Avalanche CTF solution - Pentest - Information security assurance

The challenge

Avalanche is a petition/campaign website like 38 Degrees or the petitions site. It allows users to register, create campaigns, and vote on other campaigns. Originally created for BSides Scotland in 2019, Avalanche is based on real-world vulnerabilities found during our penetration tests and red team engagements. It has been on a mini tour since May and has been attacked by over a hundred CTF enthusiasts. The following hints have been provided at the live events:

  • It is implemented in Flask using Python 3, running on Ubuntu.

We are choosing to put this online for the community to play with now.  

In and out of scope 

The scope is: 

  • Limited to the application available over HTTP on TCP port 80. 

Outside of scope: 

  • In real life you would not have local access to the VM.  
  • Solutions which would rely on local access are outside of scope, i.e. analysis of the hard disk or tampering with the boot process.

Where is the flag? 

This was originally a live event, so we decided to include a visible flag for the folks in the room. It was a race to get the phone number of Agent Chaos, ably played by Sir Sean Connery, as shown:

[Image: Agent Chaos - Avalanche CTF]

Therefore, the goals are: 

  • Obtain app.db (SQLite database file)
  • Identify Agent Chaos using these details:
      • User ID > 1000
      • About Me: includes word “Security”
      • Phone Number: includes “075”

This list will help you uniquely identify the details of Agent Chaos.

Getting Started 

  1. Download the Avalanche CTF from here 
  2. Import into VirtualBox.
  3. Power on until you see the login screen (note the boot messages are suppressed so a black screen for around a minute is expected). 
  4. Hopefully DHCP has worked and you have access to a host-only interface. Try the URLs listed until one works. 

From that point it is a case of happy hunting! 

Avalanche CTF - The solution

Over 30 people managed to uncover the details of Agent Chaos, well done if you’re one of them! The official secrets act is now over and you are free to speak openly about your solutions.

The CTF is still available to try, and if you have any questions regarding the solution, please feel free to DM us via Twitter.

