When I try to access
e.g. this one:
https://tgstat.ru/channel/@MID_Russia
thru proxydomo proxy, I am getting a Cloudflare capture (Managed challenge):
https://developers.cloudflare.com/waf/reference/cloudflare-challenges/
and I can't pass it, I'm getting an error, no matter how many times I try. It really just happens on "tgstat.ru" websites, on all other Cloudflare protected pages I can pass the verification. But the actual problem is, if I don't use proxydomo on "tgstat.ru" (direct browser connection) or use another proxy (old Fiddler 4.6), then I don't get a capture page at all. Don't know if you can reproduce it, it seems to depend on IP among other things. It doesn't have anything to do with proxydomo filters, because I disabled everything and am still getting the Cloudflare capture page, and can't pass it. If I bypass the proxydomo (Bypass button) or add the following to bypass.txt:
then it works, no capture page at all. Also, it only happens on "tgstat.ru", NOT on "uk.tgstat.com" or "tgstat.com". E.g., no capture page here:
https://uk.tgstat.com/channel/@stranaua
It has something to do with CONNECT (handshake). It seems proxydomo does something suspicious at this point that triggers the capture page. If I use Fiddler as remote proxy in proxydomo ("Use remote proxy"), then I can access the pages, no capture page. But if I use other proxies in proxydomo as remote proxy (apache "mod_proxy" proxy, e.g.), then it doesn't work, I am getting the Capture page, very strange. Seems apache "mod_proxy" Forward proxy works differently than Fiddler, because Fiddler decrypts traffic, so if Fiddler is used as remote proxy in proxydomo, it's actually Fiddler that does the CONNECT handshake to the remote page, but if I use apache "mod_proxy", apache just seems to forward whatever Proxydomo sends and doesn't connect itself. Here's what Fiddler is sending on CONNECT (using Fiddler as remote proxy in proxydomo, so browser -> Proxydomo -> Fiddler -> Remote Server, so Fiddler talking directly to remote server, NO capture page):
CONNECT tgstat.ru:443 HTTP/1.1
Host: tgstat.ru:443
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1851.0
Version: 3.3 (TLS/1.2)
Random: AE E5 27 15 0F 50 10 80 61 27 EE 51 8E 77 8A 4F A3 06 C4 ED BA 12 E9 3F F6 4A AE 69 AE 38 7A 48
"Time": 01.04.1981 03:23:58
SessionID: 7F 71 45 10 10 F3 87 A6 C3 30 5F 55 EC 7E 38 7E 84 2C CE 90 9B C0 1C 77 2E FE 99 5D 28 47 76 E0
Extensions:
server_name tgstat.ru
ec_point_formats uncompressed [0x0], ansiX962_compressed_prime [0x1], ansiX962_compressed_char2 [0x2]
elliptic_curves unknown [0x1D), secp256r1 [0x17], unknown [0x1E), secp521r1 [0x19], secp384r1 [0x18], unknown [0x100), unknown [0x101), unknown [0x102), unknown [0x103), unknown [0x104)
SessionTicket empty
encrypt_then_mac (RFC7366) empty
extended_master_secret empty
signature_algs sha256_ecdsa, sha384_ecdsa, sha512_ecdsa, Unknown[0x8]_Unknown[0x7], Unknown[0x8]_Unknown[0x8], Unknown[0x8]_Unknown[0x9], Unknown[0x8]_Unknown[0xa], Unknown[0x8]_Unknown[0xb], Unknown[0x8]_Unknown[0x4], Unknown[0x8]_Unknown[0x5], Unknown[0x8]_Unknown[0x6], sha256_rsa, sha384_rsa, sha512_rsa, sha224_ecdsa, sha224_rsa, sha224_dsa, sha256_dsa, sha384_dsa, sha512_dsa
0x002b 08 03 04 03 03 03 02 03 01
0x002d 01 01
0x0033 00 24 00 1D 00 20 4B 55 7B E0 DA 85 82 0F 97 EE 14 F9 66 11 F3 CD E3 93 72 3D 1D 7F 38 0C CB AA 5A 96 E5 8E 49 7A
Ciphers:
[1302] TLS_AES_256_GCM_SHA384
[1303] TLS_CHACHA20_POLY1305_SHA256
[1301] TLS_AES_128_GCM_SHA256
[C02C] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
[C030] TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
[009F] TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
[CCA9] TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
[CCA8] TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
[CCAA] TLS_DHE_RSA_WITH_CHACHA20_POLY1305
[C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[C02F] TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[009E] TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
[C024] TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
[C028] TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
[006B] TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
[C023] TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
[C027] TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
[0067] TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
[C00A] TLS1_CK_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
[C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA
[0039] TLS_DHE_RSA_WITH_AES_256_SHA
[C009] TLS1_CK_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
[C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA
[0033] TLS_DHE_RSA_WITH_AES_128_SHA
[009D] TLS_RSA_WITH_AES_256_GCM_SHA384
[009C] TLS_RSA_WITH_AES_128_GCM_SHA256
[003D] TLS_RSA_WITH_AES_256_CBC_SHA256
[003C] TLS_RSA_WITH_AES_128_CBC_SHA256
[0035] TLS_RSA_AES_256_SHA
[002F] TLS_RSA_AES_128_SHA
[00FF] TLS_EMPTY_RENEGOTIATION_INFO_SCSV
Compression:
[00] NO_COMPRESSION
And this is what proxydomo is sending (browser - tried IE 11 and MS Edge -> Fiddler -> Proxydomo -> Remote Server, so Proxydomo talking directly to remote server, CAPTURE page):
CONNECT tgstat.ru:443 HTTP/1.1
Host: tgstat.ru:443
Proxy-Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.0.0 Safari/537.36 Edg/115.0.1851.0
Version: 3.3 (TLS/1.2)
Random: 09 BE 34 64 EF 84 3A 72 39 09 13 B7 BF DC BE EF 20 5D 91 44 99 B0 C6 E4 9D B2 BD 92 F1 01 CA EB
"Time": 11.04.2023 03:55:21
SessionID: E2 F3 3F C2 EA 91 11 6B 38 A1 90 F9 DA 2F CD A2 ED 0E F5 1D 35 FC 1D 52 09 95 EC 7F 82 6D 32 51
Extensions:
0x9a9a empty
0x002b 06 CA CA 03 04 03 03
signature_algs sha256_ecdsa, Unknown[0x8]_Unknown[0x4], sha256_rsa, sha384_ecdsa, Unknown[0x8]_Unknown[0x5], sha384_rsa, Unknown[0x8]_Unknown[0x6], sha512_rsa
status_request OCSP - Implicit Responder
renegotiation_info 00
0x001b 02 00 02
ec_point_formats uncompressed [0x0]
elliptic_curves unknown [0x4A4A), unknown [0x1D), secp256r1 [0x17], secp384r1 [0x18]
extended_master_secret empty
SessionTicket empty
0x4469 00 03 02 68 32
0x0033 00 29 4A 4A 00 01 00 00 1D 00 20 1D 20 D8 D4 82 E2 F6 E5 00 C0 A3 37 2E B5 83 18 FE BD 25 BE 0E D2 9B A3 EB 71 54 4C 90 2F 19 4C
ALPN h2, http/1.1
0x002d 01 01
SignedCertTimestamp (RFC6962) empty
server_name tgstat.ru
0xfafa 00
Ciphers:
[BABA] (TLS GREASE RFC 8701)
[1301] TLS_AES_128_GCM_SHA256
[1302] TLS_AES_256_GCM_SHA384
[1303] TLS_CHACHA20_POLY1305_SHA256
[C02B] TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
[C02F] TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
[C02C] TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
[C030] TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
[CCA9] TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
[CCA8] TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
[C013] TLS1_CK_ECDHE_RSA_WITH_AES_128_CBC_SHA
[C014] TLS1_CK_ECDHE_RSA_WITH_AES_256_CBC_SHA
[009C] TLS_RSA_WITH_AES_128_GCM_SHA256
[009D] TLS_RSA_WITH_AES_256_GCM_SHA384
[002F] TLS_RSA_AES_128_SHA
[0035] TLS_RSA_AES_256_SHA
Compression:
[00] NO_COMPRESSION
There are some differences, but nothing special. It's very strange, again, I can pass Cloudflare verifications on all other pages without problems, and without proxydomo, I am not getting a capture page on "tgstat.ru" at all.
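The two ClientHello dumps above differ in cipher order, extension set and order, GREASE values, ALPN and supported groups, which are the fields a TLS-fingerprinting system such as JA3 hashes. As an added example, not code from the post or from Proxydomo, the Python below builds a JA3-style fingerprint from each hello as transcribed above, assuming a hand mapping of Fiddler's extension names to IANA ids and omitting the last proxydomo extension, whose id is lost.

```python
import hashlib

# GREASE values (RFC 8701): 0x0a0a, 0x1a1a, ... 0xfafa; JA3 drops them before hashing.
GREASE = {0x0A0A + 0x1010 * i for i in range(16)}
JA3_FIELDS = ["version", "ciphers", "extensions", "curves", "point_formats"]

def hexlist(text):
    """Turn the space-separated hex ids shown in the dumps into integers."""
    return [int(h, 16) for h in text.split()]

def ja3_string(version, ciphers, extensions, curves, point_formats):
    """JA3 string: version,ciphers,extensions,curves,point_formats (decimal, '-' joined)."""
    def clean(values):
        return "-".join(str(v) for v in values if v not in GREASE)
    return ",".join([str(version), clean(ciphers), clean(extensions),
                     clean(curves), clean(point_formats)])

def ja3_hash(hello):
    """The JA3 fingerprint itself is the MD5 of the string."""
    return hashlib.md5(ja3_string(**hello).encode()).hexdigest()

def field_diffs(a, b):
    """Name the JA3 fields on which two hellos differ, to explain a mismatch."""
    fa, fb = ja3_string(**a).split(","), ja3_string(**b).split(",")
    return [n for n, x, y in zip(JA3_FIELDS, fa, fb) if x != y]

# Fiddler as remote proxy (no challenge), from the first dump. Extension ids are mapped by
# hand from Fiddler's names (assumption): server_name=0, ec_point_formats=11, elliptic_curves=10,
# SessionTicket=35, encrypt_then_mac=22, extended_master_secret=23, signature_algs=13.
FIDDLER = dict(
    version=771,  # TLS 1.2 (0x0303), written in decimal as JA3 does
    ciphers=hexlist("1302 1303 1301 C02C C030 009F CCA9 CCA8 CCAA C02B C02F 009E C024 C028 "
                    "006B C023 C027 0067 C00A C014 0039 C009 C013 0033 009D 009C 003D 003C "
                    "0035 002F 00FF"),
    extensions=[0, 11, 10, 35, 22, 23, 13, 0x2B, 0x2D, 0x33],
    curves=hexlist("1D 17 1E 19 18 100 101 102 103 104"),
    point_formats=[0, 1, 2],
)

# Proxydomo direct (challenge), from the second dump; status_request=5, renegotiation_info=
# 0xff01, ALPN=16, SignedCertTimestamp=18. The last extension, whose id is lost, is omitted.
PROXYDOMO = dict(
    version=771,
    ciphers=hexlist("BABA 1301 1302 1303 C02B C02F C02C C030 CCA9 CCA8 C013 C014 009C 009D "
                    "002F 0035"),
    extensions=[0x9A9A, 0x2B, 13, 5, 0xFF01, 0x1B, 11, 10, 23, 35, 0x4469, 0x33, 16, 0x2D,
                18, 0, 0xFAFA],
    curves=hexlist("4A4A 1D 17 18"),
    point_formats=[0],
)
```

The post does not say which signal Cloudflare acted on; the script only makes the gap between the two hellos concrete.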