Question 5 of the 2022 National Vocational College Skills Competition (Secondary Vocational School Group)

Cybersecurity competition test questions

(Total score 100 points)

Competition description

1. Introduction to competition projects

The "Cyber Security" competition consists of four modules: A. Infrastructure setup and security hardening; B. Cybersecurity incident response, digital forensic investigation and application security; C. CTF capture the flag - attack; D. CTF capture the flag - defense. Depending on conditions at the venue, the parameters, wording and environment of the questions actually used may be adjusted; the questions issued on the day are authoritative. The competition schedule and score weights are shown in Table 1.

Table 1 Competition schedule and score weighting

Module number | Module name | Competition time (hours) | Weight
A | Infrastructure setup and security hardening | 3 (A and B together) | 20%
B | Cybersecurity incident response, digital forensics investigation and application security | (shared with A) | 40%
C | CTF Capture the Flag - Attack | 3 (C and D together) | 20%
D | CTF Capture the Flag - Defense | (shared with C) | 20%
Total | | 6 | 100%

2. Matters needing attention in the competition

1. Carrying or using removable storage devices, calculators, communication tools and reference materials during the competition is prohibited.

2. Check against the competition environment provided that the listed hardware, software and materials are complete and that the computer equipment works normally.

3. Read all tasks in each part before starting work; tasks may be related to one another.

4. Save results promptly as the answer requirements specify while working. After the competition all equipment is left in its running state; scoring is based only on the final submitted results.

5. When the competition ends, leave the equipment, software and question paper at your seat. Nothing used in the competition (including the question paper) may be taken out of the venue.

6. Do not write any mark unrelated to the competition on submitted materials; a violation is scored as 0 points.

Competition content

Module A Infrastructure setup and security hardening

(20 points for this module)

1. Project and task description:

Assume that you are the network security engineer of an enterprise. For the enterprise's server systems, keep every service running as the tasks require and apply security measures such as user security management and password policy, local security policy, log security auditing, database security policy, Web security hardening and firewall policy, so that the servers' defensive capability is improved. For this module, screenshots of each task operation with the corresponding text description must be written into a Word document following the Module A answer template provided at the venue, saved in PDF format, and named "contestant number + Module A". The PDF document is the only basis for scoring this module.

2. Server environment description

Windows username: administrator, password: 123456

Linux username: root, password: 123456

3. Specific tasks (the score of each task is based on the electronic answer sheet)

A-1 Task 1: Logon security hardening (Windows)

1. Password policy

a. Passwords must meet complexity requirements (uppercase and lowercase letters, digits and special characters together);

b. Enforce password history: remember 5 passwords;

c. Maximum password age: 45 days;

d. Minimum password length: no fewer than 8 characters.

2. User security management

a. Prevent ordinary users from using registry editing tools and from using Ctrl+Alt+Del;

b. Do not display the user name at interactive logon;

c. Assign the "Take ownership of files or other objects" user right to the Administrators group only;

d. Prevent ordinary users from using the command prompt;

e. Do not display the last logged-on user name.

A-2 Task 2: Local security policy settings (Windows)

3. Clear the virtual memory pagefile when the system shuts down;

4. Do not allow the system to be shut down without logging on;

5. Disable "Recovery console: Allow floppy copy and access to all drives and all folders";

6. Disable "Recovery console: Allow automatic administrative logon";

7. Do not display the last logged-on user name.

A-3 Task 3: Log security auditing (Windows)

8. In the local security policy, enable "Audit directory service access"; only failures need to be audited;

9. In the local security policy, enable "Audit privilege use"; both success and failure must be audited;

10. In the local security policy, enable "Audit system events"; both success and failure must be audited;

11. In the local security policy, enable "Audit account management"; both success and failure must be audited;

12. In the local security policy, enable "Audit process tracking"; only failures need to be audited.

A-4 Task 4: Database hardening (Linux)

13. Run the mysql service under the ordinary account mysql; mysql must not run with administrator privileges;

14. Delete the default database (test);

15. Rename the default mysql administrator user to SuperRoot;

16. Using MySQL's built-in MD5() hashing function, set the password of user user1 to P@ssw0rd1!;

17. Grant user1 only the select, insert, delete and update privileges on all tables in the database.

A-5 Task 5: Web security hardening (Linux)

18. To reduce the load on the web site, limit it to at most 1000 concurrent connections;

19. Disable directory browsing so the web server's root directory cannot be enumerated, and prevent IIS short (8.3) file names from being disclosed;

20. Turn off the WebDAV function of IIS to improve the security of the web site.

A-6 Task 6: Firewall security policy (iptables)

21. For security, the Linux system must refuse SSH connections from everyone except the IP address 172.16.1.1;

22. During working hours, Monday to Friday from 08:30 to 18:00, open the local FTP service to hosts on the 192.168.1.0 network;

23. Limit FTP data-download requests to no more than 5 per minute;

24. Reject packets whose TCP flags are all set or all clear;

25. Configure iptables filter rules that block the 172.16.1.0/24 segment and lift the block after two hours.
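The script below is an added example for items 21 to 25 of Task A-6, not part of the question paper. It assumes SSH on 22/tcp and FTP on 21/tcp, reads "data download requests" in item 23 as new FTP control connections, evaluates the working-hours window in local time and the two-hour block in UTC, and uses GNU date (with a BSD fallback) to compute the block's end; all of these are assumptions. It also makes one rule-ordering decision that the task does not spell out: the two-hour block is inserted first, and since 172.16.1.1 lies inside 172.16.1.0/24 the SSH exception is suspended while the block is active.

```shell
#!/bin/sh
# Added example for Task A-6 (not part of the question paper): items 21-25 as
# one iptables script. Assumptions: SSH on 22/tcp and FTP on 21/tcp, the
# working-hours match in local time, the two-hour window in UTC, and GNU date
# (BSD fallback) for computing the end of that window.
set -eu

# With DRY_RUN set, commands are printed instead of executed so the rule set
# can be reviewed on a machine without root or iptables.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        echo "$*"
    else
        "$@"
    fi
}

now_utc()            { date -u '+%Y-%m-%dT%H:%M:%S'; }
two_hours_from_now() { date -u -d '+2 hours' '+%Y-%m-%dT%H:%M:%S' 2>/dev/null \
                       || date -u -v+2H '+%Y-%m-%dT%H:%M:%S'; }

apply_rules() {
    # Item 25: block 172.16.1.0/24 for two hours. Inserted at position 1 so it
    # is evaluated before everything else; the xt_time window makes the rule
    # stop matching by itself (it stays in the table until deleted).
    # Note: 172.16.1.1 is inside this block, so the SSH exception from item 21
    # is suspended while the window is active.
    run iptables -I INPUT 1 -s 172.16.1.0/24 -m time --utc \
        --datestart "$(now_utc)" --datestop "$(two_hours_from_now)" -j DROP

    # Item 24: drop packets with all TCP flags set (Xmas) or none set (Null).
    run iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    run iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

    # Item 21: SSH only from 172.16.1.1; any other SSH connection is dropped.
    run iptables -A INPUT -p tcp --dport 22 -s 172.16.1.1 -j ACCEPT
    run iptables -A INPUT -p tcp --dport 22 -j DROP

    # Items 22 and 23 in one rule: new FTP control connections from
    # 192.168.1.0/24, Mon-Fri 08:30-18:00, at most 5 per minute. Combining
    # them avoids a rate-limited ACCEPT that would also admit FTP outside
    # working hours. Everything else new to port 21 is dropped.
    run iptables -A INPUT -p tcp --dport 21 -s 192.168.1.0/24 \
        -m time --timestart 08:30 --timestop 18:00 --weekdays Mon,Tue,Wed,Thu,Fri \
        -m conntrack --ctstate NEW -m limit --limit 5/minute --limit-burst 5 -j ACCEPT
    run iptables -A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j DROP

    # Replies and FTP data connections (with nf_conntrack_ftp loaded) are
    # accepted as part of an established session.
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

case "${1:-}" in
    --apply) apply_rules ;;
    *)       DRY_RUN=1 apply_rules ;;   # default: print the rules only
esac
```

`sh fw.sh` prints the rules; `sh fw.sh --apply` loads them. Verify with `iptables -L INPUT -n -v --line-numbers`: the SSH ACCEPT for 172.16.1.1 must appear above the port-22 DROP, and the time-limited DROP for 172.16.1.0/24 must be line 1. Counters on the `--limit 5/minute` rule are the quickest way to show the rate limit working during the screenshot step.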

Module B Cybersecurity Incident Response, Digital Forensics Investigation and Application Security

(40 points for this module, 4 points for each sub-task)

B-1 Task 1: Linux System Security

*Task description: only the IP address of Server1 is provided

1. From the Kali penetration-testing platform on the local PC, run a service and version scan against the server scenario Server1 and submit the service version string shown for port 22 as the Flag value;

2. Find the image file in the /var/www directory and submit the file name as the Flag value;

3. Find Flag1 and submit it as the Flag value;

4. Find Flag2 and submit it as Flag value;

5. Find Flag3 and submit it as Flag value.

B-2 Task 2: Vulnerability Scanning and Exploitation

*Task description: only the IP address of Server2 is provided

1. From the Kali penetration-testing platform on the local PC, run a service and version scan against the target machine scenario Server2 with Nmap and write the results to a specified file in XML format; submit the Nmap parameter that produces the XML output as the Flag value;

2. On the Kali platform, run the command that initializes the MSF database and submit that command as the Flag value;

3. On the Kali platform, open MSF, import the scan results into the database with db_import, view the imported data, and submit the command used to view the data as the Flag value;

4. In MSF, use the search command to find the MS08-067 exploit module and submit the disclosure date shown in the output as the Flag value (for example: 2017-10-16);

5. In MSF, load the MS08-067 exploit module, check whether the target machine is vulnerable, and submit the last word of the output as the Flag value.
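The following is an added example for item 1 of B-1 and items 1 to 3 of B-2; it is not part of the question paper. It shows the Kali commands for a version scan saved as XML and imported into Metasploit, and adds an awk reader that pulls the per-port service string back out of the XML so the value you submit for port 22 can be checked against what `services` prints in msfconsole. The sample XML inside the script is constructed to look like `nmap -oX` output; its host address, ports and versions are illustrative, not taken from the task, and the reader assumes nmap's habit of writing each `<port>` element on a single line.

```shell
#!/bin/sh
# Added example for B-1 item 1 and B-2 items 1-3 (not part of the question paper).
# Scan with service/version detection, keep the result as XML for Metasploit,
# and read the per-port service string back out of the XML with awk.
# Assumptions: nmap writes each <port> element on one line (it does in -oX
# output); the sample XML below is constructed, not a real scan result.
set -eu

# Commands typed on Kali (not executed by this script):
#   nmap -sV -oX server.xml <Server2-IP>        # -oX: XML output to a file
#   msfdb init                                  # create and start the MSF database
#   msfconsole -q -x 'db_import server.xml; hosts; services; exit'

SAMPLE_XML='<?xml version="1.0" encoding="UTF-8"?>
<nmaprun scanner="nmap" args="nmap -sV -oX server.xml 172.16.1.20" start="0">
<host><status state="up" reason="arp-response"/>
<address addr="172.16.1.20" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="21"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ftp" product="vsftpd" version="3.0.2" method="probed" conf="10"/></port>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh" product="OpenSSH" version="7.4" extrainfo="protocol 2.0" method="probed" conf="10"><cpe>cpe:/a:openbsd:openssh:7.4</cpe></service></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="http" product="Apache httpd" version="2.4.6" extrainfo="(CentOS)" method="probed" conf="10"/></port>
<port protocol="tcp" portid="3306"><state state="filtered" reason="no-response" reason_ttl="0"/><service name="mysql" method="table" conf="3"/></port>
</ports>
</host>
</nmaprun>'

# One line per <port> element: "port/proto<TAB>state<TAB>name<TAB>product version (extrainfo)".
# Attribute values are taken with match()/substr(), which every POSIX awk has.
nmap_xml_services() {
    awk '
        function attr(name,    re) {
            re = name "=\"[^\"]*\""
            if (match($0, re))
                return substr($0, RSTART + length(name) + 2, RLENGTH - length(name) - 3)
            return ""
        }
        /<port / {
            svc = attr("product")
            if (attr("version") != "")   svc = svc " " attr("version")
            if (attr("extrainfo") != "") svc = svc " (" attr("extrainfo") ")"
            sub(/^ /, "", svc)
            printf "%s/%s\t%s\t%s\t%s\n", attr("portid"), attr("protocol"),
                   attr("state"), attr("name"), svc
        }
    ' "$1"
}

# Service string for one port, e.g. service_string 22 server.xml
# (this is the value nmap prints in its VERSION column for that port).
service_string() {
    nmap_xml_services "$2" | awk -F '\t' -v p="$1/" 'index($1, p) == 1 { print $4; exit }'
}

# Ports whose state is "open", one per line.
open_ports() {
    nmap_xml_services "$1" | awk -F '\t' '$2 == "open" { print $1 }'
}

if [ -n "${1:-}" ]; then
    nmap_xml_services "$1"                     # usage: sh nmap_services.sh server.xml
else
    demo=$(mktemp)
    printf '%s\n' "$SAMPLE_XML" > "$demo"
    nmap_xml_services "$demo"
    printf 'port 22 service string: %s\n' "$(service_string 22 "$demo")"
    rm -f "$demo"
fi
```

The product, version and extrainfo attributes are joined exactly the way nmap's normal output prints them, so `service_string 22 server.xml` on a real scan gives the string the task asks for, and comparing `open_ports` with the `services` listing in msfconsole confirms that db_import read the whole file.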

B-3 Task 3: Web Security Application

*Task description: only the IP address of Server3 is provided

1. From the attack machine, scan the services running on the target machine and submit the full name of the HTTP service as the Flag value;

2. From the attack machine, open http://<target machine IP>/rececit/enehevibo.php in Firefox, recover the plaintext password by cracking the stored value, and submit the plaintext password as the Flag value;

3. From the attack machine, open http://<target machine IP>/irascence/futuresive.php in Firefox, recover the plaintext password by cracking the stored value, and submit the plaintext password as the Flag value;

4. From the attack machine, open http://<target machine IP>/economyia/tortly.php in Firefox, crack the password to reach the next page, and submit the URL of that page as the Flag value (format: http://172.16.1.1/page path);

5. On the new page, recover the password by decoding the page content and submit it as the Flag value;

6. From the attack machine, open http://<target machine IP>/corticory/heseur.php in Firefox, recover the password by decoding the page content, and submit it as the Flag value.

B-4 Task 4: Traffic Analysis

*Task description: only the IP address of Server4 is provided

1. From Kali, open http://xxx.xxx.xxx.xxx:8081 (xxx.xxx.xxx.xxx is the target machine's IP address, for example 172.16.101.1:8081), download the archive containing the capture, extract it, and submit the name of the capture file inside it as the Flag value (format: filename.extension);

2. Open the capture downloaded from the server scenario Server4 in Wireshark on Kali, apply a display filter that shows only HTTP GET requests, and submit the filter expression as the Flag value;

3. Among the packets shown by the filter in step 2, find the request that carries the Flag file and submit the source IP address of that HTTP request as the Flag value;

4. In Wireshark on Kali, find the target information file in the IP packets that carry the Flag information and submit its file name as the Flag value (format: filename.extension);

5. In Wireshark on Kali, find the responding IP address and the response content for the GET/POST request that carries the Flag information, and submit the responding IP address (as it appears in the capture) as the Flag value;

6. Analyse the data in the response (the response to the request from step 5) with Wireshark and submit the file name found in the response data as the Flag value (format: filename.extension);

7. Extract that file's content from the capture (the file in the response from step 6) with Wireshark and submit the keyboard shortcut of the Wireshark function required for the extraction as the Flag value (format xx+xx, for example ctrl+alt+F4);

8. Decompress the file extracted in step 7 and submit the first line of its content as the Flag value.

B-5 Task 5: FTP Weak Password Penetration Test

*Task description: only the IP address of Server5 is provided

1. Using Zenmap on the Kali2.0 attack machine, scan the network segment where the server scenario Server5 is located (for example 172.16.101.0/24) for live hosts and for the specified open ports 21, 22 and 23, and submit the string that must be added to the command for this operation (excluding the IP address) as the Flag value;

2. From Kali2.0, run a service and version scan against Server5 and submit the port information shown for the FTP service as the Flag value;

3. In MSF on Kali2.0, use the search command to find a module for brute-forcing this service and submit the name of the weak-password scanning module as the Flag value;

4. Continuing from the previous question, load the module and list its settings with show options; submit the field names for the target address, the password dictionary, the thread count and the account, separated by commas (for example: hello,test,...,...), as the Flag value;

5. Configure the target IP address in the MSF module and submit the first two words of that configuration command as the Flag value;

6. Set the password dictionary to /root/2.txt and the user name to test in the MSF module, brute-force the password, and submit the password obtained as the Flag value;

7. Log in to the FTP service with the password from question 6 and submit the English word shown in the image file 2.bmp in that directory as the Flag value.

B-6 Task Six: Web Penetration Testing

*Task description: only the IP address of Server6 is provided

1. From the attack machine, scan the same network segment for the NBT service with NBTscan and submit the parameter that must be used for the intranet scan as the Flag value;

2. From the attack machine, scan the directories of the HTTP service on port 80 of the target machine (using the dictionary dict.txt and DirBuster) and submit the URL of the back-end management page as the Flag value (format: http://172.16.1.1/page path);

3. Log in to the back-end management system of the target machine's HTTP site through Firefox on the attack machine, locate the vulnerable page, and submit its URL as the Flag value (format: http://172.16.1.1/page path);

4. Exploit the vulnerability from the attack machine and submit the name of the target machine's database as the Flag value;

5. Exploit the vulnerability from the attack machine and submit the user name of the target machine's database as the Flag value;

6. Exploit the vulnerability from the attack machine and submit the password of the target machine's database as the Flag value.

B-7 Task 7: Man-in-the-Middle Attack Penetration Test

*Task description: only the IP addresses of Server7 and Server11 are provided

1. On the server scenario Server7 (control of which was obtained in the preceding tasks), view the local ARP cache and submit the command used as the Flag value;

2. On Server7, clear the local ARP cache and submit the command used as the Flag value;

3. To carry out a man-in-the-middle attack between Server7 and Server11 from the Kali penetration-testing platform on the local PC, enable IP forwarding on Kali and submit the absolute path of the configuration file as the Flag value;

4. From Kali, poison the ARP caches of the client Server7 and the server Server11 with arpspoof and submit the parameter required for this operation as the Flag value;

5. Once the man-in-the-middle attack succeeds, Kali can observe the user name and password that the client Server7 submits to the login.php page on Server11. On the Server7 desktop, open the Server11 web site http://<Linux target machine IP>/login.php in Chrome and log in with the saved user name and password; meanwhile capture with Wireshark on Kali and apply a filter that shows only HTTP requests whose method is POST. Submit the filter expression as the Flag value (no spaces around the == operator);

6. Analyse the captured POST request and submit the password of the admin user that Server7 submitted to login.php on Server11 as the Flag value.

B-8 Task 8: Steganography

*Task description: only the IP address of Server8 is provided

1. Find the files in folder 1 and submit the hidden information in the files as Flag values;

2. Find the files in folder 2 and submit the hidden information in the files as Flag values;

3. Find the files in folder 3 and submit the hidden information in the files as Flag values;

4. Find the files in folder 4 and submit the hidden information in the files as Flag values;

5. Find the files in folder 5 and submit the hidden information in the files as Flag values.

B-9 Task 9: File Upload Penetration Test

*Task description: only the IP address of Server9 is provided

1. From the Kali2.0 attack machine, run a directory brute-force scan of port 80 on the server scenario Server9 with DirBuster, using the default dictionary directory-list-2.3-medium.txt and setting the fuzzing variable to "{dir}", and submit the number on the sixth line (from the top) of the output as the Flag value;

2. Run the same DirBuster scan against port 80 of Server9, identify the upload point from the results, open the page containing it in Firefox, and submit the first word of the first line of that page as the Flag value;

3. Upload a one-line PHP webshell named backdoor.php to the server, open the console and run a local scan with SafeDog (website security dog); if the webshell is detected, submit its absolute path as the Flag value, otherwise submit false;

4. From Kali2.0, generate a webshell with weevely in the / directory, named backdoor.php with the password pass, and submit the fixed string in the command used as the Flag value;

5. Upload the weevely-generated webshell backdoor1.php to the server, open the console and run a local SafeDog scan; if the webshell is detected, submit its absolute path as the Flag value, otherwise submit false;

6. From Kali2.0, connect to the webshell on the target server with weevely and, once connected, submit the target server's host name as the Flag value;

7. Turn on all SafeDog protections, generate a new webshell with weevely and upload it to the target server; submit the second line of the page prompt shown after the upload as the Flag value;

8. With all SafeDog protections on, generate a webshell with weevely and upload it to the target server; if the upload succeeds, submit the parameter that had to be used when generating the webshell as the Flag value.

B-10 Task 10: Host Discovery and Information Gathering

*Task description: only the IP address of Server10 is provided

1. From Kali2.0, run a stealth FIN scan of the target machine scenario with Nmap and submit the parameter that must be used in the command as the Flag value;

2. Run the FIN scan with Nmap and submit the port information on the 7th line from the bottom of the output as the Flag value;

3. From Kali2.0, run an Xmas Tree scan of the target machine scenario with Nmap and submit the parameter that must be used in the command as the Flag value;

4. Run the Xmas Tree scan with Nmap and submit the service name on the 5th line from the bottom of the output as the Flag value;

5. From Kali2.0, scan the target machine scenario with Nmap using SYN packets instead of ACK packets and submit the parameter that must be used in the command as the Flag value;

6. Run that scan and submit the service state on the 8th line from the bottom of the output as the Flag value;

7. From Kali2.0, scan the target machine scenario with Nmap using the ACK and ICMP scan types in parallel and submit the parameters that must be used in the command as the Flag value;

8. Run that scan and submit the service name on the 3rd line from the bottom of the output as the Flag value.

Module C CTF Capture the Flag-Attack

(20 points for this module)

1. Project and task description:

Suppose you are a penetration-testing engineer at a company, responsible for the security of some of the company's servers. To uncover the problems and vulnerabilities that may exist in the corporate network, you attack specific targets with a range of methods in order to understand current attack techniques, understand the attacker's mindset, and improve your defensive strategy.

Using Google Chrome on the client, log in to the attack machine with the information provided in the "Competition Parameter Table".

2. Operating system environment description:

Client operating system: Windows 10

Attack machine operating system: Kali Linux 2019 version

Target server operating system: Linux/Windows

3. Description of the vulnerability:

1. Vulnerabilities in the server may be regular vulnerabilities or system vulnerabilities;

2. The website on the target server may have command injection vulnerabilities. Players are required to find command injection-related vulnerabilities and use this vulnerability to obtain certain permissions;

3. The website on the target machine server may have a file upload vulnerability. Players are required to find the relevant vulnerability for file upload and use this vulnerability to obtain certain permissions;

4. The website on the target server may have a file inclusion vulnerability. Players are required to find the file inclusion vulnerability and combine it with other vulnerabilities to obtain certain permissions and escalate them;

5. The services provided by the operating system may contain remote code execution vulnerabilities, requiring users to find remote code execution services and use this vulnerability to obtain system permissions;

6. The services provided by the operating system may contain buffer overflow vulnerabilities, requiring users to find services with buffer overflow vulnerabilities and use this vulnerability to gain system permissions;

7. There may be some system backdoors in the operating system. Players can find these backdoors and use the reserved backdoors to directly obtain system permissions.

4. Things to note:

1. You cannot attack the referee server. If you continue to attack after a warning, the participating team will be ordered to leave the field;

2. The Flag value is the unique identifier of each target server, and each target server has only one;

3. After hacking into the target machine, players are not allowed to close the port, change the password, restart or shut down the target machine, delete or modify the Flag, create unnecessary files, etc.;

4. After logging into the automatic scoring system, submit the Flag value of the target server and specify the IP address of the target server;

5. The venue provides target machines with different base scores according to difficulty. For each target server, the first three teams to obtain its Flag value receive extra points on top of the base score. Each team's total for this stage is its stage score; see the competition scoring standard for the exact bonus rules;

6. No additional time will be allowed in this session.

Module D CTF Capture the Flag-Defense

(20 points for this module)

1. Project and task description:

Assume that each contestant is a network security engineer at a security company, responsible for penetration testing and protecting several servers. These servers may have a variety of problems and vulnerabilities, and you must test and protect them as quickly as possible. Each team has its own bastion server, which other teams cannot access. Contestants use scanning, penetration testing and other means to find the security flaws in their bastion server and harden it accordingly to improve the system's defensive performance.

Each contestant implements the defence by finding the points that need hardening, applying the hardening, and testing that it is effective. After the protection work is done, each team writes its own system defence implementation report, with the necessary text description of the steps and screenshots of the key processes or results. The report is written as a Word document, saved in PDF format and named "contestant number + Module D". The PDF document is the only basis for scoring this module.

Using Google Chrome on the client, log in to the bastion server to be hardened with the information provided in the "Competition Parameter Table".

2. Operating system environment description:

Client operating system: Windows 10

Attack machine operating system: Kali Linux 2019 version

Bastion server operating system: Linux/Windows

3. Description of the vulnerability:

1. Vulnerabilities in the bastion server may be regular vulnerabilities or system vulnerabilities;

2. The website on the bastion server may have command injection vulnerabilities. Players are required to find command injection-related vulnerabilities and use this vulnerability to obtain certain permissions;

3. The website on the bastion server may have file upload vulnerabilities. Players are required to find the relevant file upload vulnerabilities and use this vulnerability to obtain certain permissions;

4. The website on the bastion server may have a file inclusion vulnerability. Players are required to find the file inclusion vulnerability and combine it with other vulnerabilities to obtain certain permissions and escalate them;

5. The services provided by the operating system may contain remote code execution vulnerabilities, requiring users to find remote code execution services and use this vulnerability to obtain system permissions;

6. The services provided by the operating system may contain buffer overflow vulnerabilities, requiring users to find services with buffer overflow vulnerabilities and use this vulnerability to gain system permissions;

7. There may be some system backdoors in the operating system. Players can find these backdoors and use the reserved backdoors to directly obtain system permissions.

4. Things to note:

1. When strengthening the system, it is necessary to ensure the availability of external services provided by the bastion server;

2. You cannot attack the referee server. If you continue to attack after a warning, the participating team will be ordered to leave the field;

3. No additional time will be allowed in this session.

Origin blog.csdn.net/renxq097/article/details/128397521