THM - CAPTCHApocalypse
A writeup for the room CAPTCHApocalypse on TryHackMe
When crypto interferes, automate.
https://tryhackme.com/room/captchapocalypse
What is the flag?
The challenge involves a brute-force attack against a simple login form.
We know the username is ‘admin’ and the password is one of the first 100 entries in the RockYou list.
We cannot simply use a tool like Hydra because we must satisfy multiple security checks, particularly a CAPTCHA and a CSRF token.
For this reason, it is easier to run the brute-force attack using a browser automation tool like Selenium, driven by a Python script.
This room is based on a recent walkthrough regarding custom tooling and browser automation.
Most of the necessary code can be found in the provided example in the related room.
So, completing the walkthrough first can make it much easier to understand how to solve this challenge.
https://tryhackme.com/room/customtoolingviabrowserautomation