2023 National Vocational College Skills Competition, Information Security Management and Evaluation: Network Security Incident Response, Digital Forensics Investigation, Application Security Task Book

National Vocational College Skills Competition

Higher Vocational Education Group

Information Security Management and Evaluation

Task Book

Module Two

Cybersecurity Incident Response, Digital Forensics Investigation, Application Security

  • Competition time and precautions

The duration of this stage is 180 minutes, from 13:30 to 16:30.

【Precautions】

  1. Do not shut down the machine when the competition ends;
  2. Contestants must first create a folder named "AGWxx" in the root directory of the USB flash drive (xx is replaced by the specific station number), then place the "Information Security Management and Evaluation Competition Answer Sheet - Module 2" answer document completed in the second stage of the competition in the "AGWxx" folder.

For example: station 08 must create an "AGW08" folder in the root directory of the USB flash drive and place the "Information Security Management and Evaluation Competition Answer Sheet - Module 2" answer document completed in the second stage in the "AGW08" folder.

  3. Do not modify the configuration of the physical machine or the hardware parameters of the virtual machine itself.
  • Required hardware and software equipment and materials

All test items can be completed by the competitors using the equipment and software specified in the infrastructure list.

  • Grading scheme

The total score for this stage is 300 points.

  • Project and Task Description

With the continuous development of networks and informatization, network security incidents keep emerging one after another. Network attacks such as malicious code transmission, information theft, information tampering and remote control seriously threaten the confidentiality, integrity and availability of information systems. Therefore, technical work such as countering network attacks, organizing emergency response to security incidents and collecting electronic evidence is an important part of network security protection. Group A has now suffered an illegal malicious attack from an unknown organization. Your team needs to help Group A trace the source of this network attack, analyze the evidence and clues of the malicious attack, find the vulnerabilities or malicious code in the operating system and applications, and help it consolidate its network security defenses.

This module is mainly divided into the following three parts:

  1. Cyber Security Incident Response
  2. Digital Forensics Investigation
  3. Application Security
  • Work tasks

Part I Cyber Security Incident Response

Task 1: CentOS Server Emergency Response (70 points)

The application server of Group A was hacked: malware was uploaded to the server's web application system and system files were damaged by it. Your team needs to help the company trace the source of this network attack and conduct a comprehensive inspection of the server, covering log information, process information, system files, malicious files and so on, in order to analyze the hacker's attack, discover the vulnerabilities in the system and repair the vulnerabilities found.

Material list for this task: CentOS server virtual machine.

The attacked server has been packaged and saved as a virtual machine file; please import and analyze it yourself.

Username: root

Password   : nanyidian..

Please complete the tasks of this part as required.

Task 1: CentOS Server Emergency Response

No. | Task content | Answer
1 | Please submit the site administrator's username and password |
2 | The attacker modified a file through the application's admin back-end to gain server access; please submit the name of that file |
3 | After tampering with the file, the attacker can execute arbitrary unauthorized commands through the website's home page. Please submit the payload that uses the trojan to execute phpinfo, for example: /shell.php?cmd=phpinfo(); |
4 | The attacker left an obfuscated (detection-evading) webshell on the website; please submit the original text of the shell in its simplest form, for example: <?php ...?> |
5 | The attacker modified a certain file so that the webshell is automatically regenerated after it is deleted; please submit the absolute path of that file |
6 | Please submit the database account and password that the website service uses to connect to the database |
7 | Please submit the information left by the attacker in the database, in the format flag{...} |

Part II Digital Forensics Investigation

Task 2: Windows-based memory forensics (40 points)

A server system of Group A was infected with a malicious program, resulting in the destruction of key system files. Please analyze the system image and memory image provided by Group A, locate the malware in the system image and analyze its behavior.

Material list for this task: memory image (*.raw).

Task 2: Windows-based memory forensics

No. | Task content | Answer
1 | Please identify the suspected malicious process in memory |
2 | Please identify the password used by the employee for the company's OA platform |
3 | The hacker uploaded a trojan file and used it to maintain access. What is the name of the trojan file? |
4 | Please submit the home address of an important contact recorded on this computer |

Please complete the tasks of this part as required.

Task 3: Communication data analysis and forensics (50 points)

Group A's network security monitoring system discovered that malicious actors were carrying out advanced persistent threat (APT) attacks and captured some suspicious traffic packets. Based on the captured traffic, please search for clues to the network attack, extract the hidden malicious program and analyze its behavior.

Material list for this task: captured communication data files.

Please complete the tasks of this part as required.

Task 3: Communication data analysis and forensics

No. | Task content | Answer
1 | Please submit the file name of the executable malicious program transmitted in the captured packets |
2 | Please submit the IP and port from which the malware downloads its payload |
3 | Please submit the local file name (including path) read by the malicious program's payload |
4 | Please submit the contents of the local file read by the malicious program |

Task 4: Linux-based stand-alone computer forensics (60 points)

Analyze the given forensic image file and search for the evidence keywords (the clue keywords are "evidence 1", "evidence 2", ..., "evidence 10", in text or image form, not case-sensitive). Extract and preserve the target evidence files required by the competition, and fill in the relevant information according to the format of the sample table. Evidence files account for no less than 15% of the total number of files. Forensic information may be hidden in normal, deleted or damaged files, so you may need transcoding techniques, encryption and decryption techniques, steganography techniques, data recovery techniques, and familiarity with commonly used file formats (such as office documents, compressed archives, pictures, etc.).

Material list for this task: forensic image file.

Please complete the tasks of this part as required.
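A first-pass helper for the task above, added here as an illustration rather than anything from the competition materials: it walks an extracted or mounted image, matches the "evidence 1" to "evidence 10" keywords case-insensitively in file names and raw file bytes, and records the lowercase MD5 the answer table asks for. The sample tree it builds is constructed for the demo; keywords hidden in pictures, encodings, stego or deleted files are out of its reach and still need the manual techniques the task lists.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Clue keywords from the task: "evidence 1" .. "evidence 10", case-insensitive.
# Separator-tolerant so "Evidence_7" in a file name is also a hit; "evidence 12"
# is rejected by the lookahead because it is outside the 1..10 range.
EVIDENCE_RE = re.compile(rb"evidence[\s_-]*(10|[1-9])(?!\d)", re.IGNORECASE)


def md5_hex(data: bytes) -> str:
    """Lowercase MD5 hex digest, the form the answer table accepts (case-insensitive)."""
    return hashlib.md5(data).hexdigest()


def evidence_numbers(blob: bytes) -> set:
    """Every evidence number (1..10) referenced in a byte string."""
    return {int(m.group(1)) for m in EVIDENCE_RE.finditer(blob)}


def scan_image_root(root: str) -> dict:
    """Walk a mounted or extracted image; map evidence number -> [(relative path, md5)].
    Only file names and raw bytes are searched: keywords hidden in pictures, encodings,
    stego or deleted files still need the manual techniques the task lists."""
    hits = {}
    root_path = Path(root)
    for path in sorted(p for p in root_path.rglob("*") if p.is_file()):
        data = path.read_bytes()
        rel = path.relative_to(root_path).as_posix()
        for n in evidence_numbers(rel.encode()) | evidence_numbers(data):
            hits.setdefault(n, []).append((rel, md5_hex(data)))
    return hits


def build_demo_tree() -> str:
    """Constructed sample tree for demonstration (not the competition image)."""
    root = tempfile.mkdtemp(prefix="forensic_demo_")
    files = {
        "docs/notes.txt": b"meeting memo ... EVIDENCE 3 is attached ...",
        "evidence_7.txt": b"",  # keyword only in the file name
        "misc/evidence 12.log": b"decoy: 12 is outside the clue range",
        "archive/Evidence 10.bin": b"abc",
    }
    for rel, content in files.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return root
```

Run scan_image_root(build_demo_tree()) to see the demo hits, or point scan_image_root at the directory where the real image is mounted.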

Task 4: Linux-based stand-alone computer forensics

Evidence number | File name in the forensic image | MD5 hash of the original file in the image (case-insensitive)
evidence 1 | |
evidence 2 | |
evidence 3 | |
evidence 4 | |
evidence 5 | |
evidence 6 | |
evidence 7 | |
evidence 8 | |
evidence 9 | |
evidence 10 | |

Part III Application Security

Task 5: Android malware analysis (50 points)

Group A found that the Android mobile application files it released have been illegally tampered with. Your team needs to assist Group A with reverse analysis of the malicious program sample, and investigate and collect evidence of its attack and destructive behavior.

Material list for this task: Android mobile application files.

Please complete the tasks of this part as required.

Task 5: Android malware analysis

No. | Task content | Answer
1 | Submit the URL address to which the malicious application in the material returns data |
2 | Submit the name (including path) of the data file saved by the malicious code in the material |
3 | Submit the SHA1 signature value of the dex that initiates the malicious behavior in the material |
4 | Describe the behavior of the malicious code in the material |

Task 6: C code audit (30 points)

Code auditing means inspecting source code to look for weaknesses in it; it is a technique that requires a broad range of skills. As part of software security inspection, code security review is very important, because most code is correct syntactically and semantically yet still contains security vulnerabilities that may be exploited, and you must rely on your knowledge and experience to complete this work.

Material list for this task: C source code file.

Please complete the tasks of this part as required.

Task 6: C code audit

No. | Task content | Answer
1 | Please indicate what vulnerability exists in this code segment |
2 | Please indicate the name of the vulnerable function, for example: scanf |


Origin blog.csdn.net/qq_50377269/article/details/132607209