2022 Guangxi Zhuang Autonomous Region 2nd Vocational Skills Competition "Network Security Project" Competition Mission Statement

1. Competition time

Total: 12 hours

2. Competition stage

  Stage   Task      Competition task                               Time          Score
  A       A-1       Login Security Hardening                       240 minutes   350 points
          A-2       Local Security Policy Configuration
          A-3       Traffic Integrity Protection
          A-4       Event Monitoring
          A-5       Service Hardening
  B       B-1       Windows Operating System Penetration Testing   240 minutes   350 points
          B-2       Linux Operating System Penetration Testing
          B-3       Information Forensic Analysis
          B-4       Cyber Security Incident Response
          B-5       Code Audit
          B-6       Emergency Response
  C       Module C  CTF Capture the Flag - Attack                  240 minutes   300 points

3. Contents of the competition task book

(1) Topology map

[Topology diagram: image not reproduced in this copy]

(2) Module A: Infrastructure Setting / Security Hardening (350 points)

1. Project and task description:

Assume that you are a network security engineer at an enterprise. For the enterprise's server systems, ensure that each service runs normally according to the task requirements, and use login and password policies, traffic integrity protection policies, event monitoring policies, firewall policies and other security policies together to strengthen the servers' network security defences.

2. Server environment description

AServer06 (Windows): username administrator, password P@ssw0rd

AServer07 (Linux): username root, password 123456

3. Notes:

1. All screenshots must show the interface and text clearly and be pasted at the position required by the corresponding item;

2. File naming and saving: Network Security Module A-XX (XX is the station number), saved in PDF format;

3. Save the file to the USB drive and submit it.

A-1: Login Security Hardening (Windows, Linux)

Configure the Windows and Linux servers as required to improve their security.

  1. Password policy (Windows, Linux)
    1. The password policy must require uppercase letters, lowercase letters, numbers and special characters (Windows); take a screenshot of the properties dialog of the "Password must meet complexity requirements" policy:
    2. The password policy must require uppercase letters, lowercase letters, numbers and special characters (Linux); take a screenshot of the corresponding part of the /etc/pam.d/system-auth configuration file:
    3. The minimum password length must be no less than 8 characters (Windows); take a screenshot of the properties dialog of the "Minimum password length" policy:
    4. The minimum password length must be no less than 8 characters (Linux); take a screenshot of the corresponding part of the /etc/login.defs configuration file:
  2. Login policy
    1. Set the account lockout threshold to 6 invalid logon attempts, the account lockout duration to 1 minute, and reset the account lockout counter after 1 minute (Windows); take a screenshot of the Account Lockout Policy configuration interface:
    2. Allow only 5 login failures within one minute; after more than 5 failures the account is locked for 1 minute (Linux); take a screenshot of the corresponding part of the /etc/pam.d/login configuration file:
  3. User security management (Windows)
    1. Prohibit sending unencrypted passwords to third-party SMB servers; take a screenshot of the properties dialog of "Microsoft network client: Send unencrypted password to third-party SMB servers":
    2. Disable the Guest account, the built-in account used for guest access to the computer or domain; take a screenshot of the properties dialog of "Accounts: Guest account status":

A-2: Local Security Policy Settings (Windows)

  1. Clear the virtual memory pagefile when the system shuts down; take a screenshot of the properties dialog of "Shutdown: Clear virtual memory pagefile":
  2. Do not allow the system to be shut down without logging on; take a screenshot of the properties dialog of "Shutdown: Allow system to be shut down without having to log on":
  3. Do not allow floppy copy and access to all drives and all folders from the Recovery Console; take a screenshot of the properties dialog of "Recovery console: Allow floppy copy and access to all drives and all folders":
  4. Do not display the user name of the last logon; take a screenshot of the properties dialog of "Interactive logon: Do not display last user name":

A-3: Traffic Integrity Protection (Windows, Linux)

  1. Create the www.chinaskills.com site with a home page named chinaskills.html in the C:\web folder; the home page displays "Warmly celebrate the opening of the Vocational College Skills Competition in 2022". Allow access only over SSL and only via the domain name (the domain name is www.test.com); take a screenshot of the site binding configuration interface:
  2. To prevent the password from being stolen at login or in transit, allow only certificate (key-based) login to SSH (Linux); take a screenshot of the corresponding part of the /etc/ssh/sshd_config configuration file:

A-4: Event Monitoring (Windows)

  1. When the Application log reaches its maximum size of 65 MB, archive the log and do not overwrite events; take a screenshot of the Log Properties - Application (Type: Administrative) configuration interface:

A-5: Service Hardening: SSH, VSFTPD, IIS (Windows, Linux)

  1. SSH service hardening (Linux)
    1. Prohibit the root user from logging in remotely over SSH; take a screenshot of the corresponding part of the /etc/ssh/sshd_config configuration file:
    2. Set up scheduled tasks for the root user: start the SSH service automatically at 7:50 every morning and stop it at 22:50, and restart the SSH service every Saturday at 7:30; take a screenshot of the output of the command crontab -l;
    3. Change the SSH service port to 2222, check the SSH port with the command netstat -anltp | grep sshd, and take a screenshot of the result;
  2. VSFTPD service hardening (Linux)
    1. Set the data connection timeout to 2 minutes; take a screenshot of the corresponding part of the /etc/vsftpd/vsftpd.conf configuration file:
    2. Set the maximum transfer rate for local users of the site to 1M; take a screenshot of the corresponding part of the /etc/vsftpd/vsftpd.conf configuration file:
  3. IIS hardening (Windows)
    1. To prevent the web server's root directory from being enumerated through the IIS short file name disclosure vulnerability, disable short file names and take a screenshot of the configuration command:
    2. Turn off the WebDAV function of IIS to improve site security, and take a screenshot of the alert message:
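As an added illustration (not part of the task book), the following Python script checks the Linux requirements of A-1, A-3 item 2 and A-5 against configuration text, so a contestant or auditor can confirm the state before taking the screenshots. The configuration excerpts are constructed to show a compliant state; reading "1M" as 1048576 bytes/s for local_max_rate and using systemctl as the service manager are assumptions.

```python
import re

# Constructed config excerpts in the compliant state (not taken from the competition machine).
SYSTEM_AUTH = ("password  requisite  pam_pwquality.so retry=3 minlen=8 "
               "ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1\n"
               "password  sufficient pam_unix.so sha512 shadow use_authtok\n")
LOGIN_DEFS = "PASS_MAX_DAYS\t99999\nPASS_MIN_LEN\t8\n"
PAM_LOGIN = "auth  required  pam_tally2.so deny=5 unlock_time=60 even_deny_root root_unlock_time=60\n"
SSHD_CONFIG = "#Port 22\nPort 2222\nPermitRootLogin no\nPasswordAuthentication no\nPubkeyAuthentication yes\n"
VSFTPD_CONF = "data_connection_timeout=120\nlocal_max_rate=1048576\n"
CRONTAB = "50 7 * * * systemctl start sshd\n50 22 * * * systemctl stop sshd\n30 7 * * 6 systemctl restart sshd\n"

def _opt(line, name):
    """Integer value of a key=value option on a PAM line, None if absent."""
    m = re.search(rf"\b{name}=(-?\d+)", line)
    return int(m.group(1)) if m else None

def check_password_complexity(system_auth):
    """A-1: upper, lower, digit and special each required, i.e. every credit <= -1."""
    for line in system_auth.splitlines():
        if line.startswith("password") and ("pam_pwquality.so" in line or "pam_cracklib.so" in line):
            return all((_opt(line, c) or 0) <= -1 for c in ("ucredit", "lcredit", "dcredit", "ocredit"))
    return False

def check_min_length(login_defs, minimum=8):
    """A-1: PASS_MIN_LEN in /etc/login.defs is at least 8."""
    m = re.search(r"^\s*PASS_MIN_LEN\s+(\d+)", login_defs, re.M)
    return bool(m) and int(m.group(1)) >= minimum

def check_lockout(pam_login):
    """A-1: 5 failures lock the account for 60 s (pam_tally2 or pam_faillock)."""
    for line in pam_login.splitlines():
        if line.lstrip().startswith("auth") and ("pam_tally2.so" in line or "pam_faillock.so" in line):
            return _opt(line, "deny") == 5 and _opt(line, "unlock_time") == 60
    return False

def check_sshd(sshd_config):
    """A-3/A-5: port 2222, root login refused, key-only authentication."""
    kv = {}
    for line in sshd_config.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            kv.setdefault(parts[0].lower(), parts[1].strip())   # sshd honours the first occurrence
    return {"port_2222": kv.get("port") == "2222",
            "root_login_disabled": kv.get("permitrootlogin") == "no",
            "key_only": kv.get("passwordauthentication") == "no" and kv.get("pubkeyauthentication", "yes") == "yes"}

def check_vsftpd(conf):
    """A-5: data timeout 120 s; local_max_rate is bytes/s and '1M' is read as 1048576 (assumption)."""
    kv = dict(ln.split("=", 1) for ln in conf.splitlines() if "=" in ln and not ln.startswith("#"))
    return {"data_timeout_120s": kv.get("data_connection_timeout") == "120",
            "local_max_rate_1M": kv.get("local_max_rate") in ("1000000", "1048576")}

def check_cron(crontab):
    """A-5: sshd started 07:50 and stopped 22:50 daily, restarted 07:30 on Saturdays."""
    jobs = {tuple(ln.split()[:5]): " ".join(ln.split()[5:]) for ln in crontab.splitlines() if ln.strip()}
    return (jobs.get(("50", "7", "*", "*", "*"), "").endswith("start sshd")
            and jobs.get(("50", "22", "*", "*", "*"), "").endswith("stop sshd")
            and jobs.get(("30", "7", "*", "*", "6"), "").endswith("restart sshd"))

def audit():
    """Every True means the corresponding requirement is met."""
    return {"pw_complexity": check_password_complexity(SYSTEM_AUTH), "pw_minlen": check_min_length(LOGIN_DEFS),
            "lockout": check_lockout(PAM_LOGIN), "cron": check_cron(CRONTAB),
            **check_sshd(SSHD_CONFIG), **check_vsftpd(VSFTPD_CONF)}
```

On a real machine, feed the checks the contents of the files named in each task instead of the constructed strings.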

(3) Module B: Security Incident Response / Network Security Data Forensics / Application Security (350 points)

B-1: Windows Operating System Penetration Testing

Task environment description:

  • Server scenario: Server2003
  • Server scenario operating system: Windows7
  1. Use the penetration testing platform Kali on the local PC to perform a system service and version scan of the Windows server scenario, and submit the port number of the Telnet service shown in the result as FLAG;
  2. Use the penetration testing platform Kali on the local PC to penetration-test the Windows server scenario, using hydra in Kali to brute-force the server's Telnet service (user name teltest), and submit the required hydra parameters as FLAG (for example: nmap -s -p 22); (dictionary path /usr/share/wordlists/dirb/small.txt)
  3. Use the penetration testing platform Kali on the local PC to penetration-test the Windows server scenario, using hydra in Kali to brute-force the server's Telnet service (user name teltest), and submit the successfully cracked password as FLAG; (dictionary path /usr/share/wordlists/dirb/small.txt)
  4. Use the penetration testing platform Win7 on the local PC to penetration-test the Windows server scenario; the account password obtained has remote desktop permissions. Use the reg command to export the SAM file from the scenario system, and submit the complete command as FLAG;
  5. Use the penetration testing platform Win7 on the local PC to penetration-test the Windows server scenario; the account password obtained has remote desktop permissions. Use the reg command to export the SYSTEM file from the scenario system, and submit the complete command as FLAG;
  6. Use the penetration testing platform Win7 on the local PC to penetration-test the Windows server scenario, copy the SAM and SYSTEM files to the local machine, use the mimikatz tool on the desktop to extract the password information of teltest, and submit the extraction command as FLAG;
  7. Use the penetration testing platform Win7 on the local PC to penetration-test the Windows server scenario, copy the SAM and SYSTEM files to the local machine, use the mimikatz tool on the desktop to extract the password information of administrators, and submit the extracted hash value as FLAG;

B-2: Linux Operating System Penetration Testing

Task environment description:

  • Server scenario: Server2106 (link closed)
  • Server scenario operating system: Linux (version unknown)
  1. Use the penetration testing platform Kali on the local PC to penetration-test the server scenario, and submit the name of the only file with the .bmp suffix in the scenario's /var/www directory as the Flag value;
  2. Use the penetration testing platform Kali on the local PC to penetration-test the server scenario, and submit the English words in the only picture file with the .bmp suffix in the scenario's /var/www directory as the Flag value;
  3. Use the penetration testing platform Kali on the local PC to penetration-test the server scenario, and submit the name of the only file with the .docx suffix in the scenario's /var/vsftpd directory as the Flag value;
  4. Use the penetration testing platform Kali on the local PC to penetration-test the server scenario, and submit the content of the only file with the .docx suffix in the scenario's /var/vsftpd directory as the Flag value;
  5. Use the penetration testing platform Kali on the local PC to penetration-test the server scenario, and submit the name of the only file with the .pdf suffix in the scenario's /home/guest directory as the Flag value;
  6. Use the penetration testing platform Kali on the local PC to penetration-test the server scenario, and submit the content of the only file with the .pdf suffix in the scenario's /home/guest directory as the Flag value;
  7. Use the penetration testing platform Kali on the local PC to penetration-test the server scenario, and submit the name of the only file with the .txt suffix in the scenario's /root directory as the Flag value;
  8. Use the penetration testing platform Kali on the local PC to penetration-test the server scenario, and submit the content of the only file with the .txt suffix in the scenario's /root directory as the Flag value.

B-3: Information Forensic Analysis

Task environment description:

  • Server scenario: FTPServer220817
  • Server scenario operating system: unknown (target machine closed)
  • FTP username: wireshark0051, password: wireshark0051
  1. Download the packet capture file wireshark0051.pcap from the target server's FTP, find the account and password with which the hacker successfully logged in to the target's FTP server, and submit them as the Flag value (user name and password separated by an English comma, for example: root, toor);
  2. Continue analysing wireshark0051.pcap, find the time at which the hacker logged in to FTP with the obtained account and password, and submit that time as the Flag value (for example: 14:22:08);
  3. Continue analysing wireshark0051.pcap, find the FTP service version number returned when the hacker connected to the FTP server, and submit it as the Flag value;
  4. Continue analysing wireshark0051.pcap, find the first command the hacker executed after successfully logging in to the FTP server, and submit it as the Flag value;
  5. Continue analysing wireshark0051.pcap, find the key file the hacker downloaded after successfully logging in to the FTP server, and submit the downloaded file name as the Flag value;
  6. Continue analysing wireshark0051.pcap, find the user name and password with which the hacker successfully cracked the target server's Telnet service, and submit them as the Flag value (user name and password separated by an English comma, for example: root, toor);
  7. Continue analysing wireshark0051.pcap, find the file the hacker added to the root directory of the server website, and submit its file name as the Flag value;
  8. Continue analysing wireshark0051.pcap, find the user the hacker added to the server system, and submit the added user name and password as the Flag value (user name and password separated by an English comma, for example: root, toor).
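As an added example (not part of the task book), this Python routine reconstructs the kind of findings B-3 asks for (server version, the credentials that finally worked, the login time, the first post-login command and the downloaded file) from FTP control-channel lines that have already been decoded from a capture. The addresses, timestamps, credentials and file name below are constructed sample data, not values from the competition capture.

```python
from dataclasses import dataclass

@dataclass
class Frame:
    """One decoded segment of the FTP control channel, as a packet viewer shows it."""
    time: str       # capture time, HH:MM:SS
    src: str
    dst: str
    payload: str    # FTP command or reply line, CRLF stripped

SERVER = "192.168.1.20"   # constructed FTP server address; the client is 192.168.1.77

# Constructed capture excerpt: two password guesses, the second succeeds, then post-login activity.
FRAMES = [
    Frame("14:21:58", SERVER, "192.168.1.77", "220 (vsFTPd 3.0.3)"),
    Frame("14:21:59", "192.168.1.77", SERVER, "USER ftpuser"),
    Frame("14:21:59", SERVER, "192.168.1.77", "331 Please specify the password."),
    Frame("14:22:00", "192.168.1.77", SERVER, "PASS 123456"),
    Frame("14:22:01", SERVER, "192.168.1.77", "530 Login incorrect."),
    Frame("14:22:03", "192.168.1.77", SERVER, "USER ftpuser"),
    Frame("14:22:03", SERVER, "192.168.1.77", "331 Please specify the password."),
    Frame("14:22:04", "192.168.1.77", SERVER, "PASS Autumn2022!"),
    Frame("14:22:05", SERVER, "192.168.1.77", "230 Login successful."),
    Frame("14:22:09", "192.168.1.77", SERVER, "PWD"),
    Frame("14:22:09", SERVER, "192.168.1.77", '257 "/" is the current directory'),
    Frame("14:22:15", "192.168.1.77", SERVER, "RETR backup.sql"),
    Frame("14:22:15", SERVER, "192.168.1.77", "150 Opening BINARY mode data connection for backup.sql"),
]

def analyse(frames, server):
    """Single pass over the control channel; pairs each PASS with the 230/530 reply that answers it."""
    result = {"banner": None, "attempts": [], "login": None, "commands": [], "retrieved": []}
    user = pending = None
    for f in frames:
        if f.src == server:                                  # server -> client reply
            code = f.payload[:3]
            if code == "220" and result["banner"] is None:   # greeting carries the service version
                result["banner"] = f.payload[4:]
            elif code in ("230", "530") and pending:
                result["attempts"].append((pending, code == "230"))
                if code == "230" and result["login"] is None:
                    result["login"] = {"user": pending[0], "password": pending[1], "time": f.time}
                pending = None
        else:                                                # client -> server command
            verb, _, arg = f.payload.partition(" ")
            if verb == "USER":
                user = arg
            elif verb == "PASS":
                pending = (user, arg)
            elif result["login"] is not None:                # everything after the 230 is the intruder's session
                result["commands"].append(f.payload)
                if verb == "RETR":
                    result["retrieved"].append(arg)
    return result
```

The same pairing logic works on the Telnet and web traffic in items 6 to 8 once those streams are decoded, since it only depends on direction and reply codes.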

B-4: Cybersecurity Incident Response

Task environment description:

  • Server scenario: Server2215
  • Server scenario operating system: unknown (target machine closed)
  1. The hacker broke into the local server (target machine) over the network and planted a Trojan link on the web server's home page. Find this link, delete it, and submit the corresponding title as the Flag value;
  2. The hacker broke into the local database server and added a super user with administrator privileges other than admin; submit this user's password as the Flag value;
  3. The hacker broke into the local server and created several super users on it. Delete all super administrator users other than Administrator, then run net user in the command line window and submit the first word to the right of Administrator as the Flag value;
  4. The hacker modified the server's startup items. Delete the unnecessary startup program and submit its name as the Flag value (multiple names separated by English commas, for example: hello, test);
  5. The hacker stored a Trojan program somewhere on the server. Find and remove the Trojan, and submit the Trojan's file name as the Flag value.

B-5: Code Audit

Task environment description:

  • Server scenario: PYsystem002
  • Server scenario operating system: unknown (link open)
  • Server username: unknown, password: unknown
  1. Access the target server's web page from the penetration machine Kali Linux, register an account and log in, find the page with the XSS execution vulnerability, and submit the name of the vulnerable object on that page as FLAG;
  2. Construct a cookie bounce JS script, and submit the object and method used in the JS code as FLAG (form: object.method);
  3. Restart the web service on the penetration machine Kali Linux, and submit the restart command as FLAG;
  4. Use the XSS vulnerability on the target server to call the above JS script, start listening on port 3333 on the penetration machine Kali Linux, and submit the command used to start listening as FLAG;
  5. With port 3333 listening on the penetration machine Kali Linux, submit the first word of the first line of the received response as FLAG;
  6. With port 3333 listening on the penetration machine Kali Linux, submit the last word of the fifth line of the received response as FLAG.

B-6: Emergency Response

Task environment description:

  • Server scenario: FTPServer220817
  • Server scenario operating system: unknown (target machine closed)
  • FTP username: log, password: log
  1. Download the log file from the target server's FTP, analyse it, and submit the IP address from which the hacker successfully logged in to the system as the Flag value;
  2. After logging in, the hacker changed the user name of the logged-in user; submit the modified user name as the Flag value;
  3. After logging in, the hacker accessed a file at a key location; submit the file name (without suffix) as the Flag value;
  4. After logging in, the hacker restarted the database service several times; submit the process ID of the database service after the last restart as the Flag value;
  5. After logging in, the hacker changed the user name of the logged-in user and restarted the system several times; submit the number of times the hacker restarted the system using the modified user as the Flag value.

(4) Module C: CTF Capture the Flag - Attack (300 points)

1. Project and task description:

Suppose you are a network security penetration test engineer at an enterprise, responsible for protecting some of the enterprise's servers. To better find the problems and vulnerabilities that may exist in the enterprise network, you try various attack methods against specific target machines, so as to understand the latest attack methods and techniques and the mindset of network hackers, and thereby improve your defence strategy.

Log in to the answering platform with the Google Chrome browser on the client, using the information provided in the "Competition Parameter Table".

2. Operating system environment description:

Client operating system: Windows 10 / Windows 7

Target server operating system: Linux / Windows

3. Vulnerability description:

1. Vulnerabilities in the server may be conventional or system vulnerabilities;

2. The website on the target server may contain a command injection vulnerability; players are required to find it and use it to obtain certain permissions;

3. The website on the target server may contain a file upload vulnerability; players are required to find it and use it to obtain certain permissions;

4. The website on the target server may contain a file inclusion vulnerability; players are required to find it and combine it with other vulnerabilities to obtain certain permissions and escalate privileges;

5. A service provided by the operating system may contain a remote code execution vulnerability; players are required to find the vulnerable service and use it to obtain system permissions;

6. A service provided by the operating system may contain a buffer overflow vulnerability; players are required to find the vulnerable service and use it to obtain system privileges;

7. The operating system may contain system backdoors; players can find the reserved backdoors and use them to obtain system permissions directly.

4. Matters needing attention:

1. The referee server must not be attacked. If a team continues attacking after one warning, it will be ordered to leave the field;

2. The flag value is the unique identifier of each target server, and each target server has only one;

3. After breaking into a target machine, contestants must not close ports, change passwords, restart or shut down the target, delete or modify the flag, create unnecessary files, or perform other such operations on it;

4. After logging in to the automatic scoring system, submit the flag value of the target server and specify the target server's IP address;

5. The arena has target machines with different base points according to difficulty. For each target server, the first three teams to obtain the flag receive bonus points on top of the base points. Each team's total score in this stage is its score for the stage; the specific bonus rules follow the on-site scoring standards;

6. No additional time will be given for this session.

Source: blog.csdn.net/qq_50377269/article/details/131334353