hCaptcha full bypass video

Video description for hCaptcha full bypass video

This video shows a full run of the hCaptcha bypass software, from creating a virtual machine through bypassing the hCaptcha challenge, without any human intervention. It's long and probably boring. There is no audio.

This attack requires a domain name controlled by the user and an AWS account. This demo consists of several stages. First, the AWS account is used to set up a small VM and associated cloud configuration via the "setup_env.sh" script. This script configures an AWS VM, including installing software. It also sets up an AWS Egress Gateway for the VM, which can be used to rotate the IP address the VM uses to communicate with the internet.
A user of the script would then set up DNS for the domain used in the attack to point to the VM. Then the user logs into the newly set-up VM. The user here sets up a VNC session so that the attack can be seen, although a real attacker would not need to do so. Finally, the user runs the "handicaptcha.py" script, which performs the attack. In this case, that means automatically entering an email address, waiting for an email to arrive, extracting the login link from the email, getting a cookie, and using that cookie to bypass the hCaptcha challenge.

Video description: Starts with a title: "hCaptcha Bypass Demo". Next, a terminal window is shown in the upper right-hand corner, over a grey background. The text "4xFF" appears in the upper left, indicating that the video is fast-forwarded. In the terminal window, the command "./setup_env.sh" is run. A large amount of text related to creating a VM, installing packages, and configuring various cloud elements scrolls past. At about 3 minutes into the video, a title card appears: "Not shown: Configuring DNS to point mail for the domain to the VM". The user starts TigerVNC so that the attack can be visually observed. A browser window is opened, which navigates to the hCaptcha accessibility signup page and inputs an email address. The page changes to a "thank you for signing up" page. Then it reopens to the hCaptcha homepage, scrolls through the page, and activates the "I am Human" checkbox on the hCaptcha widget, which checks without a challenge, indicating the user was certified as human, despite being automation software.
