Avalanche is a petition/campaign website like 38 Degrees or the UK.gov petitions site. It allows users to register, create campaigns, vote on other campaigns, etc.
Originally created for BSides Scotland in 2019, this has been on a mini tour since May and has been attacked by over a hundred CTF enthusiasts.
The following hints have been provided at the live events:
- It is implemented in Flask using Python 3, running on Ubuntu.
We are choosing to put this online for the community to play with now. It will remain our current challenge until Friday 13th of September.
Note: please do not share any solutions online until after the official solution is published. Keep an eye on PentestLtd on Twitter for the solution.
In and out of scope
The scope is:
- Limited to the application available over HTTP on TCP port 80.
Outside of scope:
- In real life you would not have local access to the VM.
- Solutions that rely on local access are out of scope, i.e. analysis of the hard disk or tampering with the boot process.
Where is the flag?
This was originally a live event, so we decided to include a visible flag for the folks in the room. It was a race to get the phone number of Agent Chaos, ably played by Sir Sean Connery, as shown:
Therefore, the goals are:
- Obtain app.db (sqlite database file)
- Identify Agent Chaos using these details:
  - User ID > 1000
  - About Me: includes the word “Security”
  - Phone Number: includes “075”
This list will help you uniquely identify the phone number of one user so that you can call it.
- Download the Avalanche CTF from here
- Import into VirtualBox.
- Power on until you see the login screen (note the boot messages are suppressed, so a black screen for around a minute is expected).
- Hopefully DHCP has worked and you have access to a host-only interface. Try the URLs listed until one works.
From that point it is a case of happy hunting! If you do solve the challenge, please respect the amnesty around posting the solution publicly until after the 13th of September.
Think you solved it?
If you want us to validate how you found and solved the challenge, DM us on Twitter.