$BackdoorCTF bf-captcha-revenge-web-150





I recently decided to check out the BackdoorCTF challenge. This is the writeup for the Web 150 challenge named "bf-captcha-revenge".

The webpage:

Upon opening the page, I recognized the "brain-fucking" string as a hint to the Brainfuck language. Running the string through a Brainfuck interpreter, I got the following varieties of decoded output:

The expressions evaluate to very large numbers which, when computed and entered with a correct captcha, allow you to progress to the next set of Brainfuck+captcha challenges. I was given the first captcha for free, but after getting through one captcha and decoding, I had to decipher the audio myself to progress. The audio is sped up quite a bit, but can be slowed down to a decipherable speed using Firefox or by opening the file with VLC. I was actually able to get through 16 rounds manually without error. While trying to solve it manually, I realized that one of the audio files that I saved was a duplicate. The file names appear to be MD5 hashes of something, but they are unique, so it's possible to scrape the initial page with the "free" captcha number many times and create a mapping of all audio file names to their known integer values. Enter Python requests:

I had to run this for about 45 minutes to accumulate enough mappings to feed the fully automated solver. I ended up with 996 unique mappings.

The Brainfuck code can be deciphered in Python and saved to a string using one of the many libraries available (I ended up using pybrainfuck). After many failed attempts at string parsing, I wrote the following automated solver which reads the mapping created by the previous script, parses and evaluates the Brainfuck code and submits the data via POST. This needed to be sessionized to retain progress to advance to the next round.
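The decode-and-evaluate step on its own, as an added example that is not the author's solver and does not use pybrainfuck: a small Brainfuck interpreter with a step limit, plus an evaluator that walks the AST instead of calling `eval()`, since the decoded text comes from a remote server. The expression grammar (integers with `+ - * **`) and the sample program are assumptions constructed for illustration.

```python
import ast
import operator


def run_bf(code, max_steps=1_000_000):
    """Run a Brainfuck program that takes no input; return what it prints."""
    stack, jump = [], {}
    for i, c in enumerate(code):  # pair up brackets once, before executing
        if c == "[":
            stack.append(i)
        elif c == "]":
            j = stack.pop()  # IndexError here means an unmatched "]"
            jump[i], jump[j] = j, i
    tape, ptr, pc, out = [0] * 30000, 0, 0, []
    for _ in range(max_steps):  # bound the work done on untrusted programs
        if pc >= len(code):
            return "".join(out)
        c = code[pc]
        if c in "><":
            ptr += 1 if c == ">" else -1
        elif c in "+-":
            tape[ptr] = (tape[ptr] + (1 if c == "+" else -1)) % 256
        elif c == ".":
            out.append(chr(tape[ptr]))
        elif (c == "[" and tape[ptr] == 0) or (c == "]" and tape[ptr] != 0):
            pc = jump[pc]
        pc += 1
    raise RuntimeError("step limit exceeded")


_OPS = {ast.Add: operator.add, ast.Sub: operator.sub,
        ast.Mult: operator.mul, ast.Pow: operator.pow}


def safe_eval(expr):
    """Evaluate integer arithmetic only; names, calls and attributes are rejected."""
    def ev(node):
        if isinstance(node, ast.Constant) and type(node.value) is int:
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            left, right = ev(node.left), ev(node.right)
            if isinstance(node.op, ast.Pow) and not 0 <= right <= 4096:
                raise ValueError("exponent out of range")
            return _OPS[type(node.op)](left, right)
        raise ValueError("disallowed syntax: " + type(node).__name__)
    return ev(ast.parse(expr.strip(), mode="eval").body)


# Constructed sample (not from the challenge): prints the text "2**99".
SAMPLE_BF = "+++++[>++++++++++<-]>.--------..+++++++++++++++.."

if __name__ == "__main__":
    print(safe_eval(run_bf(SAMPLE_BF)))
```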

In conclusion, the challenge required 499 successful solves, and on the 500th round, it prints the flag: