Reproducing reCAPTCHA validation without digging through the HTML source

Target website for today:

Take a look at the page source and you won't find the "sitekey" parameter anywhere.

  1. Go to the target website and open the developer tools in your browser. Switch to the "Network" tab and press the "Persist" button.
  2. Perform the actions that make the "I'm not a robot" checkbox appear. Don't check the box yet.
  3. Find a request to a Google server that contains the "k" parameter with the sitekey:

    This is the target sitekey; websites almost never change it.
  4. Now solve the puzzle and submit the form.
  5. Look through the requests to the target website and find the long hash in one of them:

    It's a token called "g-response". Click on the "response" tab and copy or remember everything that the JS might identify as a successful reCAPTCHA solution:

    Most browsers also support a "copy as CURL" option, which turns all the headers, query parameters and POST data used into a command that can be run in a terminal.
  6. Now check what happens if you submit a random string. Put a random value in the textarea titled "recaptcha hash".

  7. Submit the form and look at the parameters of the submit request.
  8. Remember or copy the response. This is what it looks like when the response hash is incorrect. Use it to recognize when a form submission was unsuccessful.

  9. Now you are ready to build your script or application that will automate form submission. Follow the standard procedure to generate g-responses for the target website.