Avalanche is a petition/campaign website like 38 degrees or the UK.gov petitions site. It allows users to register, create campaigns, vote on other campaigns etc.
This has been on a mini tour since May and has been attacked by over a hundred CTF enthusiasts and the following hints have been provided at the live events:
- It is implemented in Flask using python3, running on Ubuntu.
We are choosing to put this online for the community to play with now.
In and out of scope
The scope is:
- Limited to the application available over HTTP on TCP port 80.
Outside of scope:
- In real life you would not have local access to the VM.
- Solutions which would rely on local access are outside of scope i.e. analysis of the hard disk or tampering with boot process.
Where is the flag?
This was originally a live event, we decided to include a visible flag for the folks in the room. It was a race to get the phone number of Agent Chaos ably played by Sir Sean Connery as shown:
Therefore, the goals are:
- Obtain app.db (sqlite database file)
- Identify agent chaos using these details:
- User ID > 1000
- About Me: includes word “Security”
- Phone Number: includes “075”
This list will help you uniquely identify the details of Agent Chaos.
- Download the Avalanche CTF from here
- Import into Virtual Box.
- Power on until you see the login screen (note the boot messages are suppressed so a black screen for around a minute is expected).
- Hopefully DHCP has worked and you have access to a host-only interface. Try the URLs listed until one works.
From that point it is a case of happy hunting!
It’s the moment you’ve all been waiting for. The solution to our Avalanche CTF is now live! Please click the link below to view the PDF.
Over 30 people managed to uncover the details of Agent Chaos, well done if you’re one of them! The official secrets act is now over and you are free to speak openly about your solutions.
The CTF is still available to try below and if you have any questions regarding the solution please feel free to DM us via twitter.