2022 National Vocational College Skills Competition Question 10 (Secondary Vocational School Group)

Cybersecurity competition test questions

(Total score 100 points)

Competition description

1. Introduction to competition projects

The "Cyber Security" competition is divided into four modules: A. Infrastructure setup and security reinforcement; B. Cybersecurity incident response, digital forensic investigation and application security; C. CTF capture the flag - attack; D. CTF capture the flag - defense. Depending on the actual situation of the competition, the parameters, wording and environment of the questions used at the venue may be modified appropriately; the questions actually issued at the competition are authoritative. The competition schedule and score weights are shown in Table 1.

Table 1 Competition schedule and score weighting

Module number   Module name                                                                                Competition time (hours)   Weight
A               Infrastructure setup and security reinforcement                                            3                          20%
B               Cybersecurity incident response, digital forensics investigation and application security                             40%
C               CTF Capture the Flag - Attack                                                              3                          20%
D               CTF Capture the Flag - Defense                                                                                        20%
Total                                                                                                      6                          100%

2. Matters needing attention in the competition

1. It is prohibited to carry and use mobile storage devices, calculators, communication tools and reference materials during the competition.

2. Please check, against the competition environment provided, whether the listed hardware equipment, software and materials are complete and whether the computer equipment works normally.

3. Please read all tasks in each section before doing anything. There may be some correlation between tasks.

4. During the operation, save the relevant results in time according to the answer requirements. After the competition, all equipment remains in its operating state, and the final evaluation is based on the final submitted results.

5. After the competition is completed, please keep the competition equipment, software and competition questions in your seats. It is prohibited to take all items used in the competition (including test papers, etc.) away from the competition venue.

6. Do not write any marks unrelated to the competition on the submitted materials; violations will be scored 0 points.

Competition content

Module A Infrastructure setup and security reinforcement

(20 points for this module)

1. Project and task description:

Assume that you are a network security engineer of an enterprise. For the enterprise's server systems, ensure the normal operation of each service according to the task requirements, and comprehensively apply user security management and password policies, local security policies, service security configuration, log security auditing, middleware security configuration, firewall policies and other security measures to improve the network security defense capability of the server systems. This module requires screenshots of the specific task operations with corresponding text descriptions, based on the Module A answer template provided at the competition site, written as a Word document and saved in PDF format with "race number + module A" as the file name. The PDF document is the only basis for scoring this module.

2. Server environment description

Windows username: administrator, password: 123456

Linux username: root, password: 123456

3. Specific tasks (the score of each task is based on the electronic answer sheet)

A-1 Task 1: Login security reinforcement (Windows, Linux)

Please make corresponding settings for server Windows and Linux as required to improve server security.

1. Password policy (Windows, Linux)

a. The minimum password length is no less than 13 characters;

b. Password must meet complexity requirements.

2. User security management (Windows)

a. Assign the "Take ownership of files or other objects" user right only to the Administrators group;

b. Prohibit ordinary users from using the command prompt;

c. Set not to display the last logged in user name.
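As an added example for the Linux side of item 1 (this is not part of the competition paper or its answer template), the following shell script sets the minimum length and complexity options in a pam_pwquality configuration file and reads the effective value back. It assumes the distribution reads `/etc/security/pwquality.conf` and that `pam_pwquality` is already enabled in the PAM password stack; the file path is a parameter so the functions can be tried on a scratch copy first, and the specific complexity values (three character classes, repeat limit, dictionary check) are choices made here, since the task only says the password must meet complexity requirements.

```shell
#!/bin/sh
# Added example for the Linux part of A-1 item 1 (not from the competition paper).
# All paths are parameters so the functions can be tried on a scratch copy.

# set_pwq FILE KEY VALUE : rewrite an existing "KEY = ..." line, commented
# out or not, so exactly one effective assignment remains; append if absent.
set_pwq() {
    file=$1; key=$2; value=$3
    if grep -Eq "^[# ]*${key}[[:space:]]*=" "$file"; then
        sed -i -E "s/^[# ]*${key}[[:space:]]*=.*/${key} = ${value}/" "$file"
    else
        printf '%s = %s\n' "$key" "$value" >> "$file"
    fi
}

# harden_pwquality FILE : item 1a (minlen 13) and 1b (complexity: at least
# three character classes, no more than three identical characters in a row,
# dictionary words rejected). The class count and repeat limit are choices
# made here; the task only says "must meet complexity requirements".
harden_pwquality() {
    set_pwq "$1" minlen 13
    set_pwq "$1" minclass 3
    set_pwq "$1" maxrepeat 3
    set_pwq "$1" dictcheck 1
}

# get_pwq FILE KEY : effective value of KEY (last uncommented assignment).
get_pwq() {
    grep -E "^${2}[[:space:]]*=" "$1" | tail -n 1 | sed -E 's/.*=[[:space:]]*//'
}

# demo_pwquality : run the hardening on a constructed copy of a weak default
# configuration and print the resulting minlen (13).
demo_pwquality() {
    tmp=$(mktemp)
    printf '# minlen = 8\nminclass = 1\n' > "$tmp"   # constructed weak settings
    harden_pwquality "$tmp"
    get_pwq "$tmp" minlen
    rm -f "$tmp"
}

# Real use (needs root): harden_pwquality /etc/security/pwquality.conf
demo_pwquality
```

`harden_pwquality /etc/security/pwquality.conf` applies the settings on a real host; `get_pwq` shows what is in force, and running `passwd` for a test account with a 12-character or single-class password is the practical check that PAM enforces it. The Windows half of the same item is set in the Password Policy node of the local security policy (secpol.msc): minimum length 13 and complexity requirements enabled.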

A-2 Task 2 Local Security Policy (Windows)

3. Require the user name not to be displayed when logging in;

4. Prompt users to change their password starting 5 days before it expires;

5. Require any user to press CTRL+ALT+DEL before logging into Windows;

6. Disable anonymous enumeration of SAM accounts and shares;

7. Disable the guest account.

A-3 Task 3 Database Security Policy

8. Run the mysql service as the unprivileged mysql account; mysql must not run with administrator account privileges;

9. Delete the default database (test);

10. Change the default mysql administrator user to: SuperRoot;

11. Use MySQL's built-in MD5 function to store the password of user user1 (P@ssw0rd1!) as its MD5 digest.
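Added example for items 8 to 11 (not from the competition paper or its reference solution): a shell script that prints the MySQL statements so they can be reviewed before being piped into the mysql client, plus a helper that makes sure `user=mysql` is present under `[mysqld]` in a my.cnf. Assumptions: the config path `/etc/my.cnf`, a `root@localhost` account, and the `Password` column name in `mysql.user` (MySQL 5.6 and earlier; 5.7 and later renamed it `authentication_string`, and an MD5 digest stored there is not a format MySQL's own authentication plugins accept, so item 11 is reproduced only because the task asks for it).

```shell
#!/bin/sh
# Added example for A-3 (not part of the competition paper).
# Everything is printed first; nothing touches the server unless APPLY=1.

# mysql_hardening_sql NEWADMIN USER PASSWORD : statements for items 9-11.
mysql_hardening_sql() {
    newadmin=$1; user=$2; pass=$3
    cat <<EOF
-- item 9: remove the default database and any grants that referred to it
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db = 'test' OR Db = 'test\\_%';
-- item 10: rename the default administrator (other root@host rows, if any, need the same)
RENAME USER 'root'@'localhost' TO '${newadmin}'@'localhost';
-- item 11: store the MD5 digest of the password for USER (column name assumed, see lead-in)
UPDATE mysql.user SET Password = MD5('${pass}') WHERE User = '${user}';
FLUSH PRIVILEGES;
EOF
}

# cnf_runs_as_mysql CNF : exit 0 when an uncommented "user=mysql" line exists.
cnf_runs_as_mysql() {
    grep -Eq '^[[:space:]]*user[[:space:]]*=[[:space:]]*mysql[[:space:]]*$' "$1"
}

# ensure_mysqld_user CNF : item 8, make mysqld drop privileges to the mysql
# account by adding "user=mysql" under [mysqld] (idempotent).
ensure_mysqld_user() {
    cnf=$1
    if cnf_runs_as_mysql "$cnf"; then return 0; fi
    if grep -q '^\[mysqld\]' "$cnf"; then
        sed -i '/^\[mysqld\]/a\
user=mysql' "$cnf"
    else
        printf '[mysqld]\nuser=mysql\n' >> "$cnf"
    fi
}

if [ "${APPLY:-0}" = 1 ]; then
    ensure_mysqld_user /etc/my.cnf              # path assumed; restart mysqld afterwards
    mysql_hardening_sql SuperRoot user1 'P@ssw0rd1!' | mysql -u root -p
    ps -o user= -C mysqld                        # should print "mysql" after the restart
fi
```

Run it without `APPLY` to read the generated statements; with `APPLY=1` it edits the config, pipes the SQL into `mysql` (prompting for the current root password) and shows which account `mysqld` runs as. A second run of `ensure_mysqld_user` leaves the file unchanged, so it is safe to include in a re-runnable hardening script.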

A-4 Task 4 Log Security Audit (Windows)

12. In the local security policy, enable "Audit directory service access" for the Windows system, auditing only failed operations;

13. In the local security policy, enable "Audit privilege use" for the Windows system, auditing both successful and failed operations;

14. In the local security policy, enable "Audit system events" for the Windows system, auditing both successful and failed operations;

15. In the local security policy, enable "Audit account management" for the Windows system, auditing both successful and failed operations;

16. In the local security policy, enable "Audit process tracking" for the Windows system, auditing only failed operations.

A-5 Task 5 Traffic Integrity Protection (Windows)

17. Configure HTTP redirection and HTTPS settings for the Web website so that it can only be accessed over HTTPS (Windows) (Note: the certificate is issued to test.com; access the website via https://www.test.com).

A-6 Task 6 Firewall Strategy (Linux)

18. Set the firewall to allow this machine to forward all data packets except the ICMP protocol;

19. To prevent Nmap and similar scanning software from detecting key information, set an iptables firewall policy that handles traffic on port 80;

20. To defend against denial-of-service attacks, set an iptables firewall policy that filters incoming traffic: allow at most 3 incoming packets per minute, with an instantaneous burst of at most 6 packets (packets beyond these limits are dropped and not processed);

21. Only DNS resolution request packets from the 172.16.0.0/24 LAN segment may be forwarded.
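Added example for items 18 to 21 (this is not the paper's reference solution): a shell script that builds the ruleset in iptables-restore format so it can be reviewed and syntax-checked with `iptables-restore --test` before it is loaded. The LAN segment defaults to 172.16.0.0/24 from item 21. Item 19 is read here as dropping port-80 packets with the flag combinations that NULL, Xmas and FIN probes use, which is one interpretation of its wording; the loopback and established-connection accepts are additions that keep administration sessions usable under the item-20 limit and can be removed if the literal rate limit over all incoming traffic is wanted.

```shell
#!/bin/sh
# Added example for A-6 items 18-21 (not the paper's reference solution).
# The ruleset is generated as text so it can be reviewed and syntax-checked;
# it is loaded only by apply_rules, which needs root.

# build_rules [LAN_CIDR] : print an iptables-restore ruleset. LAN_CIDR defaults
# to the 172.16.0.0/24 segment named in item 21.
build_rules() {
    lan=${1:-172.16.0.0/24}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# kept so local services and existing admin sessions are not throttled by
# the item-20 limit; remove both lines if the literal wording is required
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# item 19 (one reading of it): drop port-80 packets carrying the flag
# combinations used by NULL, Xmas and FIN probes
-A INPUT -p tcp --dport 80 --tcp-flags ALL NONE -j DROP
-A INPUT -p tcp --dport 80 --tcp-flags ALL FIN,PSH,URG -j DROP
-A INPUT -p tcp --dport 80 --tcp-flags ALL FIN -j DROP
# item 20: average 3 packets/minute, burst of 6; everything over that is dropped
-A INPUT -m limit --limit 3/minute --limit-burst 6 -j ACCEPT
-A INPUT -j DROP
# item 18: forward everything except ICMP (FORWARD policy is ACCEPT above)
-A FORWARD -p icmp -j DROP
# item 21: DNS requests are forwarded only from the LAN segment
-A FORWARD -p udp --dport 53 -s ${lan} -j ACCEPT
-A FORWARD -p tcp --dport 53 -s ${lan} -j ACCEPT
-A FORWARD -p udp --dport 53 -j DROP
-A FORWARD -p tcp --dport 53 -j DROP
COMMIT
EOF
}

# apply_rules [LAN_CIDR] : enable forwarding, parse-check, then load (root only).
apply_rules() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
    build_rules "$1" | iptables-restore --test || return 1   # syntax check only
    build_rules "$1" | iptables-restore
}

if [ "${APPLY:-0}" = 1 ]; then
    apply_rules "$1" && iptables -L -v -n
fi
```

`sh rules.sh` prints the ruleset for review; `APPLY=1 sh rules.sh` loads it and lists the resulting chains with packet counters, which is the evidence to screenshot for the answer sheet. Because the file is in iptables-restore format, the same text can be saved as `/etc/iptables/rules.v4` (or wherever the distribution's persistence package reads it) so the policy survives a reboot.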

Module B Cybersecurity Incident Response, Digital Forensics Investigation and Application Security

(40 points for this module, 4 points for each sub-task)

B-1 Task 1: Host Discovery and Information Collection

*Task description: Only the IP address of Server1 can be obtained

1. Use the penetration machine Kali2.0 (Nmap tool) to perform a stealth FIN scan of the target machine scenario, and submit the parameter that must be used in the command as the Flag value;

2. Use the penetration machine Kali2.0 (Nmap tool) to perform a stealth FIN scan of the target machine scenario, and submit the port information on the 7th line from the bottom of the output as the Flag value;

3. Use the penetration machine Kali2.0 (Nmap tool) to perform an Xmas Tree scan of the target machine scenario, and submit the parameter that must be used in the command as the Flag value;

4. Use the penetration machine Kali2.0 (Nmap tool) to perform an Xmas Tree scan of the target machine scenario, and submit the service name on the 5th line from the bottom of the output as the Flag value;

5. Use the penetration machine Kali2.0 (Nmap tool) to scan the target machine scenario using SYN packets instead of ACK packets, and submit the parameter that must be used in the command as the Flag value;

6. Use the penetration machine Kali2.0 (Nmap tool) to scan the target machine scenario using SYN packets instead of ACK packets, and submit the service status on the 8th line from the bottom of the output as the Flag value;

7. Use the penetration machine Kali2.0 (Nmap tool) to perform a parallel scan of the target machine scenario with the two scan types ACK and ICMP, and submit the parameter that must be used in the command as the Flag value;

8. Use the penetration machine Kali2.0 (Nmap tool) to perform a parallel scan of the target machine scenario with the two scan types ACK and ICMP, and submit the service name on the 3rd line from the bottom of the output as the Flag value.

B-2 Task 2: Windows operating system penetration testing

*Task description: Only the IP address of Server2 can be obtained

1. Use the penetration testing platform Kali on the local PC to perform a system service and version scanning penetration test on the server scenario Server2, and submit the service version information corresponding to the 1433 port in the operation display result as a Flag value (for example, 3.1.4500);

2. Conduct system service and version scanning and penetration testing on the server scenario Server2 through the penetration testing platform Kali on the local PC, and submit the fully qualified domain name of the host of the DNS server as the Flag value;

3. Submit as the Flag value the password of the low-privilege SQL Server database user on the target server (one that cannot execute system commands through the database);

4. Submit as the Flag value the password of the higher-privilege SQL Server database user on the target server (one that can execute system commands through database statements);

5. Find the file with the .docx suffix in the 266437 folder under C:\Windows\system32, and submit the document's content as the Flag value.

B-3 Task 3: Data Analysis and Digital Forensics

*Task description: Only the IP address of Server3 can be obtained

1. Use Wireshark to open and analyze the packet file logs.pcapng on the Server3 desktop; by analyzing the packet file attack.pcapng, find the ninth file in the directory scan performed by the malicious user, and submit its file name as the Flag value (form: [robots.txt]);

2. Continue examining the packet file logs.pcapng, analyze which ports the malicious user scanned, and submit all of them, from low to high, as the Flag value (form: [port name 1, port name 2, port name 3, ..., port name n]);

3. Continue examining the packet file logs.pcapng, analyze the file name the malicious user used to read from the server, and submit the file name as the Flag value (form: [robots.txt]);

4. Continue examining the packet file logs.pcapng, analyze the path where the malicious user wrote the one-sentence Trojan, and submit the path as the Flag value (form: [/root/whoami/]);

5. Continue examining the packet file logs.pcapng, analyze the password the malicious user used to connect to the one-sentence Trojan, and submit that password as the Flag value (form: [one-sentence password]);

6. Continue examining the packet file logs.pcapng, analyze which file the malicious user downloaded, and submit its file name with suffix as the Flag value (form: [file name.suffix]);

7. Continue examining the packet file logs.pcapng and submit the content of the file downloaded by the malicious user as the Flag value (form: [file content]).

B-4 Task 4: Man-in-the-Middle Attack Penetration Test

*Task description: Only the IP address of Server4 can be obtained

*Task description: Only the IP address of Server11 can be obtained

1. On the server scenario Server4, over which control was gained in the tasks above, view the local ARP cache table and submit the command used for this operation as the Flag value;

2. On the server scenario Server4, over which control was gained in the tasks above, clear the local ARP cache table and submit the command used for this operation as the Flag value;

3. Using the penetration testing platform Kali on the local PC, conduct man-in-the-middle penetration testing against the server scenarios Server4 and Server11: enable routing and forwarding on Kali, and submit the absolute path of the configuration file as the Flag value;

4. Using the penetration testing platform Kali on the local PC, conduct man-in-the-middle penetration testing against the server scenarios Server4 and Server11: use the arpspoof command to perform ARP poisoning of the client (Server4) and the server (Server11), and submit the parameter that must be used in this operation as the Flag value;

5. After the man-in-the-middle attack succeeds, the penetration testing platform Kali can observe the website login username and password that the client (Server4) submits to the login.php page on the server (Server11). On the Server4 desktop, use the Chrome browser to access the website http://Linux target machine ip/login.php on the Server11 server scenario and log in directly with the saved username and password; on Kali, capture packets with Wireshark and set a Wireshark filter rule that shows all HTTP request packets whose request method is POST, and submit the filter expression to be used as the Flag value (no spaces before or after the == symbol);

6. Analyze the captured POST request package and submit the password of the login website admin user submitted by the client (Server4) to the login.php page in the server (Server11) in the POST request content as the Flag value.

B-5 Task Five: Windows System Security

*Task description: Only the IP address of Server5 can be obtained

1. Use the penetration testing platform Kali on the local PC to perform system service and version scanning penetration testing on the server scenario Server5, and submit the service status information string corresponding to port 21 in the operation display result as a Flag value;

2. Submit the preferred DNS server address as the Flag value;

3. Find Flag1 and submit it as the Flag value;

4. Find Flag2 and submit it as Flag value;

5. Submit the password of the system's highest-privilege administrator account as the Flag value.

B-6 Task 6: Penetration Testing

*Task description: Only the IP address of Server6 can be obtained

1. Use the search command in the MSF tool to search for the MS12020 RDP denial of service attack module, and submit the vulnerability disclosure time in the echo result as the Flag value (for example: 2012-10-16);

2. Call the auxiliary scanning module of the MS12020 RDP denial of service vulnerability in the MSF tool, and submit the command calling this module as a Flag value;

3. Use the set command to set the target IP and check whether the target machine is vulnerable; run this module and submit the last word of the second-to-last line of the output as the Flag value;

4. Call and run the attack module for the MS12020 RDP denial-of-service vulnerability in the MSF tool, and submit the last word of the second-to-last line of the output after running it as the Flag value;

5. Log in to the target machine and stop the remote desktop service, then run the attack module for the MS12020 RDP denial-of-service vulnerability again; submit the last word of the second-to-last line of the output as the Flag value.

B-7 Task 7: Web Security Application

*Task description: Only the IP address of Server7 can be obtained

1. Use the penetration machine to scan the services running in the target machine and submit the complete HTTP service name as the Flag value;

2. Access the HTTP service of the target machine through the penetration machine (Firefox browser) at the URL http://target machine IP/rececit/enehevibo.php, recover the plaintext password by decrypting it, and submit the plaintext password as the Flag value;

3. Access the HTTP service of the target machine through the penetration machine (Firefox browser) at the URL http://target machine IP/irascence/futuresive.php, recover the plaintext password by decrypting it, and submit the plaintext password as the Flag value;

4. Access the HTTP service of the target machine through the penetration machine (Firefox browser) at the URL http://target machine IP/economyia/tortly.php, enter the new page by decrypting the password, and submit the URL of the new page as the Flag value (form: http://172.16.1.1/page path);

5. On the new page, obtain the password by decrypting the page content, and submit the password as the Flag value;

6. Access the HTTP service of the target machine through the penetration machine (Firefox browser) at the URL http://target machine IP/corticory/heseur.php, obtain the password by decrypting the page content, and submit the password as the Flag value.

B-8 Task 8: File MD5 verification

*Task description: Only the IP address of Server8 can be obtained

1. In the virtual machine operating system Server8, find the test.txt file in the /root directory, use the md5sum tool to calculate the file's md5 value, and submit the command string used to calculate it as the Flag value;

2. In the virtual machine operating system Server8, find the test.txt file in the /root directory, use the md5sum tool to calculate the file's md5 value, and submit the first 6 characters of the resulting md5 string as the Flag value;

3. In the virtual machine operating system Server8, rename test.txt in the /root directory to txt.txt, then use the md5sum tool to calculate the md5 value of txt.txt; subtract the first 5 characters of the md5 string previously obtained for test.txt from the first 5 characters of the md5 string of txt.txt, and submit the result as the Flag value;

4. In the virtual machine operating system Server8, use the md5sum tool to calculate the md5 value of the /etc/passwd file, write the resulting md5 value into the file passwd.md5, and submit the command string as the Flag value;

5. In the virtual machine operating system Server8, create a new user named user6 with password 123456. Calculate the md5 value of /etc/passwd again and compare it with the value in passwd.md5; subtract the first three characters of the md5 string of /etc/passwd before the user was added from the first three characters of the md5 string after the user was added, and submit the result as the Flag value.
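Added example for items 1 to 5 (not from the competition paper): shell functions that record a baseline digest, verify a file against it and compute the task's digit-prefix difference, exercised on a constructed scratch file rather than /etc/passwd. It shows the point behind items 3 and 5: renaming a file leaves its MD5 unchanged (difference 0), while appending a line, as creating user6 does to /etc/passwd, changes the digest, which is exactly what a stored baseline like passwd.md5 is meant to reveal.

```shell
#!/bin/sh
# Added example for B-8 (not from the competition paper): baseline/verify
# helpers around md5sum, exercised on a constructed scratch file.

# md5_of FILE : just the 32 hex characters (md5sum prints "digest  name").
md5_of() { md5sum "$1" | cut -d ' ' -f 1; }

# record_baseline FILE BASELINE : store the digest, as item 4 does for
# /etc/passwd -> passwd.md5.
record_baseline() { md5_of "$1" > "$2"; }

# verify_baseline FILE BASELINE : exit 0 if the content is unchanged, 1 otherwise.
verify_baseline() {
    [ "$(md5_of "$1")" = "$(cat "$2")" ]
}

# prefix_diff FILE_A FILE_B N : the arithmetic the task asks for in items 3
# and 5, first N hex characters of A's digest minus the first N of B's.
prefix_diff() {
    a=$(md5_of "$1" | cut -c 1-"$3")
    b=$(md5_of "$2" | cut -c 1-"$3")
    echo $(( 0x$a - 0x$b ))
}

# demo_integrity : prints "1 0": renaming keeps the digest, appending a line
# (as adding user6 does to /etc/passwd) changes it.
demo_integrity() {
    dir=$(mktemp -d)
    printf 'hello\n' > "$dir/test.txt"          # constructed content
    record_baseline "$dir/test.txt" "$dir/test.md5"
    mv "$dir/test.txt" "$dir/txt.txt"           # item 3: rename only
    verify_baseline "$dir/txt.txt" "$dir/test.md5" && same=1 || same=0
    printf 'user6:x:1006:1006::/home/user6:/bin/sh\n' >> "$dir/txt.txt"   # constructed passwd-style line
    verify_baseline "$dir/txt.txt" "$dir/test.md5" && unchanged=1 || unchanged=0
    rm -rf "$dir"
    echo "$same $unchanged"
}

demo_integrity
```

On the real host the task's own commands are `md5sum /root/test.txt`, `md5sum /etc/passwd > passwd.md5` and a second `md5sum /etc/passwd` after `useradd user6`. If the baseline file keeps md5sum's full output line (digest and path) instead of the bare digest, `md5sum -c passwd.md5` performs the comparison and reports OK or FAILED, which is the usual way to check a set of files against a stored baseline.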

B-9 Task 9: PE Reverse Engineering

*Task description: Only the IP address of Server9 can be obtained

1. Perform static debugging on the PE01.exe binary on the desktop of the target server scenario, and submit the entry address of the main function as the Flag value;

2. Perform static debugging on the PE01.exe binary on the desktop of the target server scenario, and submit the key function that checks the license in the binary as the Flag value;

3. Perform static debugging on the PE01.exe binary on the desktop of the target server scenario, find the Flag1 value and submit it;

4. Perform static debugging on the PE01.exe binary on the desktop of the target server scenario, try to crack the binary, and submit the message shown after successful registration as the Flag value;

5. Perform static debugging on the PE01.exe binary on the desktop of the target server scenario, and submit the license code required for activation as the Flag value.

B-10 Task 10: Emergency Response

*Task description: Only the IP address of Server10 can be obtained

1. A hacker broke into the local server over the network and planted a Trojan link on the Web server's home page. Find this link, delete it, and submit the corresponding title name as the Flag value;

2. A hacker broke into the local database server and added a super user with administrator rights other than admin; submit this user's password as the Flag value;

3. A hacker broke into the local server and created several super users on it. Delete all super administrator users except the Administrator user, then run net user in a command-line window and submit the first word to the right of Administrator as the Flag value;

4. The hacker modified the server's startup items. Delete the unnecessary startup programs and submit their names as the Flag value (multiple names separated by English commas, for example: hello,test);

5. The hacker stored a Trojan program somewhere on the server. Find this Trojan program, remove it, and submit the Trojan's file name as the Flag value.

Module C CTF Capture the Flag-Attack

(20 points for this module)

1. Project and task description:

Suppose you are a network security penetration testing engineer at a company, responsible for the security protection of some of the company's servers. To better find the various problems and vulnerabilities that may exist in the corporate network, you try various attack methods against specific targets in order to understand the latest attack methods and techniques, understand the mindset of network attackers, and improve your defense strategies.

Please use Google Chrome on the client to log in to the attack machine based on the information provided in the "Field Parameter Table".

2. Operating system environment description:

Client operating system: Windows 10

Attack machine operating system: Kali Linux 2019 version

Target server operating system: Linux/Windows

3. Description of the vulnerability:

1. Vulnerabilities in the server may be regular vulnerabilities or system vulnerabilities;

2. The website on the target server may have command injection vulnerabilities. Players are required to find command injection-related vulnerabilities and use this vulnerability to obtain certain permissions;

3. The website on the target machine server may have a file upload vulnerability. Players are required to find the relevant vulnerability for file upload and use this vulnerability to obtain certain permissions;

4. The website on the target server may have file inclusion vulnerabilities. Players are required to find the relevant file inclusion vulnerabilities and combine them with other vulnerabilities to obtain certain permissions and escalate them;

5. The services provided by the operating system may contain remote code execution vulnerabilities, requiring users to find remote code execution services and use this vulnerability to obtain system permissions;

6. The services provided by the operating system may contain buffer overflow vulnerabilities, requiring users to find services with buffer overflow vulnerabilities and use this vulnerability to gain system permissions;

7. There may be some system backdoors in the operating system. Players can find these backdoors and use the reserved backdoors to directly obtain system permissions.

4. Things to note:

1. You cannot attack the referee server. If you continue to attack after a warning, the participating team will be ordered to leave the field;

2. The Flag value is the unique identifier of each target server, and each target server has only one;

3. After hacking into the target machine, players are not allowed to close the port, change the password, restart or shut down the target machine, delete or modify the Flag, create unnecessary files, etc.;

4. After logging into the automatic scoring system, submit the Flag value of the target server and specify the IP address of the target server;

5. The competition venue provides target machines with different base scores according to difficulty. For each target machine server, the first three participating teams to obtain its Flag value receive extra points on top of the base score. Each team's total score in this stage counts toward its stage points; the specific extra-point rules are given in the competition scoring standards;

6. No additional time will be allowed in this session.

Module D CTF Capture the Flag-Defense

(20 points for this module)

1. Project and task description:

It is assumed that each contestant is a network security engineer of a security company, responsible for penetration testing and security protection of several servers. These servers may have various problems and vulnerabilities, and you need to perform penetration testing and security protection on them as soon as possible. Each participating team has its own bastion server, which other teams cannot access. Contestants use scanning, penetration testing and other means to detect security flaws in their bastion server and apply targeted reinforcement to improve the system's security defense capability.

Each player implements system defense by following steps such as discovering points that need reinforcement, implementing reinforcement, and testing the effectiveness of reinforcement. After completing the protection work, each team of players needs to prepare a system defense implementation report by themselves in the form of necessary text descriptions of the implementation steps and screenshots of key processes or key operation results. The implementation report is written in the form of a word document and saved in PDF format, with "race number + module D" as the file name. The PDF format document is the only basis for scoring this module.

Please use Google Chrome on the client to log in to the bastion server that needs to be reinforced, based on the information provided in the "Field Parameter Table".

2. Operating system environment description:

Client operating system: Windows 10

Attack machine operating system: Kali Linux 2019 version

Bastion server operating system: Linux/Windows

3. Description of the vulnerability:

1. Vulnerabilities in the bastion server may be regular vulnerabilities or system vulnerabilities;

2. The website on the bastion server may have command injection vulnerabilities. Players are required to find command injection-related vulnerabilities and use this vulnerability to obtain certain permissions;

3. The website on the bastion server may have file upload vulnerabilities. Players are required to find the relevant file upload vulnerabilities and use this vulnerability to obtain certain permissions;

4. The website on the bastion server may have file inclusion vulnerabilities. Players are required to find the relevant file inclusion vulnerabilities and combine them with other vulnerabilities to obtain certain permissions and escalate them;

5. The services provided by the operating system may contain remote code execution vulnerabilities, requiring users to find remote code execution services and use this vulnerability to obtain system permissions;

6. The services provided by the operating system may contain buffer overflow vulnerabilities, requiring users to find services with buffer overflow vulnerabilities and use this vulnerability to gain system permissions;

7. There may be some system backdoors in the operating system. Players can find these backdoors and use the reserved backdoors to directly obtain system permissions.

4. Things to note:

1. When strengthening the system, it is necessary to ensure the availability of external services provided by the bastion server;

2. You cannot attack the referee server. If you continue to attack after a warning, the participating team will be ordered to leave the field;

3. No additional time will be allowed in this session.

Origin blog.csdn.net/renxq097/article/details/128397605