Kindly need a response on what to proxy to bypass that. I’m willing to pay lil coin for this.
Find the request with /recaptcha/enterprise/anchor and modify the parameter co= with the original domain on the fly. That should work.
Please go more in depth. I’m having same issue send I used year previously, haven’t been able to figure this out.
You say the param co= in url for sub_filters or just phish sub? Please, I’d appreciate any help.
There is one request getting sent to the backend with /recaptcha/enterprise/anchor and it has a GET parameter co=xxxxxxx, so you have to modify this value to the original domain before it gets to the backend. For this you have 1 option: modify evilginx code to intercept GET requests and add the ability to modify the parameter value. That will solve your issue.
Please, how can I modify evilginx code to intercept GET requests and add ability to modify parameter value.
that will solve your issue
I am having the same problem with my yahoo phishlets, which I think the configuration to get the recaptcha fixed might be like this. I haven’t tried it tho.
{triggers_on: ‘login.yahoo.com’, orig_sub: ‘login’, domain: ‘google.com’, search: ‘co=aHR0cHM6Ly9sb2dpbi55YWhvby5uZXQ6NDQz’, replace: ‘co={hostname}’, mimes: [‘text/html’, ‘text/javascript’, ‘application/javascript’, ‘application/json’]}
I’m open to correction tho.
Modified code with force get support available in study material.
Good morning Master Fluxxset, I will be paying for your course possibly today.
@mdexecutives did your configurations work properly?
Hi bro, I think I had the same issue with my yahoo phishlet. Whenever I enter my username I get this error.
Have I captured request in burp?
How does it look?
Is it sending to the proxied host or any other?
@fluxxset You’re wrong! Yahoo does not make any request with /recaptcha/enterprise/anchor; after the username is submitted they make a request to /account/challenge/recaptcha, which is related to the iframe. Just checked with burp 2 mins ago.
@fluxxset oh and btw, if set up locally with self-signed certs the phishlet works perfectly fine, which is probably the reason people think it still works in 2025, but once you move to a real domain and server, recaptcha breaks the flow.
Okay, do you have a solution for that?
Can someone please explain for me, I have the same issue with yahoo, how can I bypass the capture or make it work properly?
Exactly bro. This issue only happens with real domains and server set up. If proxy with good proxy provider, it reduces the chance of getting the error. But some stubborn username still does it. Please, do you have a fix for this?
Thanks
Hi Future Users,
@fluxxset was correct in his quick reply managing the /recaptcha/ endpoint. Although I am not familiar with replacing the captcha parameters, I think it would be smartest to just complete the captcha presented, as this is also what the server expects.
Get siteKey
You can intercept the webpage req’s and will see endpoint /recaptcha/api2/anchor; this will contain the siteKey, a value set for domains corresponding to the captcha service presented by Google. Just like most other Google keys present across webpages, it’s static.
It will start with &k=, example url for random webpage; GET /recaptcha/api2/anchor?ar=1&k=6LdktRgnAAAAAFQ6icovYI2-masYLFjEFyzQzpix&co=aHR0cHM6Ly93d3cuZmJzYnguY29tOjQ0Mw..&hl=enGB&v=rW64dpMGAGrjU7JJQr9xxPl8&theme=dark&size=normal&cb=rtzxdhi47to3
Get Captcha Page URL
You will be able to find the captcha from the loaded url within webpage, once again use a network intercept tool. Most of the time the captcha will be loaded within an iframe.
Search for this iframe request, and it will once more contain /captcha/recaptcha/ within url endpoint.
Once you have found the request for loading captcha, you can confirm the captcha url by visiting the host + url, e.g;
www.fbsbx.com/captcha/recaptcha/iframe/?__cci=ig_captcha_iframe&compact=false&locale=en_GB&referer=https%253A%252F%252Fwww.instagram.com&dark_mode=true
( clicking above link will navigate to the active captcha site )
Find where captcha token is sent to server post req
Most of the time the solved captcha token will be sent a few requests further, this time the url will not indicate the token being used. Instead think logically where the token could be sent.
For instance the variable captcha_token= will most likely be used, and it ALWAYS is a POST req.
Because of the logic of how captchas are solved, anyone can do it and then return the captcha to you. Solved captcha tokens are valid for an entire domain, the only identifier is the domain.
So this allows services like anticaptcha to offer for very cheap to solve and return solved captcha tokens to you.
Send solved captcha token within req js_inject
Now I am quite sure you could just force the phishing page to send the solved captcha token with your request when phishing users. Completely bypassing the captcha needed, or even errors with captcha loading.
@fluxxset please kindly verify this approach.