Reproducing Recaptcha validation without digging the HTML source

Target website for today:

Take a look at the source of the page and you won't find the "sitekey" parameter anywhere.

  1. Install the Firebug extension for Firefox. It's available for Chrome as well, but it's WAY different there. Note that if you want Firebug to look like mine, install the older Firefox version 50.0.1 from here. In later versions Firebug looks disgusting.
  2. Go to the target website and start Firebug on it. Switch to the "Net" tab and press the "Persist" button.
  3. Perform the actions that make the "I'm not a robot" checkbox appear. Don't check the box yet.
  4. Find a request to Google server which contains "k" parameter with the sitekey:

    Yes, this is the first time you'd actually see this sitekey, because I hid it in a base64-encoded string in the "POST grccd" output. Actually you don't have to worry about that, because usually the sitekey is not changed too often. Changing it on a daily basis would require some kind of... you won't believe... automation... and probably solving some Google Recaptchas =). So next time you need to update it, simply open Firebug and retrieve it in seconds.
  5. Now let's solve the puzzle and submit the form. 
  6. Check the requests to the target website and find that long hash in one of them:

    Yes, probably it's the one. Click on the "response" tab and copy/remember everything that JS might identify as a successful recaptcha solution:

  7. Now, check what happens if you submit some random string. Put a random value in the textarea with the title "recaptcha hash".

  8. Submit the form and look at the submit request's parameters.
  9. Remember/copy the response. This is what it looks like when the response hash is incorrect. Use this knowledge to tell when a form submit was unsuccessful.

  10. Now you are ready to build your script or application which will automate form submission. Follow the standard procedure to generate g-responses for the target website.