2022 National Vocational College Skills Competition Question 4 (Secondary Vocational School Group)

2022 National Vocational College Skills Competition (Secondary Vocational School Group)

Cybersecurity competition test questions

(Total score 100 points)

Competition description

1. Introduction to competition projects

The "Cybersecurity" competition is divided into four modules: A. Infrastructure setup and security reinforcement; B. Cybersecurity incident response, digital forensics investigation and application security; C. CTF capture the flag - attack; D. CTF capture the flag - defense. Depending on the actual situation at the venue, the parameters, wording and environment of the questions used in the competition may be adjusted; the questions actually issued at the competition are authoritative. The competition schedule and score weights are shown in Table 1.

Table 1 Competition schedule and score weighting

Module   Module name                                                              Time (hours)      Weight
A        Infrastructure setup and security reinforcement                          3                 20%
B        Cybersecurity incident response, digital forensics investigation         (shared with A)   40%
         and application security
C        CTF Capture the Flag - Attack                                            3                 20%
D        CTF Capture the Flag - Defense                                           (shared with C)   20%
Total                                                                             6                 100%

2. Matters needing attention in the competition

1. It is prohibited to carry and use mobile storage devices, calculators, communication tools and reference materials during the competition.

2. Please check, against the competition environment provided, that the listed hardware, software and materials are complete and that the computer equipment works normally.

3. Please read all tasks in each section before doing anything. There may be some correlation between tasks.

4. During the operation, relevant results need to be saved in a timely manner according to the answer requirements. After the competition, all equipment will remain in operation, and the final evaluation will be based on the final results submitted.

5. After the competition is completed, please keep the competition equipment, software and competition questions in your seats. It is prohibited to take all items used in the competition (including test papers, etc.) away from the competition venue.

6. It is prohibited to fill in any marks that are not related to the competition on the submitted materials. If the rules are violated, it will be regarded as 0 points.

Competition content

Module A Infrastructure setup and security reinforcement

(20 points for this module)

1. Project and task description:

Assume that you are a network security engineer of an enterprise. For the enterprise's server systems, ensure the normal operation of each service according to the task requirements, and apply user security management and password policies, local security policies, service security configuration, log security auditing, middleware security configuration, firewall policies and other security measures to improve the network security defense capabilities of the server systems. This module requires screenshots of the specific task operations and corresponding text descriptions, based on the Module A answer template provided at the competition site, written as a Word document and saved in PDF format with "race number + module A" as the file name. The PDF document is the only basis for scoring this module.

2. Server environment description

Windows username: administrator, password: 123456

Linux username: root, password: 123456

3. Specific tasks (the score of each task is based on the electronic answer sheet)

A-1 Task 1: Login security reinforcement (Windows)

1. Password policy

a. Enforce complexity requirements when changing or creating passwords;

b. The password must meet the complexity requirements;

c. The minimum password usage period is 10 days.

2. User security management

a. Disable the guest account and prohibit guest users from accessing the computer or accessing the built-in account of the domain;

b. Find and delete possible backdoor users in the server;

c. Ordinary users perform minimum privilege management, and only administrator accounts can shut down the system;

d. Disable forced shutdown from the remote system and assign this permission only to the administrators group.

A-2 Task 2 Local Security Policy (Windows)

3. Require that the user name not be displayed on the logon screen;

4. Prompt users to change their password starting 5 days before it expires;

5. Require any user to press CTRL+ALT+DEL before logging into Windows;

6. Disable anonymous enumeration of SAM accounts and shares;

7. Disable the guest account.

A-3 Task 3 Service Security Configuration (Windows)

8. Disable the NetBIOS protocol on TCP/IP and close the listening UDP 137 (netbios-ns), UDP 138 (netbios-dgm) and TCP 139 (netbios-ssn) ports;

9. Configure local policy so that the system cannot be shut down without logging on;

10. Require a password when resuming from the screen saver, and set the screen saver to start automatically after five minutes of inactivity;

11. For remote login accounts, set up automatic disconnection after 5 minutes of inactivity.

A-4 Task 4 Log Security Audit (Windows)

12. Enable audit directory service access to Windows systems in the local security policy, and only need to audit failed operations;

13. Enable the audit privilege use of the Windows system in the local security policy. Both successful and failed operations need to be audited;

14. Enable the auditing of Windows system events in the local security policy. Both successful and failed operations need to be audited.

A-5 Task 5 Middleware Security Hardening SSHD\VSFTPD\IIS (Windows, Linux)

15. SSHD service hardening

a. Modify the idle timeout of SSH connections;

b. Modify the login record level to INFO;

c. Prohibit the display of information after login.

16. VSFTPD service reinforcement

a. The maximum number of client connections allowed for the same client IP address is 10;

b. The maximum number of client connections is 100;

c. Set the timeout of the data connection to 2 minutes;

d. Set the file-creation mask (umask) for local users to 022.
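Tasks 15 and 16 are verified, in practice, by reading the configuration back rather than trusting the edit. The audit script below is an added example, not part of the competition paper: it checks an sshd_config and a vsftpd.conf against the required values using the real OpenSSH and vsftpd directive names, and assumes the SSH idle timeout (task 15a) is implemented with ClientAliveInterval and the post-login information (task 15c) with PrintMotd/PrintLastLog. The sample configuration files are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not the competition's own material): audit sshd_config and
# vsftpd.conf against tasks 15 and 16. Sample files below are constructed.

# Effective value of a directive: last uncommented occurrence wins. Handles both
# "Key value" (sshd) and "key=value" (vsftpd). Prints nothing if absent.
# Caveat: sshd "Match" blocks are not evaluated; check them separately.
conf_get() { # conf_get FILE KEY
    sed -n -E "s/^[[:space:]]*$2[[:space:]=]+([^[:space:]#]+).*/\1/p" "$1" | tail -n 1
}

# Task 15: idle timeout set (assumed: ClientAliveInterval > 0), LogLevel INFO,
# no information printed after login (assumed: PrintMotd/PrintLastLog no).
# Prints one line per failing item; returns 0 only when every item passes.
check_sshd() { # check_sshd FILE
    f=$1; rc=0
    v=$(conf_get "$f" ClientAliveInterval)
    [ -n "$v" ] && [ "$v" -gt 0 ] 2>/dev/null || { echo "sshd: ClientAliveInterval unset or 0 (no idle timeout)"; rc=1; }
    v=$(conf_get "$f" LogLevel)
    [ "$v" = "INFO" ] || { echo "sshd: LogLevel is '${v:-unset}', want INFO"; rc=1; }
    for k in PrintMotd PrintLastLog; do
        v=$(conf_get "$f" "$k")
        [ "$v" = "no" ] || { echo "sshd: $k is '${v:-unset}', want no"; rc=1; }
    done
    return $rc
}

# Task 16: 10 connections per client IP, 100 clients total,
# data connection timeout 2 minutes (120 s), local umask 022.
check_vsftpd() { # check_vsftpd FILE
    f=$1; rc=0
    for pair in max_per_ip=10 max_clients=100 data_connection_timeout=120 local_umask=022; do
        k=${pair%%=*}; want=${pair#*=}
        v=$(conf_get "$f" "$k")
        [ "$v" = "$want" ] || { echo "vsftpd: $k is '${v:-unset}', want $want"; rc=1; }
    done
    return $rc
}

# Constructed samples: a hardened pair and an unhardened "before" pair.
mk_samples() { # mk_samples DIR
    mkdir -p "$1"
    cat > "$1/sshd_config.good" <<'EOF'
Port 22
ClientAliveInterval 300
LogLevel INFO
PrintMotd no
PrintLastLog no
EOF
    cat > "$1/sshd_config.bad" <<'EOF'
Port 22
#ClientAliveInterval 300
LogLevel VERBOSE
PrintMotd yes
EOF
    cat > "$1/vsftpd.conf.good" <<'EOF'
listen=YES
local_enable=YES
max_per_ip=10
max_clients=100
data_connection_timeout=120
local_umask=022
EOF
    cat > "$1/vsftpd.conf.bad" <<'EOF'
listen=YES
local_enable=YES
max_per_ip=0
data_connection_timeout=300
local_umask=077
EOF
}

main() {
    d=${TMPDIR:-/tmp}/hardening-audit.$$
    mk_samples "$d"
    for c in good bad; do
        echo "== sample: $c =="
        check_sshd "$d/sshd_config.$c" && echo "sshd: all task-15 items present"
        check_vsftpd "$d/vsftpd.conf.$c" && echo "vsftpd: all task-16 items present"
    done
    rm -r "$d"
}
main
```

On a real host point check_sshd at /etc/ssh/sshd_config and check_vsftpd at /etc/vsftpd.conf (or /etc/vsftpd/vsftpd.conf), and remember that sshd only applies the file after a reload.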

17. IIS service hardening

a. Turn off FTP anonymous access;

b. To mitigate the IIS short file name vulnerability, add ~ as a denied URL sequence in request filtering;

c. Set the maximum number of concurrent connections to the website to 10.

A-6 Task 6 Firewall Policy (Windows)

18. Prohibit any machine from pinging this machine;

19. Prohibit this machine from pinging any machine;

20. Reject incoming packets whose TCP flag bits are all set or all clear;

21. Do not forward packets from the host with MAC address 29:0E:29:27:65:EF.

Module B Cybersecurity Incident Response, Digital Forensics Investigation and Application Security

(40 points for this module, 4 points for each sub-task)

B-1 Task 1: Information Collection and Utilization

*Task description: Only the IP address of Server1 can be obtained

1. Use the autoscan tool in the penetration machine Kali2.0 to scan for live hosts within the network segment where Server1 is located in the server scenario (for example: 172.16.101.0/24), and determine whether the network management service is enabled on the live hosts. If it is enabled, submit the host name of the host running the SNMP service as the Flag value;

2. Use the nmap tool in the penetration machine Kali2.0 to perform a UDP scan of the live hosts within the network segment of the server scenario Server1 and determine whether the network management service is open. If it is open, submit the open SNMP port numbers as the Flag value (separate each port with an English semicolon, for example 21;23); if it is not open, submit none as the Flag value;

3. Use the snmpwalk tool in the penetration machine Kali2.0 to test whether the server scenario Server1 has the Windows SNMP service enabled (the default community string is public; test the service by running snmpwalk against the .1.3.6.1.2.1.25.1.6 branch of the target machine, SNMP version v2c), and submit the parameters that must be used in the command for this operation as the Flag value (separate each parameter with an English semicolon, for example a;b);

4. Use the ADMsnmp tool in the penetration machine Kali2.0 to try to guess the community string, and submit the full command used as the Flag value (replace the IP with 192.168.100.10 when submitting the answer, and use the default dictionary snmp.passwd);

5. Switch to the onesixtyone tool, run the command that displays its help options, and submit the command entered as the Flag value;

6. Use onesixtyone in the penetration machine Kali2.0 to guess the SNMP community string of the target machine, and submit the full command used as the Flag value (submit the command that must be used, omitting the IP; the dictionary name is dict.txt);

7. Check the guessing results in the penetration machine Kali2.0, and submit the guessed community string shown in the output as the Flag value;

8. Select the new SNMP attack module snmpcheck in the penetration machine Kali2.0, use snmpcheck to collect information about the target machine based on the public community string obtained, and submit the parameters that must be used in the command for this operation as the Flag value;

9. Check the obtained system information, and submit the system administrator user and abnormal (hacker) user as Flag value (separate each user with an English semicolon, such as root; user).

B-2 Task 2: Database Penetration Testing

*Task description: Only the IP address of Server2 can be obtained

1. Use the zenmap tool in the penetration machine Kali2.0 to scan the surviving host IP addresses and specified open ports 1433, 3306, and 80 within the network segment where Server2 of the server scenario is located (for example: 172.16.101.0/24). And submit the string that must be used in the command used for the operation as the Flag value;

2. Use the penetration machine Kali2.0 to perform a system service and version scanning penetration test on the server scenario Server2, and submit the service port information corresponding to the database service in the operation display result as a Flag value;

3. Use the MSF module in the penetration machine Kali2.0 to brute-force the database: use the search command and submit the name of the weak-password scanning module as the Flag value;

4. Based on the previous question, use the command to call the module and view the information that needs to be configured (use the show options command). The target address, password guessing dictionary, thread and account configuration parameters will be displayed in the output; submit those fields as the Flag value (separated by English commas, such as hello,test,...,...);

5. Configure the target IP address in the msf module, and submit the first two words in the configuration command as Flag values;

6. Specify the password dictionary in the msf module; the dictionary path is /root/2.txt. Brute-force to obtain the password and submit the password obtained as the Flag value;

7. Switch to the new penetration module in the msf module, use the database service extended stored procedure in the server scenario server2003, and submit the command calling the module as a Flag value;

8. Based on the previous question, use the password obtained in question 6 to escalate privileges. At the same time, use the show options command to view the required configuration, configure the CMD parameter to view system users, and submit the configuration command as the Flag value;

9. Use the msf module to obtain system permissions and view the abnormal (hacker) user of the target system, and submit the user as a Flag value.

B-3 Task 3: Remote File Inclusion

*Task description: Only the IP address of Server3 can be obtained

1. Scan the target machine server and submit the target machine FTP service version as the Flag value;

2. Visit the target machine website http://target machine IP/rfi/, upload the image Trojan file to the target machine's file transfer service, and submit the URL of the uploaded file as the Flag value (form: http://192.168.1.1/file path);

3. View the contents of the /etc/passwd file and submit the username with uid 10003 as the Flag value;

4. Execute the php file in the target machine file transfer service and submit the output pop-up information as the Flag value;

5. Download the php file from the target machine's file transfer service and fill in its content. Execute the completed php file and submit the complete URL as the Flag value (form: http://192.168.1.1/page path);

6. Check the target machine kernel version and submit the target machine kernel version as the Flag value.

B-4 Task 4: Windows System Security

*Task description: Only the IP address of Server4 can be obtained

1. Use the penetration testing platform Kali on the local PC to perform system service and version scanning penetration testing on the server scenario Server4, and submit the service status information string corresponding to port 21 in the operation display result as a Flag value;

2. Submit the preferred DNS server address as the Flag value;

3. Find Flag1 and submit it as the Flag value;

4. Find Flag2 and submit it as Flag value;

5. Submit the password of the system’s highest authority administrator account as the Flag value.

B-5 Task 5: MySQL information collection

*Task description: Only the IP address of Server5 can be obtained

1. Use the penetration testing tool in the penetration machine scenario Kali to perform a service information scanning penetration test on the server scenario MySQL03 (using the Nmap tool), and submit the database version information in the operation display result as a Flag value;

2. Use the penetration testing tool in the penetration machine scenario Kali to brute-force the database of the server scenario MySQL03, and submit the database password as the Flag value (dictionary /root/mysql03.txt);

3. Remotely connect to the database of the server scenario MySQL03 through the penetration machine scenario Kali, and submit the number of databases as the Flag value;

4. Query the status of the database of the server scenario MySQL03 through the penetration machine scenario Kali, and submit the version in the database status as a Flag value;

5. Use the penetration machine scenario Kali to query the database in the server scenario MySQL03 for the currently used database, and submit the database name as the Flag value;

6. Query all user information of the database in the server scenario MySQL03 through the penetration machine scenario Kali, and submit the second-to-last user name as the Flag value;

7. Use the penetration machine scenario Kali to query the data file storage path of the database in the server scenario MySQL03, and submit the storage path as the Flag value.

B-6 Task 6: Web Penetration Testing

*Task description: Only the IP address of Server6 can be obtained

1. Get the PHP version number and submit it as a Flag value (for example: 5.2.14);

2. Get the version number of the MySQL database and submit it as a Flag value (for example: 5.0.22);

3. Obtain the kernel version number of the system and submit it as a Flag value (for example: 2.6.18);

4. Obtain the password of the website backend administrator admin user and submit it as a Flag value;

5. Find the txt file in the /root directory and submit the file content as the Flag value.

B-7 Task 7: Web Security Application

*Task description: Only the IP address of Server7 can be obtained

1. Scan the port of the target machine through the penetration machine (using the Nmap tool), and submit the service name of the HTTP service as the Flag value;

2. Use the Firefox browser of the penetration machine to access the target HTTP service root directory, find the injection point according to the page prompts, and submit the URL address of the injection point as the Flag value (form: http://172.16.1.1/page path);

3. Conduct penetration testing through the injection point of the target web application service, and submit the database name used by the current web application service as the Flag value;

4. Conduct a penetration test on the target injection point, and submit the table name of the second table (sorted in alphabetical order a-z) in the database used by the current web application service as the Flag value;

5. Access the target machine's HTTP service through the penetration machine, obtain the password of the site's backend administrator user, and submit the password as a Flag value.

B-8 Task 8: Data Analysis and Digital Forensics

*Task description: Only the IP address of Server8 can be obtained

1. Analyze the packet capture file Bravo-1.pcapng on the Server8 desktop, find the name of the second directory probed during the malicious user's directory scan, and submit that directory name as the Flag value;

2. Continue to view the data package file Bravo-1.pcapng, analyze the directory through which the malicious user wrote the one-sentence Trojan, and submit the directory name as the Flag value;

3. Continue to check the data package file Bravo-1.pcapng to analyze what files the malicious user has read on the server, and submit the file name and suffix as the Flag value;

4. Continue to check the data package file Bravo-1.pcapng to analyze the path where the malicious user writes the one-sentence Trojan, and submit the path as the Flag value;

5. Continue to check the data package file Bravo-1.pcapng to analyze the password used by the malicious user to connect to the one-sentence Trojan, and submit the one-sentence Trojan as the Flag value;

6. Continue to check the data package file Bravo-1.pcapng to analyze what files the malicious user downloaded, and submit the file name and suffix as Flag values;

7. Continue to view the data package file Bravo-1.pcapng and submit the database name connected to the Web server as the Flag value.

B-9 Task 9: CVE-2019-0708 vulnerability exploitation

*Task description: Only the IP address of Server9 can be obtained

1. Use the penetration testing platform Kali on the local PC to perform system service and version scanning on the target machine scenario Server1 and output the information to a specified file in XML format (use the tool Nmap). Submit the parameter that must be used to output the information to the specified file in XML format as the Flag value;

2. In the penetration testing platform Kali of the local PC, use the command to initialize the MSF database and submit this command as the Flag value;

3. In the penetration testing platform Kali on the local PC, open MSF, use db_import to import the scan results into the database, view the imported data, and submit the command to be used to view the data as the Flag value;

4. Use the search command in the MSF tool to search for the CVE-2019-0708 vulnerability exploitation module, and submit the vulnerability disclosure time in the echo result as the Flag value (such as: 2017-10-16);

5. Call the CVE-2019-0708 vulnerability attack module in the MSF tool, detect whether the target machine has a vulnerability, and submit the last word in the echo result as the Flag value.

B-10 Task 10: Wireshark packet analysis

*Task description: Only the IP address of Server10 can be obtained

1. Use Wireshark to view and analyze the capture4.pcap packet file on the PYsystem20191 desktop, find the account and password obtained by the hacker that successfully log in to the target server's FTP, and submit that account and password as the Flag value (separate the user name and password with an English comma, for example: root,toor);

2. Continue to analyze the data packet capture4.pcap, find out the time when the hacker used the obtained account and password to log in to FTP, and submit the time when the hacker logged in to FTP as a Flag value (for example: 14:22:08);

3. Continue to analyze the data packet capture4.pcap, find out the FTP service version number obtained by the hacker when connecting to the FTP server, and submit the obtained FTP service version number as the Flag value;

4. Continue to analyze the data packet capture4.pcap, find out the first command executed by the hacker after successfully logging into the FTP server, and submit the executed command as a Flag value;

5. Continue to analyze the data packet capture4.pcap, find out the key files downloaded by the hacker after successfully logging into the FTP server, and submit the downloaded file name as the Flag value;

6. Continue to analyze the packet file capture4.pcap, find the user name and password that the hacker obtained by brute-forcing the target server's Telnet service, and submit that user name and password as the Flag value (separate the user name and password with an English comma, for example: root,toor);

7. Continue to analyze the data packet capture4.pcap, find out the file added by the hacker in the root directory of the server website, and submit the file name as the Flag value;

8. Continue to analyze the packet file capture4.pcap, find the user added by the hacker to the server system, and submit the added user name and password as the Flag value (separate the user name and password with an English comma, for example: root,toor).

Module C CTF Capture the Flag-Attack

(20 points for this module)

1. Project and task description:

Suppose you are a network security penetration testing engineer of a certain company, responsible for the security protection of some of the company's servers. In order to better discover the problems and vulnerabilities that may exist in the corporate network, you try various attack methods against specific targets so as to understand the latest attack methods and technologies, understand the mindset of network attackers, and improve your defense strategies.

Please use Google Chrome on the client to log in to the attack machine based on the information provided in the "Field Parameter Table".

2. Operating system environment description:

Guest operating system: Windows 10

Attack machine operating system: Kali Linux 2019 version

Target server operating system: Linux/Windows

3. Description of the vulnerability:

1. Vulnerabilities in the server may be regular vulnerabilities or system vulnerabilities;

2. The website on the target server may have command injection vulnerabilities. Players are required to find command injection-related vulnerabilities and use this vulnerability to obtain certain permissions;

3. The website on the target machine server may have a file upload vulnerability. Players are required to find the relevant vulnerability for file upload and use this vulnerability to obtain certain permissions;

4. There may be file inclusion vulnerabilities in the website on the target server. Players are required to find the relevant vulnerabilities contained in the files and combine them with other vulnerabilities to obtain certain permissions and escalate them;

5. The services provided by the operating system may contain remote code execution vulnerabilities, requiring users to find remote code execution services and use this vulnerability to obtain system permissions;

6. The services provided by the operating system may contain buffer overflow vulnerabilities, requiring users to find services with buffer overflow vulnerabilities and use this vulnerability to gain system permissions;

7. There may be some system backdoors in the operating system. Players can find these backdoors and use the reserved backdoors to directly obtain system permissions.

4. Things to note:

1. You cannot attack the referee server. If you continue to attack after a warning, the participating team will be ordered to leave the field;

2. The Flag value is the unique identifier of each target server, and each target server has only one;

3. After hacking into the target machine, players are not allowed to close the port, change the password, restart or shut down the target machine, delete or modify the Flag, create unnecessary files, etc.;

4. After logging into the automatic scoring system, submit the flag value of the target server and specify the IP address of the target server;

5. The competition venue provides target machines with different base scores according to their difficulty. For each target machine server, the first three participating teams to obtain its Flag value receive additional points on top of the base score. The total score of each team in this stage counts toward the stage score; refer to the competition scoring standards for the specific bonus rules;

6. No additional time will be allowed in this session.

Module D CTF Capture the Flag-Defense

(20 points for this module)

1. Project and task description:

It is assumed that each contestant is a network security engineer of a security company and is responsible for penetration testing and security protection of several servers. These servers may have various problems and vulnerabilities, and you need to perform penetration testing and security protection on them as soon as possible. Each participating team has its own bastion server, which cannot be accessed by other teams. Contestants use scanning, penetration testing and other means to detect security flaws in their bastion servers and perform targeted reinforcement to improve the security defense performance of the system.

Each player implements system defense by following steps such as discovering points that need reinforcement, implementing reinforcement, and testing the effectiveness of reinforcement. After completing the protection work, each team of players needs to prepare a system defense implementation report by themselves in the form of necessary text descriptions of the implementation steps and screenshots of key processes or key operation results. The implementation report is written in the form of a word document and saved in PDF format, with "race number + module D" as the file name. The PDF format document is the only basis for scoring this module.

Please use Google Chrome on the client to log in to the fortress server that needs to be reinforced based on the information provided in the "Game Parameter Table".

2. Operating system environment description:

Guest operating system: Windows 10

Attack machine operating system: Kali Linux 2019 version

Bastion server operating system: Linux/Windows

3. Description of the vulnerability:

1. Vulnerabilities in the bastion server may be regular vulnerabilities or system vulnerabilities;

2. The website on the bastion server may have command injection vulnerabilities. Players are required to find command injection-related vulnerabilities and use this vulnerability to obtain certain permissions;

3. The website on the bastion server may have file upload vulnerabilities. Players are required to find the relevant file upload vulnerabilities and use this vulnerability to obtain certain permissions;

4. The website on the bastion server may have file inclusion vulnerabilities. Players are required to find the relevant vulnerabilities contained in the files and combine them with other vulnerabilities to obtain certain permissions and escalate them;

5. The services provided by the operating system may contain remote code execution vulnerabilities, requiring users to find remote code execution services and use this vulnerability to obtain system permissions;

6. The services provided by the operating system may contain buffer overflow vulnerabilities, requiring users to find services with buffer overflow vulnerabilities and use this vulnerability to gain system permissions;

7. There may be some system backdoors in the operating system. Players can find these backdoors and use the reserved backdoors to directly obtain system permissions.

4. Things to note:

1. When strengthening the system, it is necessary to ensure the availability of external services provided by the bastion server;

2. You cannot attack the referee server. If you continue to attack after a warning, the participating team will be ordered to leave the field;

3. No additional time will be allowed in this session.

Origin blog.csdn.net/renxq097/article/details/128397504