Challenge

Avalanche 2 CTF

Avalance 2 CTF - Pentest

The challenge

We are delighted to make Avalanche2 CTF available! It is the second appearance of the Avalanche CTF platform which is a petition/campaign website like 38 degrees or the UK.gov petitions site.

With Avalanche we are presenting a CTF challenge that has clear learning objectives for anyone trying it. To complete this you likely learn a few things along the way. It is also based on reality in two important ways:

·     In a genuine application assessment, a penetration tester must find vulnerabilities within otherwise secure targets. To simulate that the site has a full range of functionality. You are encouraged to interact with the site as a legitimate user would first. This is to discover the full range of functionality before seeking to exploit anything.

·       Each part of the exploit chain is something which is like vulnerabilities located and exploited by us during real-world engagements.

Some may find this trivial but there is also a fair bet that many could spend several hours or evenings.  

Hints

Hint 1: Google “baking flask cookies”
Hint 2: Google “Flask tutorial”
Hint 3: The password is in the wordlist stored inside the web root.

Getting Started 

  1. Download the CTF from here
  2. We have provided a PDF guide to load this VM within VMWare/VirtualBox within the zip file downloaded above.

Where is the flag? 

Your challenge is to get the password for the user with administrative privileges.

If you think you have figured out the password, then well done to you! Please respect that others will still be trying so we politely request you keep the method and flag secret. We will publish an official solution by February 2020. After that you can freely discuss how you tackled it.

We appreciate you would like feedback sooner than that so follow and then ping a direct message to @PentestLtd on Twitter. We can confirm if you retrieved the correct flag and have a chat about how you did it.

Happy hunting to everyone.

Avalanche 2 CTF – The solution

Many have tried, none have succeeded. So here it is, the moment you’ve all been waiting for. The solution to our Avalanche 2 CTF!

The CTF is still available to try below and if you have any questions regarding the solution please feel free to DM us via twitter

Looking for more than just a test provider?

Get in touch with our team and find out how our tailored services can provide you with the cybersecurity confidence you need.