TryHackMe – Advent of Cyber – Day 16

TryHackMe - Advent of Cyber - Day 16

The challenge for Advent of Cyber Day 16 is super cool – using machine learning to defeat a captcha!

If you’ve been playing around with offensive security for any length of time, you know that generally encountering a captcha on a login page typically means that brute forcing will be difficult, if not impossible. Sometimes it’s still worth it to try manually entering credentials (for example if a known username has had their data breached, you can try variants on the breached password). However this will often take too much time and there are better things to try.

But what if we could use machine learning to defeat the captcha and brute force rapidly? The great thing about this method is that although it takes a long time to train the model, once it’s in place it can be used as a fast and reliable brute force assistant. It defeats the captcha so that we can again brute force using a large list of credentials.

I really liked this topic because it shows how useful machine learning can be in offensive security. Methods like these will only become more powerful and popular, and it will be a while before many companies catch up.

Advent of Cyber 2023 can be found at: https://tryhackme.com/room/adventofcyber2023

About This Walkthrough/Disclaimer:

In this walkthrough I try to provide a unique perspective into the topics covered by the room. Sometimes I will also review a topic that isn’t covered in the TryHackMe room because I feel it may be a useful supplement.

I try to prevent spoilers by requiring a manual action (highlighting) to obtain all solutions. This way you can follow along without being handed the solution if you don’t want it. Always try to work as hard as you can through every problem and only use the solutions as a last resort.

Walkthrough for TryHackMe Advent of Cyber Day 16

Question 1

What key process of training a neural network is taken care of by using a CNN?

Answer (Highlight Below):

Feature extraction

Question 2

What is the name of the process used in the CNN to extract the features?

Answer (Highlight Below):

Convolution

Question 3

What is the name of the process used to reduce the features down?

Answer (Highlight Below):

Pooling

Question 4

What off-the-shelf CNN did we use to train a CAPTCHA-cracking OCR model?

Answer (Highlight Below):

Attention OCR

Question 5

What is the password that McGreedy set on the HQ Admin portal?

This is where the actual hands-on-keyboard challenge starts.

I started the AOCR docker container:

docker run -d -v /tmp/data:/tempdir/ aocr/full
Starting the docker container Advent of Cyber Day 16
Starting the docker container Advent of Cyber Day 16
Starting the docker container Advent of Cyber Day 16

Then I ran docker ps to get the container’s information:

docker ps
Docker ps
Docker ps
Docker ps

Next I connected to the container using the container id:

docker exec -it <CONTAINER_ID> /bin/bash
Connecting to a docker container
Connecting to a docker container
Connecting to a docker container

We can see the base64 encoded version of the captcha if we run ‘curl http://hqadmin.thm:8000/’ in a new terminal window (it won’t work from inside the docker container):

Getting the captcha TryHackMe Advent of Cyber Day 16
Getting the captcha TryHackMe Advent of Cyber Day 16
Getting the captcha TryHackMe Advent of Cyber Day 16

We can see the datasets in the labels directory:

Listing the directory contents
Listing the directory contents
Listing the directory contents

Next I used aocr to train on the training.tfrecords dataset. This step isn’t necessary because the training has already been done, but I found it interesting to observe and learn about.

cd labels && aocr train training.tfrecords
Training a machine learning ML model
Training a machine learning ML model
Training a machine learning ML model

Further down the output, we can see the training steps:

Analyzing the results of ML training
Analyzing the results of ML training
Analyzing the results of ML training

As discussed in TryHackMe’s description, ‘loss’ represents the prediction error; the lower the better (although the possibility for overtraining on a dataset is real). ‘Perplexity’ represents the uncertainty of the prediction; it starts above 1 and the goal is to get it down to 1 (again, overtraining is possible however).

Now we can begin testing:

aocr test testing.tfrecords
Testing the ML model
Testing the ML model
Testing the ML model

At this point, we have trained and tested our model so we can export it:

cd /ocr/ && cp -r model /tempdir/

Finally I killed the docker container using:

docker kill <container id>

Then I started a serving container using the OCR model that I exported:

docker run -t --rm -p 8501:8501 -v /tmp/data/model/exported-model:/models/ -e MODEL_NAME=ocr tensorflow/serving

Then I ran the brute force script:

cd ~/Desktop/bruteforcer && python3 bruteforce.py

After a few seconds, the script identified valid credentials!

McGreedy password Advent of Cyber Day 16
McGreedy password Advent of Cyber Day 16
McGreedy password Advent of Cyber Day 16

Answer (Highlight Below):

ReallyNotGonnaGuessThis

Question 6

What is the value of the flag that you receive when you successfully authenticate to the HQ Admin portal?

To get the flag, all we need to do is visit http://hqadmin.thm:8000/ and login using the credentials that we just discovered.

Getting the flag Advent of Cyber Day 16
Getting the flag Advent of Cyber Day 16
Getting the flag Advent of Cyber Day 16

Answer (Highlight Below):

THM{Captcha.Can’t.Hold.Me.Back}