Captcha Pentest Game is a unique, hands-on pentesting challenge designed as a hackathon-style playground for programmers. Built with passion and continuous improvements, this project challenges participants to automate a series of tasks where speed, ingenuity, and security awareness come together in solving increasingly tricky captcha challenges.
- Overview
- Project Concept
- Challenges
- Features & Functionality
- Architecture & Technologies
- User Roles & Administration
- Additional Details
- Repository with Solutions
- Acknowledgements
## Overview
Captcha Pentest Game is not your everyday captcha challenge. Participants face a series of tasks where each task begins with the server generating a random 100-character string. To retrieve the captcha string piece by piece, users must request each symbol by solving a captcha. The twist? Every task intentionally includes a vulnerability — ranging from leaking the captcha answer or providing easily recognizable images — to encourage creative exploitation through scripting or bot automation.
This project is hosted on Heroku thanks to the GitHub Premium for Students program, making it accessible to anyone interested in learning and challenging themselves in cybersecurity and programming.
## Project Concept
The game simulates a competitive pentest environment where users:
- Start a challenge: Initiate a task and receive a 100-character string (to be uncovered symbol by symbol).
- Retrieve symbols: Request individual characters by solving captchas.
- Submit solutions: Enter the reconstructed answer into a submission field.
- Exploit vulnerabilities: Every challenge is purposefully designed with security oversights (e.g., captcha answer leaks, predictable randomness, exploitable design flaws) to be discovered and automated.
The idea is to push participants to build a custom bot or script that automates the process — minimizing the solution time and maximizing efficiency.
## Challenges
There are currently 7 challenges implemented, each with its own flavor:
- **Problem 1: Security Issues**
  Simple images where the captcha answer is delivered along with the captcha.
- **Problem 2: Lazy Server**
  Dynamic captchas with randomized filenames — but the server fails to remember which captcha was sent to the user.
- **Problem 3: Fixed Font**
  A uniform captcha style with fixed zones for each digit. The captcha always contains two digits, identifiable by analyzing pixel counts in each designated area.
- **Problem 4: Cyber Eyes**
  Captchas with noise and varying text positions, resolvable using OCR but not by the simple pixel-counting algorithm of Problem 3.
- **Problem 5: Broken Random**
  More complex captchas generated using a predictable seed (e.g., Unix timestamp). By issuing multiple requests per second, users can deduce the captcha values.
- **Problem 6: Binary Tree**
  A finite set of challenging captchas (from "00" to "99") presented in random order. Users are encouraged to use a binary tree or similar data structure for quick lookup after mass retrieval.
- **Problem 7: Impossible**
  Dynamically generated captchas that include letters and apply various filters. Unique time-limited tokens are used to prevent rapid submissions. Only a human — or a very clever bot — might solve these, though it will take considerably longer.

Note: Challenges 1–3 offer "Simple Captchas" (fixed size/position, digits only), challenges 4–6 offer "Complex Captchas" (varying fonts, noise, but still digits), and challenge 7 brings "Impossible Captchas" (dynamic generation, inclusion of letters, additional filters).
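As an added illustration (not code from the project), here is a minimal Python sketch of the server-side captcha logic behind Problems 1, 2, 5, 6 and 7, seen from the defender's side: the timestamp-seeded generator that makes Problem 5 predictable, beside an issuer that keeps the answer server-side, draws it from the OS CSPRNG, and binds a single-use, expiring token to the session. The `CaptchaIssuer` class, its method names and the 30-second TTL are assumptions for the example.

```python
import random
import secrets
import time

CAPTCHA_LEN = 2  # the game's "Simple Captchas" are two digits


def weak_captcha(now_seconds: int) -> str:
    """Problem 5 ("Broken Random") pattern: the answer is derived from the Unix
    timestamp, so every request within the same second gets the same captcha
    and anyone who knows the clock can reproduce it."""
    rng = random.Random(now_seconds)
    return "".join(str(rng.randrange(10)) for _ in range(CAPTCHA_LEN))


class CaptchaIssuer:
    """Hardened issuer (assumed design for illustration, not the project's code):
    - the answer comes from the OS CSPRNG, not a time-based seed (Problem 5);
    - the answer stays server-side, keyed by an unguessable token bound to the
      session, so nothing leaks and the server remembers what it sent
      (Problems 1 and 2);
    - the token is single-use and expires (the idea behind Problem 7's tokens),
      and a wrong guess burns it, so the 100-value space of Problem 6 cannot be
      brute-forced against one token."""

    def __init__(self, ttl_seconds: float = 30, clock=time.time):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so expiry can be tested deterministically
        self._pending = {}  # token -> (session_id, answer, expires_at)

    def issue(self, session_id: str):
        token = secrets.token_urlsafe(16)
        answer = "".join(str(secrets.randbelow(10)) for _ in range(CAPTCHA_LEN))
        self._pending[token] = (session_id, answer, self.clock() + self.ttl)
        # The HTTP response would carry the token plus the rendered image only;
        # the answer is returned here solely for the image renderer to draw.
        return token, answer

    def verify(self, session_id: str, token: str, guess: str) -> bool:
        entry = self._pending.pop(token, None)  # consumed whatever the outcome
        if entry is None:
            return False  # unknown, replayed, or already-burned token
        sid, answer, expires_at = entry
        if sid != session_id or self.clock() > expires_at:
            return False  # issued to another session, or past its TTL
        return secrets.compare_digest(answer, guess)
```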
## Features & Functionality
- **Server-Side Rendering (SSR)**
  The frontend is built with SSR, ensuring fast page loads and a smooth user experience.
- **Dynamic Animations**
  Enjoy engaging visual effects such as:
  - Matrix-style falling green 1’s and 0’s
  - Randomly drifting snowflakes
  These animations auto-enable based on the season but can be toggled off.
- **OAuth Authentication**
  Sign in seamlessly via Google or GitHub.
- **Interactive Task Dashboard**
  - Task List: Each challenge is listed with details like task name, difficulty, overall success rate, best time, number of attempts, and more.
  - Challenge Page: Includes buttons like "Start/Restart," "Send Answer," "Get Symbol" (for retrieving a character), and a live progress bar tracking your string assembly.
- **Leaderboard & User Attempts**
  - Global & Per-Challenge Leaderboards: Compare metrics such as solved tasks, best times, total attempts, etc.
  - Attempt History: Review details for each attempt — start/end times, duration, partial answers, verdicts, and links to GitHub solutions if provided.
- **User Profile & Messaging**
  - Public profiles display avatars, usernames, registration dates, and custom badges (tags).
  - Send messages to the developer, check your inbox, and manage your account settings (including updating avatars and personal information).
- **Moderation & Administration Tools**
  - Moderators can manage user avatars and solution attempts.
  - Administrators have access to comprehensive user management, user tag creation/modification, and an immutable audit log of administrative actions.
- **Microservice Architecture & Caching**
  The project splits into an API domain (handling business logic, user management, captcha generation, etc.) and a web domain (client-side scripts, SSR pages, and styles). A simple in-memory caching strategy is implemented via MemoryCache.
- **Unit Testing**
  The project is covered by unit tests to ensure reliability and maintainability.
## Architecture & Technologies
- **Frontend:**
  - SSR with dynamic HTML rendering
  - Bootstrap for responsive design
  - Animate.css for smooth animations
  - JavaScript & jQuery (plus jQuery DataTables) for client interactivity
- **Backend:**
  - API-driven microservices architecture
  - In-memory caching (MemoryCache) for performance
  - Comprehensive unit testing for robust functionality
- **Authentication:**
  - OAuth integration with Google and GitHub
- **Deployment:**
  - Hosted on Heroku (enabled via GitHub Premium for Students)
## User Roles & Administration
The project supports a tiered user system:
- **User:** Access to challenges, profile customization, messaging, and attempt tracking.
- **Moderator:** All user privileges plus:
  - Moderation of user avatars (with optional notifications and restrictions)
  - Moderation of user attempts (ability to disqualify solutions)
  - Managing incoming messages from users
- **Administrator:** Full control, including:
  - Comprehensive user administration (modify roles, ban/hide profiles)
  - Creation and management of user tags (badges)
  - Access to an immutable audit log documenting all administrative actions

Each role has access to a tailored interface, ensuring that users only see functionalities relevant to their permissions.
## Additional Details
- **Dual-Domain Approach:** The project is split between an API domain (all server-side logic, data management, and captcha generation) and a client domain (serving SSR pages, scripts, and styles).
- **Learning & Improvement:** Developed in late 2023, Captcha Pentest Game reflects the evolution of my skills. Though I have advanced since then, this project remains dear to me for its innovative design and playful yet challenging implementation.
- **User Experience:** The project is designed to be educational, engaging, and fair — providing valuable insights into web security and automation. Whether you're a beginner or an experienced pentester, there's always a new challenge to conquer.
## Repository with Solutions
Curious about how some challenges were tackled? Check out the Captcha Pentest Game Solutions repository for sample approaches and implementations.
## Acknowledgements
- Special thanks to the GitHub Premium for Students program for providing the resources that keep this project alive on Heroku.
- Gratitude to all participants who have challenged themselves and contributed feedback to improve the game.
- Lastly, a heartfelt thanks to everyone supporting my work — your encouragement fuels my passion for development and security.
For any questions, feedback, or further collaboration, please feel free to reach out. Happy hacking and may the best bot win!
Disclaimer: This project is intended for educational and ethical hacking purposes only. Always respect security and legal guidelines when testing or automating any system.