What is a captchaToken and how do I get it ? #24

Open
Evi1Grey5 opened this issue Dec 16, 2024 · 0 comments
Labels: captcha (captcha issues)


To get a captchaToken and successfully bypass the captcha, you must first find the sitekey on the site. This is a unique key that ties the captcha to that particular site. The key is then sent to the captcha-solving service, where the captcha is solved and a captchaToken is returned as the result. We insert this captchaToken into the request to the site in order to pass verification and gain access.

Thus the site believes that the captcha was solved by a real user and allows entry. Below is some terminology and the procedure for obtaining it.

What is a captchaToken?
The captchaToken is a unique code confirming that the captcha has been solved. It is needed so that the site "believes" a real user is visiting and not a bot. After successfully solving the captcha, we get a captchaToken and can use it to log in to the site.

What is a sitekey?
A sitekey is a static (NOT DYNAMIC) key that binds a captcha to a specific site. It is present on every page with a captcha and is located in the page's HTML code or in requests (network monitor). The site uses this key to "request" a captcha from a service, for example Google's reCAPTCHA.

The captcha-bypass process in brief (theory):
Step 1: Find the sitekey on the page where the login takes place (in the HTML code of the page, or in requests).
Step 2: Send the sitekey to the captcha-solving service (for example, Captcha or CaptchaGuru). The service solves the captcha and returns the captchaToken.
Step 3: Insert the received captchaToken into the login request. The site accepts the token, assuming that the captcha has been solved by the user.

Finding the sitekey for further use.
_On some sites, the sitekey is stored directly in the HTML code of the page where the captcha is located. But this does not work on all sites; for example, for our current target the sitekey is NOT LOCATED directly in the page code._

_So we look for it using the method from the second article, except that instead of "CSRF" in the response to the GET request to the authorization page, we look for "data-sitekey" or "sitekey". That is where the differences end, so I don't see the point in explaining it a hundred times._

Searching for the SITE KEY in requests.
For our current target, it is indeed possible to catch the sitekey in requests. To do this, we need to:
  • Refresh the authorization page (F5). This is necessary to reset the captcha we have already solved (we solved it when we "logged in" to the account at step 1.1).
  • Open the network panel (CTRL + SHIFT + E).
  • Click on the captcha to open the captcha-solving window.

We see in the network panel that our browser sends a POST request to the domain www.google.com whose URL contains data of the form "reload?k=6LfBxPscAAAAAG8AqZKXuT-VLhng8QVFCnNf".
You can repeat all the actions at this stage several times and confirm that this key always stays the same!

Getting the captchaToken in OpenBullet 2 and saving it to a variable.

So, we have already established that our sitekey on the site www.domain.com is "6LfBxPscAAAAAG8AqZKXuT-VLhng8QVFCnNfq1eU".

Now let's get the captchaToken using this key.

Our actions:

  • Create a config for our website.
  • Write USERNAME and PASSWORD to variables.
  • Get a random Windows user agent and save it to the USER_AGENT variable.
  • Go to the "Captchas" section and select the "Solve reCAPTCHA V2" block.

Now in the settings of "Solve reCAPTCHA V2" we write the following:

  • Output Variable - write RECAPTCHA_RESULT; the captchaToken that we receive from CaptchaGuru will be saved to this variable.
  • Site Key - 6LfBxPscAAAAAG8AqZKXuT-VLhng8QVFCnNfq1eU
  • Site Url - here we write https://domain/app/login. This should be a login page that has a captcha.
  • User Agent - write <USER_AGENT> and select the variable-interpolation mode.

Let's also discuss the "Enterprise", "Is Invisible" and "Use Proxy" checkboxes.

  • Enterprise - Captcha Enterprise uses advanced behavior analysis and a risk-assessment system, integrates with other security measures, and is often invisible to the user. It can be recognized by specific tags in the code and a larger number of requests to the captcha server. Always try it first without this checkbox; it is rarely needed.
  • Is Invisible - Set this checkbox only if there is no captcha visible on the page with the login form, but the captcha is still required (captchaToken required) after sending the POST authorization request.
  • Use Proxy - This checkbox is for when we want to proxy requests to the captcha-solving service, so that the captcha solution and the subsequent login to the account come from the same IP!