Can MitM attack be avoided without using a 3rd party?

There is no need to use a CA, even with HTTPS. You can simply use a self-signed certificate on the server if you provide the client with a copy or similar (i.e. fingerprint) of this certificate in a secure (tamper proof) way before the client connects to the server so that the client can verify that it talks to the expected server. If the client can not verify the server man in the middle attacks are possible.

The concept of CA signed certificates (i.e. public key infrastructure (PKI)) is only created because sharing a self-signed leaf certificates with all parties does not scale. With CA the browser/OS has a list of trust anchors (root certificates) and can derive the trust to a server certificate based on a trust chain from the trusted root to the leaf certificate. Because of this mechanism only the trusted root CA need to be shared but not every possible server certificate.

Apart from a pre-shared certificate or similar public information (like a SSH server fingerprint) MITM resistant connections can also be established by using a shared secret on both sides. That's the typical case in home Wifi protected with WPA.

Limited protection against MITM is achieved with Trust On First Use (TOFU). In this case the identity of the peer is saved from the first connection and applied to the following connections in the hope that the attacker was not present on the first connection, i.e. that the identity received was the true identity of the expected peer. This is done for example if one accepts a self-signed certificate in HTTPS.