Challenge

The challenge We are delighted to make Avalanche2 CTF available! It is the second appearance of the Avalanche CTF platform which is a petition/campaign website like 38 degrees or the UK.gov petitions site. With Avalanche we are presenting a CTF challenge that has clear learning objectives for anyone trying it. To complete this you likely learn a few things along the way. It is also based on reality in two important ways: ·     In a genuine application assessment, a penetration tester must find vulnerabilities within otherwise secure targets. To simulate that the site has a full range of functionality. You are encouraged to interact with the site as a legitimate user would first. This is to discover the full range of functionality before seeking to exploit anything. ·       Each part of the exploit chain is something which is like vulnerabilities located and exploited by us during real-world engagements. Some may find this trivial but there is also a fair bet that many could spend several hours or evenings. Hints Hint 1: Google “baking flask cookies”Hint 2: Google “Flask tutorial”Hint 3: The password is in the wordlist stored inside the web root. Getting Started  Download the CTF from here We have provided a PDF guide to load this VM within VMWare/VirtualBox within the zip file downloaded above. Where is the flag?  Your challenge is to get the password for the user with administrative privileges. Happy hunting to everyone Avalanche 2 CTF – The solution Many have tried, none have succeeded. So here it is, the moment you’ve all been waiting for. The solution to our Avalanche 2 CTF! The CTF is still available to try and if you have any questions regarding the solution please feel free to DM us via twitter. Click here for the official solution to Avalanche 2 >

The challenge Avalanche is a petition/campaign website like 38 degrees or the UK.gov petitions site. It allows users to register, create campaigns, vote on other campaigns. Originally created for BSides Scotland in 2019, Avalanche is based on real-world vulnerabilities found during our penetration test and red team engagements. This has been on a mini tour since May and has been attacked by over a hundred CTF enthusiasts and the following hints have been provided at the live events: It is implemented in Flask using python3, running on Ubuntu.  We are choosing to put this online for the community to play with now.   In and out of scope  The scope is:  Limited to the application available over HTTP on TCP port 80.  Outside of scope:  In real life you would not have local access to the VM.   Solutions which would rely on local access are outside of scope i.e. analysis of the hard disk or tampering with boot process.  Where is the flag?  This was originally a live event, we decided to include a visible flag for the folks in the room. It was a race to get the phone number of Agent Chaos ably played by Sir Sean Connery as shown:  Therefore, the goals are:  Obtain app.db (sqlite database file)  Identify agent chaos using these details:  User ID > 1000  About Me: includes word “Security”  Phone Number: includes “075”  This list will help you uniquely identify the details of Agent Chaos. Getting Started  Download the Avalanche CTF from here  Import into Virtual Box.  Power on until you see the login screen (note the boot messages are suppressed so a black screen for around a minute is expected).  Hopefully DHCP has worked and you have access to a host-only interface. Try the URLs listed until one works.  From that point it is a case of happy hunting!  Avalanche CTF – The solution Over 30 people managed to uncover the details of Agent Chaos, well done if you’re one of them! The official secrets act is now over and you are free to speak openly about your solutions. The CTF is still available to try and if you have any questions regarding the solution please feel free to DM us via twitter.  Click here for the official solution to the Avalanche CTF >