2023 Secondary Vocational Group "Cyberspace Security" competition task book for XX City

2023 Secondary Vocational Group "Cyberspace Security" Competition

XX City Competition Task Book

1. Competition time

Total: 180 minutes

2. Competition stages

| Competition stage | Task stage | Competition task | Competition time | Score |
|---|---|---|---|---|
| Stage 1: individual mode, system penetration testing | Task 1 | SSH weak password penetration testing | 100 minutes | 100 |
| | Task 2 | Linux operating system penetration testing | | 100 |
| | Task 3 | Remote code execution penetration testing | | 100 |
| | Task 4 | Middleware penetration testing | | 150 |
| | Task 5 | Windows operating system penetration testing | | 100 |
| Preparation stage | | Offensive and defensive confrontation preparations | 20 minutes | 0 |
| Stage 2: group confrontation | | System hardening | 15 minutes | 300 |
| | | Penetration testing | 45 minutes | |

3. Contents of the competition task book

(1) Topology map

(2) Task statement for the first stage (700 points)

Task 1: SSH weak password penetration test

Task environment description:

  • Server scenario: Server18-2 (closed link)
  • Server scenario operating system: Linux (unknown version)
  1. Use the zenmap tool on the Kali penetration testing platform on the local PC to scan the network segment where Server18-2 is located (for example: 172.16.101.0/24) for live host IP addresses and the designated open ports 21, 22, and 23, and submit the string that must be added to the command used for this operation as the FLAG (ignore the IP address);
  2. Use the Kali penetration testing platform on the local PC to run a system service and version scan against the server scenario Server18-2, and submit the service port information corresponding to the SSH service in the displayed result as the FLAG;
  3. On the Kali penetration testing platform on the local PC, use an MSF module to brute-force the service: use the search command, and submit the name of the weak password scanning module as the FLAG;
  4. Building on the previous question, load the module with the appropriate command and view the information that needs to be configured (use the show options command). Submit the fields echoed for the target address to be configured, the password-guessing dictionary, the threads, and the account configuration parameters as the FLAG (separated by English commas, such as hello, test, .., ..);
  5. Configure the IP address of the target machine in the msf module, and submit the first two words of the configuration command as the FLAG;
  6. Specify the password dictionary in the msf module. The dictionary path is /root/desktop/tools/2.txt and the user name is test. Brute-force the password and submit the obtained password as the FLAG;
  7. Building on the previous question, use the password obtained in question 6 to SSH to the target machine, and submit the file name string of the only picture with the .bmp suffix in the test user's home directory as the FLAG.

Task 2: Linux operating system penetration testing

Task environment description:

  • Server scenario: Server2106 (closed link)
  • Server scenario operating system: Linux (unknown version)
  1. Use the Kali penetration testing platform on the local PC to perform a penetration test on the server scenario, and submit the name of the only file with the .bmp suffix in the scenario's /var/www directory as the Flag value;
  2. Use the Kali penetration testing platform on the local PC to perform a penetration test on the server scenario, and submit the English words in the only picture file with the .bmp suffix in the scenario's /var/www directory as the Flag value;
  3. Use the Kali penetration testing platform on the local PC to perform a penetration test on the server scenario, and submit the name of the only file with the .docx suffix in the scenario's /var/vsftpd directory as the Flag value;
  4. Use the Kali penetration testing platform on the local PC to perform a penetration test on the server scenario, and submit the content of the only file with the .docx suffix in the scenario's /var/vsftpd directory as the Flag value;
  5. Use the Kali penetration testing platform on the local PC to perform a penetration test on the server scenario, and submit the name of the only file with the .pdf suffix in the scenario's /home/guest directory as the Flag value;
  6. Use the Kali penetration testing platform on the local PC to perform a penetration test on the server scenario, and submit the content of the only file with the .pdf suffix in the scenario's /home/guest directory as the Flag value;
  7. Use the Kali penetration testing platform on the local PC to perform a penetration test on the server scenario, and submit the name of the only file with the .txt suffix in the scenario's /root directory as the Flag value;
  8. Use the Kali penetration testing platform on the local PC to perform a penetration test on the server scenario, and submit the content of the only file with the .txt suffix in the scenario's /root directory as the Flag value.

Task 3: Remote Code Execution Penetration Testing

Task environment description:

  • Server scenario: Server2128 (open link)
  • Server scenario operating system: Windows
  • Username: administrator, password: p@ssw0rd
  1. Find the file RCEBackdoor.zip in folder 1 on the desktop of the target machine, use the static disassembly tool IDA to analyze the program in the archive, analyze the target file according to the prompts, and submit the range of base-address offsets containing the malicious code as the Flag value (submission form: 0x1000XXXX-0x1000XXXX);
  2. Continue to analyze the disassembled code, find the key functions in the malicious code, and submit the name of the function used for string concatenation as the Flag value (submission form: echo());
  3. Continue to analyze the disassembled code, find the key functions in the malicious code, and submit the parameter name used to format the string as the Flag value (submission form: %*);
  4. Continue to analyze the disassembled code, find the key functions in the malicious code, and submit the parameter name used for passing string parameters as the Flag value (submission form: %*);
  5. Find the decode.py file in folder 1 on the Windows 7 desktop of the target machine and complete it: fill in the four strings F1, F2, F3, and F4 that are left blank in the file, and submit the concatenation of the four strings as the Flag value;
  6. Executing decode.py produces two files. Analyze and decode the content of the second file, and submit all port numbers in the port list that appears in it, arranged in ascending order, as the Flag value (e.g. 21,22,23,80).

Task 4: Middleware penetration testing

Task environment description:

  • Server scenario: Server2129 (closed link)
  • Server scenario operating system: Windows
  1. Use the Kali penetration testing platform on the local PC to run a system service and version scan against the server scenario Server2129, and submit the service status information corresponding to port 80 in the displayed result as the Flag value;
  2. Obtain the user name starting with the English letter "P" on the target machine Server2129, and submit the user name as the Flag value;
  3. Find the network adapter information of the target machine Server2129, and submit the preferred DNS server address as the Flag value;
  4. Find the file with the .docx suffix in the 111 folder on the desktop of the target machine Server2129, and submit the document content as the Flag value;
  5. Find the document in the recycle bin of the target machine Server2129, and submit the content of the document as the Flag value;
  6. Find the C:\flag.txt file on the target machine Server2129, and submit the content of the file as the Flag value.

Task 5: Windows operating system penetration testing

Task environment description:

  • Server scenario: Server2124 (closed link)
  • Server scenario operating system: Windows (unknown version)

1. Use the Kali penetration testing platform on the local PC to run a system service and version scan against the server scenario Server2, and submit the service version information corresponding to port 1433 in the displayed result as the Flag value (for example, 3.1.4500);

2. Use the Kali penetration testing platform on the local PC to run a system service and version scan against the server scenario Server2, and submit the fully qualified domain name of the DNS server host as the Flag value;

3. Submit the password of the low-privileged user (one that cannot execute system commands through the database) of the SQL Server database on the target server as the Flag value;

4. Submit the password of the higher-privileged user (one that can execute system commands through database commands) of the SQL Server database on the target server as the Flag value;

5. Find the file with the .docx suffix in the 266437 folder in the C:\Windows\system32 folder, and submit the document content as the Flag value.

(3) Task statement for the second stage (300 points)

Assume that each contestant is an information security engineer at an e-commerce company, responsible for the security protection of some of the company's servers. These servers may have various problems and vulnerabilities. You need to harden the servers as soon as possible; after 15 minutes, contestants from other teams will begin penetrating these servers.

Using the second-stage information provided in the "Competition Venue Parameter Table", log in to the live competition platform with the Google Chrome browser on the PC.

Target machine server environment description:

Scenario 1: HZBJ (version unknown);

Precautions:

1. The referee server must not be attacked. If a team continues to attack it after one warning, the team will be ordered to leave the competition venue;

2. The Flag value is the unique identifier of each target machine server, and each target machine server has only one;

3. The Flag value of the target machine server is stored in the /root/flagvalue.txt file or the C:\flagvalue.txt file;

4. After logging in to the automatic scoring system, submit the Flag value of the opponent’s target machine server, and at the same time specify the IP address of the opponent’s target machine server;

5. When hardening the system, you must preserve the availability of the external services provided by the target machine. Only the configuration of a service may be changed; its content must not be changed;

6. This stage is a confrontation stage, and no additional time will be given.

The list of possible vulnerabilities is as follows:

1. Vulnerabilities in the server may be conventional vulnerabilities or system vulnerabilities;

2. The website on the target machine server may have a command injection vulnerability. Contestants are required to find the command injection vulnerability and use it to obtain certain permissions;

3. The website on the target machine server may have a file upload vulnerability. Contestants are required to find the file upload vulnerability and use it to obtain certain permissions;

4. The website on the target machine server may have a file inclusion vulnerability. Contestants are required to find the file inclusion vulnerability and combine it with other vulnerabilities to obtain certain permissions and escalate privileges;

5. The services provided by the operating system may contain a remote code execution vulnerability. Contestants are required to find the service with the remote code execution vulnerability and use it to obtain system permissions;

6. The services provided by the operating system may contain buffer overflow vulnerabilities. Contestants are required to find the services with buffer overflow vulnerabilities and use them to obtain system permissions;

7. The operating system may contain system backdoors. Contestants can find these backdoors and use them to obtain system permissions directly.
