Question 8 of the 2022 National Vocational College Skills Competition (Secondary Vocational School Group)

Cybersecurity competition test questions

(Total score 100 points)

Competition description

1. Introduction to competition projects

The "Cyber Security" competition is divided into four modules: A. Infrastructure setup and security reinforcement; B. Cyber security incident response, digital forensic investigation and application security; C. CTF capture the flag - attack; D. CTF capture the flag - defense. Depending on the actual situation of the competition, the parameters, wording and environment of the questions actually used at the competition venue may be appropriately modified; the specific details are subject to the actual competition questions issued. The competition schedule and score weights are shown in Table 1.

Table 1 Competition schedule and score weighting

Module number | Module name                                                                               | Competition time (hours) | Weight
A             | Infrastructure setup and security reinforcement                                           | 3                        | 20%
B             | Cybersecurity incident response, digital forensics investigation and application security |                          | 40%
C             | CTF Capture the Flag - Attack                                                             | 3                        | 20%
D             | CTF Capture the Flag - Defense                                                            |                          | 20%
Total         |                                                                                           | 6                        | 100%

2. Matters needing attention in the competition

1. It is prohibited to carry and use mobile storage devices, calculators, communication tools and reference materials during the competition.

2. Please check whether the listed hardware equipment, software list, and material list are complete according to the competition environment provided by the competition, and whether the computer equipment can be used normally.

3. Please read all tasks in each section before doing anything. There may be some correlation between tasks.

4. During the operation, relevant results need to be saved in a timely manner according to the answer requirements. After the competition, all equipment will remain in operation, and the final evaluation will be based on the final results submitted.

5. After the competition is completed, please keep the competition equipment, software and competition questions in your seats. It is prohibited to take all items used in the competition (including test papers, etc.) away from the competition venue.

6. It is prohibited to fill in any marks that are not related to the competition on the submitted materials. If the rules are violated, it will be regarded as 0 points.

Competition content

Module A Infrastructure setup and security reinforcement

(20 points for this module)

1. Project and task description:

Assume that you are the network security engineer of an enterprise. For the enterprise's server system, ensure the normal operation of each service according to the task requirements, and comprehensively apply login and password policies, log security policies, middleware service security policies, traffic integrity policies, firewall policies, Web security policies and other security strategies to improve the network security defense capabilities of the server system. This module requires screenshots of the specific task operations and corresponding text descriptions, based on the Module A answer template provided at the competition site, written as a Word document and saved in PDF format with "race number + module A" as the file name. The PDF document is the only basis for scoring this module.

2. Server environment description

Windows username: administrator, password: 123456

Linux username: root, password: 123456

3. Specific tasks (the score of each task is based on the electronic answer sheet)

A-1 Task 1: Login security reinforcement (Windows, Linux)

1. Password policy (Windows, linux)

a. The minimum password length is no less than 8 characters;

b. The password policy must satisfy both uppercase and lowercase letters, numbers, and special characters.

2. Login strategy (Windows, linux)

a. When users log in to the system, there should be a "For authorized users only" prompt message;

b. Only 5 failed login attempts are allowed within one minute. If more than 5 attempts are made, the login account will be locked for 1 minute;

c. The remote user inactive session connection timeout should be less than or equal to 5 minutes.

3. User security management (Windows)

a. Harden remote management on the server with SSL/TLS to prevent sensitive information from being leaked or intercepted;

b. Find and delete any hacker accounts that may exist on the server;

c. Apply least-privilege management to ordinary users, so that only administrator accounts can shut down the system.

A-3 Task Three Traffic Integrity

4. Configure HTTP redirection and HTTPS settings for the Web website, and only use the HTTPS protocol to access the website (Windows) (Note: The certificate is issued to test.com and access the Web website through https://www.test.com).

A-3 Task 3 Log Security Audit (Windows)

5. Enable audit directory service access to the Windows system in the local security policy, and only need to audit failed operations;

6. Enable the audit privilege use of the Windows system in the local security policy. Both successful and failed operations need to be audited;

7. Enable the auditing of Windows system events in the local security policy. Both successful and failed operations need to be audited.

A-4 Task 4 Traffic Integrity Protection (Windows)

8. Configure HTTP redirection and HTTPS settings for the Web website, and only use the HTTPS protocol to access the website (Windows) (Note: The certificate is issued to test.com and access the Web website through https://www.test.com).

A-5 Task 5 Firewall Strategy

9. Disable port 445 on the Windows system;

10. Disable port 23 on the Windows system;

11. Use iptables on the Linux system to disable port 23;

12. Use iptables on the Linux system to prevent others from pinging it.

A-2 Task 2 Nginx Security Strategy (Linux)

13. Disable directory browsing and hide server version and information display;

14. Restrict HTTP request methods to only allow GET, HEAD, and POST;

15. Set the client request body read timeout to 10;

16. Set the client request header read timeout to 10;

17. Run the Nginx service with reduced privileges, starting the service as the www user.
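Added example for the Linux half of Module A (tasks 1-2 and 11-17), written for this page rather than taken from the competition materials: a shell script that renders the PAM, login banner, session timeout, iptables and Nginx settings into a staging directory so an administrator can review them before copying them into place as root. It assumes a PAM-based distribution with pam_pwquality and pam_faillock, an existing www system user, and a placeholder document root of /var/www/html.

```bash
#!/bin/sh
# Added example for Module A (Linux): renders the hardening settings for tasks
# 1-2 (password and login policy), 11-12 (iptables) and 13-17 (Nginx) into a
# staging directory. Nothing is applied to the running system; an administrator
# reviews the files and copies them to the paths noted in the comments as root.
# Assumptions: a PAM-based distribution with pam_pwquality and pam_faillock,
# an existing "www" system user, and /var/www/html as a placeholder web root.
set -eu

gen_linux_hardening() {
  out="$1"
  mkdir -p "$out"

  # Task 1a/1b -> /etc/security/pwquality.conf
  # A negative credit value means "require at least one character of this
  # class", so these four lines enforce upper, lower, digit and special.
  cat > "$out/pwquality.conf" <<'EOF'
minlen = 8
ucredit = -1
lcredit = -1
dcredit = -1
ocredit = -1
EOF

  # Task 2a -> /etc/issue and /etc/issue.net (plus "Banner /etc/issue.net"
  # in sshd_config so remote users see it before authenticating).
  printf 'For authorized users only\n' > "$out/issue.net"

  # Task 2b -> /etc/security/faillock.conf: 5 failures within 60 s lock the
  # account for 60 s (pam_faillock must also be enabled in the PAM stack).
  cat > "$out/faillock.conf" <<'EOF'
deny = 5
fail_interval = 60
unlock_time = 60
EOF

  # Task 2c -> /etc/profile.d/tmout.sh: idle shells exit after 300 s (5 min).
  printf 'readonly TMOUT=300\nexport TMOUT\n' > "$out/tmout.sh"

  # Tasks 11-12 -> run as root: drop telnet (tcp/23) and inbound ICMP echo
  # requests so the host no longer answers ping.
  cat > "$out/iptables.sh" <<'EOF'
iptables -A INPUT -p tcp --dport 23 -j DROP
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
EOF

  # Tasks 13-17 -> /etc/nginx/nginx.conf. "user www" is a main-context
  # directive; the worker processes drop from root to www after binding.
  cat > "$out/nginx.conf" <<'EOF'
user www;
events {}
http {
    server_tokens off;          # task 13: hide version in headers/error pages
    client_body_timeout 10;     # task 15: body read timeout (seconds)
    client_header_timeout 10;   # task 16: header read timeout (seconds)
    server {
        listen 80;
        root /var/www/html;     # placeholder document root
        autoindex off;          # task 13: no directory listings
        # task 14: anything other than GET, HEAD or POST is refused with 405
        if ($request_method !~ ^(GET|HEAD|POST)$) {
            return 405;
        }
    }
}
EOF
}

# Usage: sh harden.sh /tmp/harden-staging   (then review and copy as root)
if [ $# -eq 1 ]; then
  gen_linux_hardening "$1"
  ls -1 "$1"
fi
```

After copying nginx.conf into place, `nginx -t` confirms the syntax before the service is reloaded.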

Module B Cybersecurity Incident Response, Digital Forensics Investigation and Application Security

(40 points for this module, 4 points for each sub-task)

B-1 Task 1: Host Discovery and Information Collection

*Task description: Only the IP address of Server1 can be obtained

1. Use the penetration machine Kali2.0 to perform a TCP SYN scan of the target machine scenario (using the Nmap tool), and submit the parameter that must be used in the operation command as the Flag value;

2. Use the penetration machine Kali2.0 to perform a TCP SYN scan of the target machine scenario (using the Nmap tool), and submit the server information in the fourth line from the bottom of the displayed result as the Flag value;

3. Use the penetration machine Kali2.0 to scan the target machine scenario without pinging the host (using the Nmap tool), and submit the parameter that must be used in the operation command as the Flag value;

4. Use the penetration machine Kali2.0 to scan the target machine scenario without pinging the host (using the Nmap tool), and submit the number after ":" in the 10th line from the bottom of the displayed result as the Flag value;

5. Use the penetration machine Kali2.0 to perform a UDP scan penetration test on the target machine scenario, scanning only ports 53 and 111 (using the Nmap tool), and submit the status information of port 111 in the displayed result as the Flag value;

6. Use the penetration machine Kali2.0 to perform a TCP window scan penetration test on the target machine scenario (using the Nmap tool), and submit the parameter that must be used in the command for this operation as the Flag value;

7. Use the penetration machine Kali2.0 to perform an RPC scan penetration test on the target machine scenario (using the Nmap tool), and submit the parameter that must be used in the operation command as the Flag value;

8. Use the penetration machine Kali2.0 to perform an RPC scan penetration test on the target machine scenario (using the Nmap tool), and submit the service information on the 7th line from the bottom of the displayed result as the Flag value.

B-2 Task 2: FTP Weak Password Penetration Test

*Task description: Only the IP address of Server2 can be obtained

1. Use the Zenmap tool in the penetration machine Kali2.0 to scan for live host IP addresses and the specified open ports 21, 22 and 23 within the network segment where the server scenario Server2 is located (for example, 172.16.101.0/24), and submit the string that must be added to the command used for this operation as the Flag value (ignoring the IP address);

2. Use the penetration machine Kali2.0 to perform a system service and version scan penetration test on the server scenario Server2, and submit the service port information corresponding to the FTP service in the displayed result as the Flag value;

3. Use the MSF module in the penetration machine Kali2.0 to brute-force it: use the search command, and submit the name of the weak-password scanning module found as the Flag value;

4. Based on the previous question, use the command to invoke the module and view the information that needs to be configured (use the show options command). Submit the fields shown in the output for the target address, password-guessing dictionary, thread count and account configuration parameters as the Flag value (fields separated by English commas, such as hello,test,...,...);

5. Configure the target IP address in the msf module, and submit the first two words of the configuration command as the Flag value;

6. Specify the password dictionary in the msf module (dictionary path /root/2.txt, user name test), brute-force the password, and submit the obtained password as the Flag value;

7. Based on the previous question, use the password obtained in question 6 to log in to the FTP service, and submit the English words in the Flag value image file 2.bmp in the directory as the Flag value.

B-3 Task 3: PE Reverse Engineering

*Task description: Only the IP address of Server3 can be obtained

1. Perform static debugging on the PE01.exe binary file on the desktop of the target server scene, and submit the entry address of the main function as the Flag value;

2. Perform static debugging on the PE01.exe binary file on the desktop of the target server scene, and submit the key functions for checking the license in the binary file as Flag values;

3. Perform static debugging on the PE01.exe binary file on the desktop of the target server scene, find the Flag1 value and submit it;

4. Perform static debugging on the PE01.exe binary file on the desktop of the target server scene, try to crack the binary file, and submit the echo information after successful registration as the Flag value;

5. Perform static debugging on the PE01.exe binary file on the desktop of the target server scene, and submit the license code required for activation as the Flag value;

B-4 Task 4: MySQL Security Testing

*Task description: Only the IP address of Server4 can be obtained

1. Use the tool in the penetration machine scenario kali to determine the MySQL port, and submit the MySQL port as a Flag value;

2. The administrator logged into the database through the web interface and executed the statement select '<?php echo \'<pre>\';system($_GET[\'cmd\']); echo \'</pre> ;\'; ?>' INTO OUTFILE 'C:/phpstudy/test1.php'. Combined with this executed statement, use a DOS command to view the detailed configuration information of the server, and submit the server's system model as the Flag value;

3. Use the msf tool in the penetration machine scenario kali to use the password.txt dictionary file in the root directory to crack the MySQL password, and submit the modules required to crack the MySQL password as the Flag value (the account is root);

4. Use the msf tool in the penetration machine scenario kali to use the password.txt dictionary file in the root directory to crack the MySQL password, and submit the MySQL password as the Flag value (the account is root);

5. Use the database account and password from the previous question to log in to the database, and use the statement select '<?php @eval($_POST[admin]);?>'************ ' ;C:/phpstudy/shell.php' to submit a one-sentence Trojan named shell.php to the server; submit the plain text represented by * in the statement as the Flag value (each * is a capital letter or a space);

6. Use the China Chopper (Cai Dao) webshell client to connect to shell.php from the previous question, download the compressed package in the root directory of the server, and submit the Flag value contained in the compressed package.

B-5 Task 5: Traffic Analysis

*Task description: Only the IP address of Server5 can be obtained

1. Access the target machine through Kali at http://xxx.xxx.xxx.xxx:8081 (xxx.xxx.xxx.xxx is the IP address of the target machine, for example, 172.16.101.1:8081) to download the file and obtain the traffic package. Decompress the traffic package, obtain the file name in the traffic package and submit it as a Flag value (form: file name.file type);

2. Use wireshark in Kali to analyze the traffic packets downloaded from the server scenario Server5, use the filter expression in HTTP mode to filter the traffic packets of the HTTP GET method, and submit the filter expression command as a Flag value;

3. Analyze the filtered traffic based on the output from step 2, find the IP address of the traffic carrying the Flag value file, and submit the source IP address of the HTTP request packet (in the traffic package downloaded in step 1) that contains the Flag value information as the Flag value;

4. Use wireshark in the penetration testing platform Kali to find the target information file from the IP packet in the traffic packet containing the Flag value information, and submit the file name as the Flag value (form: file name.file type);

5. Use wireshark in the penetration testing platform Kali to analyze the downloaded traffic package, find the response IP and response content from the GET/POST request traffic containing the Flag value information, and submit the response IP (the IP in the traffic package) of the Flag value request as the Flag value;

6. Use the wireshark tool to analyze the data content in the response packet (the response packet corresponding to the Flag value request in step 5), and submit the file name in the response data as the Flag value (form: file name.file type);

7. Use the wireshark tool to extract the content in the traffic package (that is, the file content in the response packet of step 6), and submit the shortcut key of the wireshark function that must be used for the extraction operation as the Flag value (submission format xx+xx, such as ctrl+alt+F4);

8. Decompress the file extracted in step 7, and submit the first line of the decompressed file content as the Flag value.

B-6 Task Six: Windows System Security

*Task description: Only the IP address of Server6 can be obtained

1. Use the penetration testing platform Kali on the local PC to perform system service and version scanning penetration testing on the server scenario Server6, and submit the service status information string corresponding to port 21 in the operation display result as a Flag value;

2. Submit the preferred DNS server address as the Flag value;

3. Find Flag1 and submit it as the Flag value;

4. Find Flag2 and submit it as Flag value;

5. Submit the password of the system’s highest authority administrator account as the Flag value.

B-7 Task 7: Telnet Weak Password Penetration Test

*Task description: Only the IP address of Server7 can be obtained

1. Use the Zenmap tool in the penetration machine Kali2.0 to scan for live host IP addresses and the specified open ports 21, 22 and 23 within the network segment of the server scenario Server7 (for example, 172.16.101.0/24), and submit the string that must be added to the command used for this operation as the Flag value (ignoring the IP address);

2. Use the penetration machine Kali2.0 to perform a system service and version scan penetration test on the server scenario Server7, and submit the service port information corresponding to the TELNET service in the displayed result as the Flag value;

3. Use the MSF module in the penetration machine Kali2.0 to brute-force it: use the search command, and submit the name of the weak-password scanning module found as the Flag value;

4. Based on the previous question, use the command to invoke the module and view the information that needs to be configured (use the show options command). Submit the fields shown in the output for the target address, password-guessing dictionary, thread count and account configuration parameters as the Flag value (fields separated by English commas, such as hello,test,...,...);

5. Configure the target IP address in the msf module, and submit the first two words of the configuration command as the Flag value;

6. Specify the password dictionary in the msf module (dictionary path /root/2.txt, user name user), brute-force the password, and submit the obtained password as the Flag value;

7. Based on the previous question, use the password obtained in question 6 to telnet to the target machine, and submit the English words in the Flag value .bmp picture file on the desktop as the Flag value.

B-8 Task 8: Penetration Testing

*Task description: Only the IP address of Server8 can be obtained

1. Use the penetration testing platform Kali on the local PC to perform a system service and version scan penetration test on the target machine scenario Server8, outputting the information to a specified file in XML format (using the Nmap tool), and submit the parameter that must be used to output the information to the specified file in XML format as the Flag value;

2. In the penetration testing platform Kali of the local PC, use the command to initialize the MSF database and submit this command as the Flag value;

3. In the penetration testing platform Kali on the local PC, open MSF, use db_import to import the scan results into the database, view the imported data, and submit the command to be used to view the data as the Flag value;

4. Use the search command in the MSF tool to search for the MS17010 vulnerability exploitation module, and submit the vulnerability disclosure time in the echo results as the flag value (for example: 2017-10-16);

5. Call the MS17010 vulnerability attack module in the MSF tool, detect whether the target machine has a vulnerability, and submit the last word in the echo result as the Flag value.

B-9 Task 9: Application of Steganography

*Task description: Only the IP address of Server9 can be obtained

1. Find the files in folder 1 and submit the hidden information in the files as Flag values;

2. Find the files in folder 2 and submit the hidden information in the files as Flag values;

3. Find the files in folder 3 and submit the hidden information in the files as Flag values;

4. Find the files in folder 4 and submit the hidden information in the files as Flag values;

5. Find the files in folder 5 and submit the hidden information in the files as Flag values.

B-10 Task 10: Wireshark packet analysis

*Task description: Only the IP address of Server10 can be obtained

1. Use Wireshark to view and analyze the capture4.pcap packet capture file on the Server10 desktop, find the account and password obtained by the hacker that can successfully log in to the target server's FTP, and submit them as the Flag value (user name and password separated by an English comma, for example: root,toor);

2. Continue to analyze the data packet capture4.pcap, find out the time when the hacker used the obtained account and password to log in to FTP, and submit the time when the hacker logged in to FTP as a Flag value (for example: 14:22:08);

3. Continue to analyze the data packet capture4.pcap, find out the FTP service version number obtained by the hacker when connecting to the FTP server, and submit the obtained FTP service version number as the Flag value;

4. Continue to analyze the data packet capture4.pcap, find out the first command executed by the hacker after successfully logging into the FTP server, and submit the executed command as a Flag value;

5. Continue to analyze the data packet capture4.pcap, find out the key files downloaded by the hacker after successfully logging into the FTP server, and submit the downloaded file name as the Flag value;

6. Continue to analyze the packet capture capture4.pcap, find the user name and password that the hacker successfully obtained by brute-forcing the target server's Telnet service, and submit them as the Flag value (user name and password separated by an English comma, for example: root,toor);

7. Continue to analyze the data packet capture4.pcap, find out the file added by the hacker in the root directory of the server website, and submit the file name as the Flag value;

8. Continue to analyze the packet capture capture4.pcap, find the user added by the hacker on the server system, and submit the added user name and password as the Flag value (user name and password separated by an English comma, for example: root,toor).

Module C CTF Capture the Flag-Attack

(20 points for this module)

1. Project and task description:

Suppose you are a network security penetration testing engineer of a certain company, responsible for the security protection of some of the company's servers. In order to better discover the various problems and vulnerabilities that may exist in the corporate network, you attempt to attack specific targets with various attack methods, so as to understand the latest attack methods and technologies, understand the mindset of network hackers, and improve your defense strategies.

Please use Google Chrome on the client to log in to the attack machine based on the information provided in the "Field Parameter Table".

2. Operating system environment description:

Guest operating system: Windows 10

Attack machine operating system: Kali Linux

Target server operating system: Linux/Windows

3. Description of the vulnerability:

1. Vulnerabilities in the server may be regular vulnerabilities or system vulnerabilities;

2. The website on the target server may have command injection vulnerabilities. Players are required to find command injection-related vulnerabilities and use this vulnerability to obtain certain permissions;

3. The website on the target machine server may have a file upload vulnerability. Players are required to find the relevant vulnerability for file upload and use this vulnerability to obtain certain permissions;

4. There may be file inclusion vulnerabilities in the website on the target server. Players are required to find the relevant vulnerabilities contained in the files and combine them with other vulnerabilities to obtain certain permissions and escalate them;

5. The services provided by the operating system may contain remote code execution vulnerabilities, requiring users to find remote code execution services and use this vulnerability to obtain system permissions;

6. The services provided by the operating system may contain buffer overflow vulnerabilities, requiring users to find services with buffer overflow vulnerabilities and use this vulnerability to gain system permissions;

7. There may be some system backdoors in the operating system. Players can find these backdoors and use the reserved backdoors to directly obtain system permissions.

4. Things to note:

1. You cannot attack the referee server. If you continue to attack after a warning, the participating team will be ordered to leave the field;

2. The Flag value is the unique identifier of each target server, and each target server has only one;

3. After hacking into the target machine, players are not allowed to close the port, change the password, restart or shut down the target machine, delete or modify the Flag, create unnecessary files, etc.;

4. After logging into the automatic scoring system, submit the Flag value of the target server and specify the IP address of the target server;

5. The competition venue is equipped with target machines with different base scores according to difficulty. For each target machine server, the first three participating teams to obtain the Flag value receive additional points on top of the base score. The total score of each team at this stage counts as its stage score; the specific extra-point rules follow the competition scoring standards;

6. No additional time will be allowed in this session.

Module D CTF Capture the Flag-Defense

(20 points for this module)

1. Project and task description:

It is assumed that each contestant is a network security engineer of a security company and is responsible for penetration testing and security protection of several servers. These servers may have various problems and vulnerabilities, and you need to perform penetration testing and security protection on them as soon as possible. Each participating team has its own bastion server, which cannot be accessed by other teams. Contestants use scanning, penetration testing and other means to detect security flaws in their bastion servers and perform targeted reinforcement to improve the security defense performance of the system.

Each player implements system defense by following steps such as discovering the points that need reinforcement, implementing the reinforcement, and testing the effectiveness of the reinforcement. After completing the protection work, each team needs to prepare a system defense implementation report consisting of the necessary text descriptions of the implementation steps and screenshots of key processes or key operation results. The implementation report is written as a Word document and saved in PDF format, with "race number + module D" as the file name. The PDF document is the only basis for scoring this module.

Please use Google Chrome on the client to log in to the bastion server that needs to be reinforced, based on the information provided in the "Game Parameter Table".

2. Operating system environment description:

Guest operating system: Windows 10

Attack machine operating system: Kali Linux

Bastion server operating system: Linux/Windows

3. Description of the vulnerability:

1. Vulnerabilities in the bastion server may be regular vulnerabilities or system vulnerabilities;

2. The website on the bastion server may have command injection vulnerabilities. Players are required to find command injection-related vulnerabilities and use this vulnerability to obtain certain permissions;

3. The website on the bastion server may have file upload vulnerabilities. Players are required to find the relevant file upload vulnerabilities and use this vulnerability to obtain certain permissions;

4. The website on the bastion server may have file inclusion vulnerabilities. Players are required to find the relevant vulnerabilities contained in the files and combine them with other vulnerabilities to obtain certain permissions and escalate them;

5. The services provided by the operating system may contain remote code execution vulnerabilities, requiring users to find remote code execution services and use this vulnerability to obtain system permissions;

6. The services provided by the operating system may contain buffer overflow vulnerabilities, requiring users to find services with buffer overflow vulnerabilities and use this vulnerability to gain system permissions;

7. There may be some system backdoors in the operating system. Players can find these backdoors and use the reserved backdoors to directly obtain system permissions.

4. Things to note:

1. When strengthening the system, it is necessary to ensure the availability of external services provided by the bastion server;

2. You cannot attack the referee server. If you continue to attack after a warning, the participating team will be ordered to leave the field;

3. No additional time will be allowed in this session.

Origin blog.csdn.net/renxq097/article/details/128397567