Add-ons:

On the Add-ons page, select “Extensions”:

Choose the option to install from the local system:

2. In the list below, right-click anywhere and select New, then choose Boolean.

3. Enter the key-value pair name extensions.checkCompatibility.48.0, where “48.0” corresponds to the current version of Firefox.

4. After confirming, set the value to false and click OK.

Now you should be able to proceed with the installation.

5.2 Insecure CAPTCHA

In the updated version of DVWA, an “Insecure CAPTCHA” module has been introduced, along with an optimization of the Security Level settings. Instead of the original three levels (low, medium, high), a fourth level called “Impossible” has been added.

We’ll start learning from the low security level. First, navigate to DVWA Security settings and adjust the level from “Impossible” to “low”.

Next, go to the “Insecure CAPTCHA” section:

DVWA uses Google’s reCAPTCHA tool for CAPTCHA verification, which communicates with Google’s servers to fetch the CAPTCHA. However, due to network restrictions, the CAPTCHA may fail to load. The focus of this exercise is to bypass CAPTCHA verification, so even without the CAPTCHA being displayed, we can proceed. In a network-restricted environment, communication with Google’s servers halts entirely. However, in a network-enabled environment, the system may keep retrying the connection, leaving the page in a loading state. You can resolve this issue by disabling network access:

sudo vim resolv.conf

Add # at the beginning of each statement, save the file, and exit.

Reload the “Insecure CAPTCHA” page, and it will stop attempting to load.

Now, let’s attempt to modify the password:

Change the password to shiyanlou and click “Change”. You’ll encounter the following message:

The CAPTCHA was incorrect. Please try again.

This error occurs because no CAPTCHA input was provided. The missing CAPTCHA is due to reCAPTCHA failing to load.

Open the developer tools using F12 and select the “Network” tab. Attempt to change the password again, and you’ll notice several data packets being transmitted. Among them is a POST request:

Click on the data packet to view its details. Under the “Parameters” section, you’ll see the submitted parameters:

Four parameters are submitted: password_new (the new password), password_conf (password confirmation), change (the submit action), and step. What does step do?

Let’s examine the source code:

 The CAPTCHA was incorrect. Please try again.

“;
$hide_form = false;
return;
}
else {
// CAPTCHA was correct. Do both new passwords match?
if( $pass_new == $pass_conf ) {
// Show next stage for the user
echo “

 
 You passed the CAPTCHA! Click the button to confirm your changes.

“;
}
else {
// Both new passwords do not match.
$html .= “

 Both passwords must match.

 

Here is the translation of the content you provided while maintaining the formatting, HTML tags, and styles as requested.

$hide_form = false;
}
}
}

if( isset( $_POST[ ‘Change’ ] ) && ( $_POST[ ‘step’ ] == ‘2’ ) ) {
// Hide the CAPTCHA form
$hide_form = true;

// Get input
$pass_new = $_POST[ ‘password_new’ ];
$pass_conf = $_POST[ ‘password_conf’ ];

// Check to see if both password match
if( $pass_new == $pass_conf ) {
// They do!
$pass_new = mysql_real_escape_string( $pass_new );
$pass_new = md5( $pass_new );

// Update database
$insert = “UPDATE `users` SET password = ‘$pass_new’ WHERE user = ‘” . dvwaCurrentUser() . “‘;”;
$result = mysql_query( $insert ) or die( ‘

 ' . mysql_error() . '

‘ );

// Feedback for the end user
echo “

 Password Changed.

“;
}
else {
// Issue with the passwords matching
echo “

 Passwords did not match.

“;
$hide_form = false;
}

mysql_close();
}

?>

Through the source code, we can observe the entire logic as follows:

• Check if the change parameter exists and if the step value equals 1. If so:
  • Set the CAPTCHA display accordingly
  • Retrieve the new password
  • Check if the CAPTCHA key is set and functioning properly
• Check if the change parameter exists and if the step value equals 2. If so:
  
  
  
  • Set the CAPTCHA display accordingly
  
  
  • Retrieve the new password and check if the two match:
  
  
  • If they match, update the database password and display a “Password Changed” message
  • If they don’t match, output “Passwords did not match”

We can see from the process that when step=1 is called, the CAPTCHA is validated, and it checks if the two passwords match. However, at step=2, the CAPTCHA validation step is completely bypassed, leaving a vulnerability.

By directly submitting a step=2 parameter, we can bypass the CAPTCHA validation.

At this point, you can press the Alt key to open the menu bar, then select “Tools,” and open Tamper Data:

In the popup window, select Start Tamper in the top-right corner.

Next, return to the DVWA page and resubmit your password change request. This time, Tamper Data will intercept the request before it reaches the server, asking whether you want to modify or submit it. Choose Tamper:

Modify the step parameter to 2 in the Tamper Data popup, then submit:

Afterward, you’ll see a message asking for the Google reCAPTCHA key. There’s no need to modify this—just submit it as is. Follow the same process for the subsequent requests, and you’ll eventually see a “Password Changed” confirmation on the screen:

You can log out of the current account and log back in to confirm that the password has indeed been successfully changed.

The vulnerability lies in the lack of CAPTCHA validation when the parameter step=2 is passed. This allows an attacker to bypass the CAPTCHA input requirement.

In real-world scenarios, you often can’t inspect the source code, so you need to rely on packet capturing tools to observe what data is submitted during normal actions and deduce which parameters affect functionality. Then you can test using these observations to identify potential vulnerabilities. In this experiment, due to network issues, we couldn’t complete the full process step-by-step, but we demonstrated how to successfully bypass CAPTCHA validation.

Moving on to the “Medium” security level, we check the source code again. The only change is an additional parameter, passed_captcha, which checks whether the CAPTCHA was correctly completed.

However, even this can be bypassed by faking the parameter:

The source code shows:

     if( !$_POST[ 'passed_captcha' ] ) { 
        $html     .= "

 
 You have not passed the CAPTCHA.

“;
$hide_form = false;
return;
}

It simply checks whether the parameter exists. We just need to include this parameter to bypass the CAPTCHA. As a result, we still successfully changed the password.

For the “High” security level, try figuring out how to bypass it as a homework exercise.

The plain text content has been translated while retaining structure and original formatting through HTML. Let me know if further assistance is needed!

By analyzing the code in the impossible section, we can see that it first requires the current password to be entered, and it incorporates an Anti-CSRF token mechanism. This effectively prevents CSRF attacks. Additionally, the system has abandoned the two-step mechanism and utilizes PDO to prevent SQL injection.

As a result, this implementation comprehensively addresses nearly all potential security issues.

6. Summary

 

In this session, we learned the following topics. If there’s anything unclear, feel free to interact with us on the Shiyanlou Q&A platform:

• Introduction to CAPTCHA security
• Methods for ensuring CAPTCHA security
• Practical techniques to bypass verification

It is essential to ensure that you can complete the entire experiment hands-on. Simply reading the text might seem straightforward, but you will encounter various challenges during actual operations. Overcoming these challenges is where the real learning occurs.

Note: The environment for the next experiment is different from the one used in this chapter. Please do not continue using the current local environment.