Challenge

Avalanche 2 CTF

Avalanche 2 CTF - Pentest

The challenge

We are delighted to make Avalanche 2 CTF available! It is the second appearance of the Avalanche CTF platform, which is a petition/campaign website like 38 Degrees or the UK.gov petitions site.

With Avalanche we are presenting a CTF challenge that has clear learning objectives for anyone trying it. To complete it you will likely learn a few things along the way. It is also based on reality in two important ways:

· In a genuine application assessment, a penetration tester must find vulnerabilities within otherwise secure targets. To simulate that, the site has a full range of functionality. You are encouraged to interact with the site as a legitimate user would first, so that you discover the full range of functionality before seeking to exploit anything.

· Each part of the exploit chain is similar to vulnerabilities that we have located and exploited during real-world engagements.

Some may find this trivial, but it is also a fair bet that many could spend several hours or evenings on it.

Hints

Hint 1: Google “baking flask cookies”
Hint 2: Google “Flask tutorial”
Hint 3: The password is in the wordlist stored inside the web root.

Getting Started 

  1. Download the CTF from here
  2. The zip file downloaded above includes a PDF guide to loading this VM in VMware/VirtualBox.

Where is the flag? 

Your challenge is to get the password for the user with administrative privileges.

Happy hunting to everyone

Avalanche 2 CTF – The solution

Many have tried, none have succeeded. So here it is, the moment you’ve all been waiting for. The solution to our Avalanche 2 CTF!

The CTF is still available to try, and if you have any questions regarding the solution please feel free to DM us via Twitter.
