2022 National Vocational College Skills Competition Question 3 (Secondary Vocational School Group)

2022 National Vocational College Skills Competition (Secondary Vocational School Group)

Cybersecurity competition test questions

(Total score 100 points)

Competition description

1. Introduction to competition projects

The "Cyber Security" competition consists of four modules: A. Infrastructure setup and security reinforcement; B. Cyber security incident response, digital forensic investigation and application security; C. CTF capture the flag - attack; D. CTF capture the flag - defense. Depending on the actual circumstances of the competition, the parameters, wording and environment of the questions used at the venue may be adjusted; the questions actually issued at the competition are authoritative. The competition schedule and score weights are shown in Table 1.

Table 1 Competition schedule and score weighting

Module number | Module name                                                                                 | Competition time (hours) | Weight
A             | Infrastructure setup and security reinforcement                                             | 3                        | 20%
B             | Cybersecurity incident response, digital forensics investigation and application security   |                          | 40%
C             | CTF Capture the Flag - Attack                                                               | 3                        | 20%
D             | CTF Capture the Flag - Defense                                                              |                          | 20%
Total         |                                                                                             | 6                        | 100%

2. Matters needing attention in the competition

1. It is prohibited to carry and use mobile storage devices, calculators, communication tools and reference materials during the competition.

2. Please check whether the listed hardware equipment, software list, and material list are complete according to the competition environment provided by the competition, and whether the computer equipment can be used normally.

3. Please read all tasks in each section before doing anything. There may be some correlation between tasks.

4. During the operation, relevant results need to be saved in a timely manner according to the answer requirements. After the competition, all equipment will remain in operation, and the final evaluation will be based on the final results submitted.

5. After the competition is completed, please keep the competition equipment, software and competition questions in your seats. It is prohibited to take all items used in the competition (including test papers, etc.) away from the competition venue.

6. It is prohibited to fill in any marks that are not related to the competition on the submitted materials. If the rules are violated, it will be regarded as 0 points.

Competition content

Module A Infrastructure setup and security reinforcement

(20 points for this module)

1. Project and task description:

Assume that you are the network security engineer of an enterprise. For the enterprise's server systems, ensure that each service operates normally as required by the tasks, and apply user security management and password policies, Nginx security policies, log monitoring policies, middleware service security policies, local security policies, firewall policies and other security policies to improve the servers' network security defense capabilities. For this module, screenshots of the specific task operations and the corresponding text descriptions must be written up as a Word document based on the Module A answer template provided at the competition site, saved in PDF format, and named "race number + module A". The PDF document is the only basis for scoring this module.

2. Server environment description

Windows username: administrator, password: 123456

Linux username: root, password: 123456

3. Specific tasks (the score of each task is based on the electronic answer sheet)

A-1 Task 1: Login security reinforcement (Windows, Linux)

Please make corresponding settings for server Windows and Linux as required to improve server security.

1. Password policy (Windows, Linux)

a. The minimum password length is no less than 13 characters;

b. Password must meet complexity requirements.

2. User security management (Windows)

a. Assign the "Take ownership of files or other objects" user right to the Administrators group only;

b. Prevent ordinary users from using the command prompt;

c. Do not display the last logged-on user name.

A-2 Task 2: Nginx Security Policy (Linux)

3. Disable directory browsing and hide the server version and information display;

4. Restrict HTTP request methods to only allow GET, HEAD, and POST;

5. Set the client request body read timeout to 10;

6. Set the client request header reading timeout to 10;

7. Drop the privileges of the Nginx service: run the service as the www user.
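As an added example (not part of the competition paper or of any answer key), the following shell script writes one Nginx configuration that meets items 3 to 7 of this task and then audits the written file for the required directives. The configuration file path, the document root /var/www/html and the existence of the www user are assumptions; the directive names are Nginx's own.

```shell
#!/bin/sh
# Added example, not part of the competition paper. Writes an Nginx configuration
# covering Task A-2 (items 3-7) and audits it. Paths are assumptions.
set -e

# Write the hardened configuration to the file named in $1
# (for example /etc/nginx/nginx.conf on the competition server; assumed path).
write_hardened_nginx_conf() {
    cat > "$1" <<'EOF'
# Item 7: worker processes run as the unprivileged www user (the user must exist;
# create it with "useradd -r -s /sbin/nologin www" if it does not).
user www;
worker_processes auto;

events { worker_connections 1024; }

http {
    # Item 3: hide the version in the Server header and on error pages.
    server_tokens off;

    # Items 5 and 6: give up on clients that take longer than 10 seconds to send
    # the request body or the request headers (Nginx's default unit is seconds).
    client_body_timeout 10;
    client_header_timeout 10;

    server {
        listen 80;
        root /var/www/html;   # assumed document root

        # Item 3: never list directory contents when no index file exists.
        autoindex off;

        # Item 4: only GET, HEAD and POST are accepted; anything else gets 405.
        if ($request_method !~ ^(GET|HEAD|POST)$) {
            return 405;
        }
    }
}
EOF
}

# Audit the file named in $1: return 0 only if every required directive is
# present and active (a leading "#" would mean it is commented out).
audit_nginx_conf() {
    f="$1"
    grep -Eq '^[[:space:]]*user[[:space:]]+www;'                 "$f" || { echo "not running as www";        return 1; }
    grep -Eq '^[[:space:]]*server_tokens[[:space:]]+off;'        "$f" || { echo "version still exposed";     return 1; }
    grep -Eq '^[[:space:]]*client_body_timeout[[:space:]]+10;'   "$f" || { echo "body timeout not 10";       return 1; }
    grep -Eq '^[[:space:]]*client_header_timeout[[:space:]]+10;' "$f" || { echo "header timeout not 10";     return 1; }
    grep -Eq '^[[:space:]]*autoindex[[:space:]]+off;'            "$f" || { echo "directory listing enabled"; return 1; }
    grep -Fq 'if ($request_method !~ ^(GET|HEAD|POST)$)'         "$f" || { echo "methods not restricted";    return 1; }
    return 0
}

# Usage: sh nginx_harden.sh /etc/nginx/nginx.conf && nginx -t && systemctl reload nginx
if [ -n "${1:-}" ]; then
    write_hardened_nginx_conf "$1"
    audit_nginx_conf "$1"
fi
```

The file audit only proves the directives are written; the live check after `nginx -t` and a reload is `curl -sI http://127.0.0.1/ | grep -i '^server:'`, which should show `Server: nginx` with no version, and `curl -s -o /dev/null -w '%{http_code}\n' -X DELETE http://127.0.0.1/`, which should print 405.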

A-3 Task 3: Log Monitoring (Windows)

8. The security log file size must be at least 128MB; when the maximum log size is reached, overwrite events older than 30 days;

9. The application log file size must be at least 64MB; when the maximum log size is reached, overwrite events older than 15 days;

10. The system log file size must be at least 32MB; when the maximum log size is reached, overwrite events as needed.

A-4 Task 4: Reinforce middleware services SSHD\VSFTPD\IIS (Windows, Linux)

11. SSH service hardening (Linux)

a. Change the SSH service port to 2222;

b. Prohibit remote login by the root user over SSH;

c. Set up scheduled tasks for the root user: the SSH service is started automatically at 7:50 every morning and stopped at 22:50; the SSH service is restarted at 7:30 every Saturday;

d. Change the storage location of the SSHD PID file.

12. VSFTPD service hardening (Linux)

a. Set the non-privileged system user that runs vsftpd to pyftp;

b. Limit the port range for client connections to 50000-60000;

c. Restrict local users' login activity to their home directories.

13. IIS hardening (Windows)

a. Enable IIS log auditing (save the log file in W3C format and record only the date, time, client IP address, user name and method);

b. Disable the WebDAV function of IIS to enhance website security.
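For the Linux parts of Task 1 (item 1, the password policy) and of this task (items 11 and 12), the following shell script is an added example, not the competition's own answer: it edits sshd_config, vsftpd.conf and pam_pwquality's configuration idempotently through one helper, and prints the root crontab lines for the SSH schedule. The configuration file paths are passed as arguments so the functions can be tried on copies first; the PID file location /var/run/sshd_hardened.pid, the use of systemctl, and the reading of "complexity" as one character from each of four classes are assumptions.

```shell
#!/bin/sh
# Added example, not part of the competition paper: Linux side of Tasks A-1 and A-4.
# Every function takes the configuration file path as $1 so it can be tried on a copy.
set -e

# set_conf FILE KEY SEP VALUE: make "KEY<SEP>VALUE" the active setting in FILE.
# An existing line for KEY (active or commented out) is replaced in place;
# otherwise the setting is appended. Running it twice leaves one line, not two.
set_conf() {
    file="$1" key="$2" sep="$3" value="$4"
    if grep -Eq "^[#[:space:]]*$key[[:space:]]*$sep" "$file"; then
        sed -i -E "s|^[#[:space:]]*$key[[:space:]]*$sep.*|$key$sep$value|" "$file"
    else
        printf '%s%s%s\n' "$key" "$sep" "$value" >> "$file"
    fi
}

# conf_value FILE KEY SEP: print the last active (uncommented) value for KEY.
conf_value() {
    grep -E "^[[:space:]]*$2[[:space:]]*$3" "$1" | tail -n 1 |
        sed -E "s/^[[:space:]]*$2[[:space:]]*$3[[:space:]]*//"
}

# Task A-1, item 1 (Linux): pam_pwquality, e.g. /etc/security/pwquality.conf.
# minlen 13 is the task's number; requiring one digit, one upper-case, one
# lower-case and one other character (credit -1) is the assumed reading of "complexity".
harden_password_policy() {
    set_conf "$1" minlen  " = " 13
    set_conf "$1" dcredit " = " -1
    set_conf "$1" ucredit " = " -1
    set_conf "$1" lcredit " = " -1
    set_conf "$1" ocredit " = " -1
}

# Task A-4, item 11 a/b/d: sshd_config. The PID file path is an assumption.
harden_sshd_config() {
    set_conf "$1" Port " " 2222
    set_conf "$1" PermitRootLogin " " no
    set_conf "$1" PidFile " " /var/run/sshd_hardened.pid
}

# Task A-4, item 11 c: root's scheduled tasks (minute hour day month weekday).
# Install without losing existing entries:  ( crontab -l; sshd_schedule ) | crontab -
sshd_schedule() {
    cat <<'EOF'
50 7 * * * /usr/bin/systemctl start sshd
50 22 * * * /usr/bin/systemctl stop sshd
30 7 * * 6 /usr/bin/systemctl restart sshd
EOF
}

# Task A-4, item 12: vsftpd.conf (unprivileged user, passive port range, chroot).
harden_vsftpd_config() {
    set_conf "$1" nopriv_user = pyftp
    set_conf "$1" pasv_min_port = 50000
    set_conf "$1" pasv_max_port = 60000
    set_conf "$1" chroot_local_user = YES
}
```

Before restarting sshd, validate the edited file with `sshd -t` and keep the current session open until a second login on port 2222 succeeds; the new port also has to be permitted by the host firewall (and by SELinux, where `semanage port -a -t ssh_port_t -p tcp 2222` is needed). The pyftp user must exist before vsftpd is restarted, and `conf_value` is the quick way to confirm each setting took effect on the real files.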

A-5 Task 5: Local Security Policy (Windows)

14. Disable anonymous enumeration of SAM accounts;

15. Do not allow the system to be shut down without logging on;

16. Do not allow storage of passwords and credentials for network authentication;

17. Do not apply Everyone permissions to anonymous users;

18. Force logoff when logon hours expire.

A-6 Task 6: Firewall Policy (Linux)

19. Set the firewall to allow this machine to forward all data packets except the ICMP protocol;

20. To prevent Nmap and other scanning software from detecting key information, set an iptables firewall policy that processes traffic on port 80;

21. To defend against denial of service attacks, set an iptables firewall policy that filters incoming traffic, limits the number of incoming packets allowed to 3 per minute, and sets the instantaneous traffic to a maximum of 6 packets processed at a time (packets exceeding the limit are discarded without processing);

22. Only DNS resolution request packets from the 172.16.0.0/24 LAN segment are allowed to be forwarded.
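The rule set below is an added example for items 19 to 22, not the competition's answer key. Item 20 is underspecified, so the block implements one defensible reading, labelled as an assumption: dropping port-80 TCP segments with flag combinations that never occur in a real connection and are characteristic of scanner probes. Setting IPT=echo lists the rules without applying them, which is how the ordering can be checked before touching a live firewall.

```shell
#!/bin/sh
# Added example, not part of the competition paper: iptables rules for Task A-6.
# IPT defaults to the real binary; set IPT=echo to list the rules without applying them.
set -e
IPT="${IPT:-iptables}"

apply_firewall_rules() {
    # Item 19: forward everything except ICMP. The chain policy is the default
    # verdict, so the ICMP DROP has to be an explicit rule in front of it.
    $IPT -P FORWARD ACCEPT
    $IPT -A FORWARD -p icmp -j DROP

    # Item 22: only DNS queries from 172.16.0.0/24 may be forwarded. The ACCEPT must
    # precede the DROP; with an ACCEPT policy it is the DROP that actually restricts.
    $IPT -A FORWARD -p udp --dport 53 -s 172.16.0.0/24 -j ACCEPT
    $IPT -A FORWARD -p udp --dport 53 -j DROP

    # Item 20 (assumed reading): drop TCP segments to port 80 with no flags set or
    # with only FIN+URG+PSH, which do not occur in a normal connection. They must sit
    # before the rate-limit ACCEPT below, or that rule would accept them first.
    $IPT -A INPUT -p tcp --dport 80 --tcp-flags ALL NONE -j DROP
    $IPT -A INPUT -p tcp --dport 80 --tcp-flags ALL FIN,URG,PSH -j DROP

    # Item 21: --limit is the sustained rate (3 per minute) and --limit-burst the
    # bucket size (6 packets accepted at once); packets over the bucket fall through
    # to the final DROP. On a production host, loopback and ESTABLISHED,RELATED
    # ACCEPT rules would normally come first; the task as written does not ask for them.
    $IPT -A INPUT -m limit --limit 3/minute --limit-burst 6 -j ACCEPT
    $IPT -A INPUT -j DROP
}

# List the active rules in the same form, for the screenshot and for checking order.
show_rules() { $IPT -S INPUT; $IPT -S FORWARD; }

# Usage: sh firewall.sh apply        (as root)
#        IPT=echo sh firewall.sh apply   (dry run: print the rules only)
if [ "${1:-}" = apply ]; then
    apply_firewall_rules
    show_rules
fi
```

`iptables -L INPUT -v -n` shows per-rule packet counters, so after applying the rules a burst of more than 6 packets from a test host should leave the counter on the final `DROP` rule increasing while the `limit` rule's counter stops at the bucket size.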

Module B Cybersecurity Incident Response, Digital Forensics Investigation and Application Security

(40 points for this module, 4 points for each sub-task)

B-1 Task 1: Host Discovery and Information Collection

*Task description: Only the IP address of Server1 can be obtained

1. Use the Nmap tool in Kali to view local routes and interfaces, and submit all commands used in this operation as Flag values;

2. Use Kali to perform a VNC service scan and penetration test against the target machine scenario, and submit the name of the script used as the Flag value (for example: MySQL-brute.nse);

3. Use Kali to perform a VNC service scan and penetration test against the target machine scenario, and submit the VNC version number shown in the result as the Flag value;

4. Use Nmap in Kali to send empty UDP data to perform a denial of service test against the DNS-like service avahi, and submit the name of the script used as the Flag value (for example: MySQL-brute.nse);

5. Use Kali to fuzz test the target machine scenario, sending abnormal packets to the target server to detect vulnerabilities hidden in the server, and submit the name of the script used as the Flag value (for example: MySQL-brute.nse);

6. Use the Zenmap tool in Kali to scan the server scenario for possible remote arbitrary code execution vulnerabilities, and submit the name of the script used as the Flag value (for example: MySQL-brute.nse);

7. Use the Zenmap tool in Kali to scan the server scenario for possible remote arbitrary code execution vulnerabilities (tip: the detection path is /cgi-bin/bin, so the parameter --script-args uri=/cgi-bin/bin must be added), and submit the vulnerability number and release time shown in the result as the Flag value (the vulnerability number and release time strings are separated by a semicolon).

B-2 Task 2: Penetration Testing

*Task description: Only the IP address of Server2 can be obtained

1. Use the search command in the MSF tool to find the MS12020 RDP denial of service module, and submit the vulnerability disclosure date shown in the output as the Flag value (for example: 2012-10-16);

2. Call the auxiliary scanning module for the MS12020 RDP denial of service vulnerability in the MSF tool, and submit the command used to call this module as the Flag value;

3. Use the set command to configure the target IP and check whether the target machine is vulnerable; run this module and submit the last word of the second-to-last line of the output as the Flag value;

4. Call and run the attack module for the MS12020 RDP denial of service vulnerability in the MSF tool, and submit the last word of the second-to-last line of the output after running this module as the Flag value;

5. Enter the target machine, close the remote desktop service, and run the attack module for the MS12020 RDP denial of service vulnerability again; submit the last word of the second-to-last line of the output as the Flag value.

B-3 Task 3: MySQL Security Test

*Task description: Only the IP address of Server3 can be obtained

1. Use a tool in the penetration machine scenario Kali to determine the MySQL port, and submit the MySQL port as the Flag value;

2. The administrator logged into the database through the web interface and executed the statement select '<?php echo \'<pre>\';system($_GET[\'cmd\']); echo \'</pre> ;\'; ?>' INTO OUTFILE 'C:/phpstudy/test1.php'. Using the result of this statement, run a DOS command to view the server's detailed configuration information, and submit the server's system model as the Flag value;

3. Use the msf tool in the penetration machine scenario Kali with the password.txt dictionary file in the root directory to crack the MySQL password (the account is root), and submit the module required to crack the MySQL password as the Flag value;

4. Use the msf tool in the penetration machine scenario Kali with the password.txt dictionary file in the root directory to crack the MySQL password (the account is root), and submit the MySQL password as the Flag value;

5. Log in to the database with the account and password from the previous question, and use the statement select '<?php @eval($_POST[admin]);?>'************ ' ;C:/phpstudy/shell.php' to write a one-sentence Trojan named shell.php to the server; submit the plain text hidden by the * characters in the statement as the Flag value (each * is a capital letter or a space);

6. Use the Chopper ("kitchen knife", 菜刀) client to connect to the shell.php from the previous question, download the compressed package in the server's root directory, and submit the Flag value contained in the package.

B-4 Task 4: Web Security Application

*Task description: Only the IP address of Server4 can be obtained

1. Scan the target machine Linux through the penetration machine and submit the port number of the HTTP service as the Flag value;

2. Penetrate the HTTP service of the target machine Linux through the penetration machine, and submit the URL of the Web vulnerability injection point as the Flag value (form: http://172.16.1.1/page path);

3. Access the target machine Windows through the penetration machine and obtain the packet file with the .pcapng suffix, which records the hacker's penetration test of the target machine Linux; submit the file name as the Flag value;

4. Analyze the pcapng packet file through the penetration machine and submit the password used by the hacker to log in to the administrator user as the Flag value;

5. Analyze the pcapng packet file through the penetration machine and submit the valid code in the Trojan file uploaded by the hacker as a Flag value;

6. Use the penetration machine to analyze the pcapng packet file and submit the password used by the hacker to connect to the database as the Flag value.

B-5 Task 5: Website XSS Vulnerability

*Task description: Only the IP address of Server5 can be obtained

1. Open the target machine website http://target machine IP/kzjb/, use the xsser command in the penetration machine scenario to check whether the target website has an XSS vulnerability, and submit the value of the Accur keyword in the command output as the FLAG value;

2. Log in to the target machine website as the test user (password: 123456), check whether the page with the input box has an XSS vulnerability, use a JavaScript statement to pop up the message "HelloWorld" on the page, and submit the name of the function needed for the pop-up as the FLAG value;

3. Analyze the page where the input box is located and submit the JavaScript function name that appears on the page as the FLAG value;

4. Download the Chinese text file from the target machine's FTP and submit its contents in the website input box; download the .py file from the target machine's FTP and run it; download the .pyc file from the target machine's FTP and run it; submit the second word of the first line of the .py file's output as the FLAG value;

5. Download the php file from the target machine's FTP, upload it through the page http://target machine IP/kzjb/upload.php, obtain the content of the file C:\flag.txt and submit it as the FLAG value.

B-6 Task 6: Data Analysis and Digital Forensics

*Task description: Only the IP address of Server6 can be obtained

1. Analyze the packet file Alpha-1.pcapng on the Server6 desktop, find the number of the packet in which the malicious user first accessed the server, and submit this number as the Flag value;

2. Continue with the packet file Alpha-1.pcapng, determine which ports the malicious user scanned, and submit all port numbers in ascending order as the Flag value (form: port 1, port 2, port 3..., port n);

3. Continue with the packet file Alpha-1.pcapng, determine the user name the malicious user used to log in to the backend, and submit the user name as the Flag value;

4. Continue with the packet file Alpha-1.pcapng, determine between which two packet numbers the malicious user exploited the MIME vulnerability, and submit the two packet numbers as the Flag value (format: 1,30);

5. Continue with the packet file Alpha-1.pcapng, determine the password the malicious user used to connect to the one-sentence Trojan, and submit that password as the Flag value;

6. Continue with the packet file Alpha-1.pcapng, determine the path to which the malicious user wrote the Trojan the second time, and submit the changed path, file name and suffix as the Flag value;

7. Continue with the packet file Alpha-1.pcapng, determine which file the malicious user downloaded, and submit the file content as the Flag value.

B-7 Task 7: Telnet Weak Password Penetration Test

*Task description: Only the IP address of Server7 can be obtained

1. Use the Zenmap tool in the penetration machine Kali2.0 to scan for live host IP addresses and the specified open ports 21, 22 and 23 within the network segment of the server scenario Windows (for example: 172.16.101.0/24), and submit the string that must be added to the command used for this operation as the Flag value (ignoring the IP address);

2. Use the penetration machine Kali2.0 to perform a system service and version scanning penetration test on the server scenario Windows, and submit the service port information corresponding to the TELNET service in the operation display result as a Flag value;

3. Use an MSF module in the penetration machine Kali2.0 to brute-force it: use the search command and submit the name of the weak-password scanning module found as the Flag value;

4. Based on the previous question, call the module and view the information that needs to be configured (using the show options command); submit the fields shown in the output for the target address, the password guessing dictionary, the thread count and the account as the Flag value (fields separated by English commas, for example hello,test,...,...);

5. Configure the target IP address in the msf module, and submit the first two words in the configuration command as Flag values;

6. Specify the password dictionary in the msf module (dictionary path /root/2.txt, user name user), brute-force the password and submit the password obtained as the Flag value;

7. Based on the previous question, use the password obtained in question 6 to telnet to the target machine, and submit the English words in the picture file Flag value.bmp on the desktop as the Flag value.

B-8 Task 8: Linux System Security

*Task description: Only the IP address of Server8 can be obtained

1. Use the local PC penetration testing platform Kali to perform system service and version scanning penetration testing on the server scenario Server8, and submit the service version information string corresponding to port 22 in the operation display result as a Flag value;

2. Find the image file in the /var/www directory and submit the file name as the Flag value;

3. Find Flag1 and submit it as the Flag value;

4. Find Flag2 and submit it as the Flag value;

5. Find Flag3 and submit it as the Flag value.

B-9 Task 9: Windows operating system penetration testing

*Task description: Only the IP address of Server9 can be obtained

1. Conduct system service and version scanning and penetration testing on the server scenario Server9 through the penetration testing platform Kali on the local PC, and submit the service version information corresponding to the 1433 port in the operation display result as a Flag value (for example, 3.1.4500);

2. Conduct system service and version scanning and penetration testing on the server scenario Server9 through the penetration testing platform Kali on the local PC, and submit the fully qualified domain name of the host of the DNS server as the Flag value;

3. Submit the password of the low-privileged SQL Server database user on the target server (one that cannot execute system commands through the database) as the Flag value;

4. Submit the password of the higher-privileged SQL Server database user on the target server (one that can execute system commands through database instructions) as the Flag value;

5. Find the file with the .docx suffix in the 266437 folder under C:\Windows\system32, and submit the document content as the Flag value.

B-10 Task 10: Emergency Response

*Task description: Only the IP address of Server10 can be obtained

1. Hackers broke into the local server over the network and inserted a Trojan link on the home page of the Web server. Find this link, delete it, and submit the corresponding title as the Flag value;

2. A hacker broke into the local database server and added a super user with administrator rights other than admin; submit this user's password as the Flag value;

3. Hackers broke into the local server and created multiple super users on it. Delete every super administrator user other than Administrator, then run net user in a command line window and submit the first word to the right of Administrator as the Flag value;

4. Hackers modified the server's startup items. Delete the unnecessary startup programs and submit the names of the startup programs as the Flag value (multiple names are separated by English commas, for example: hello,test);

5. The hacker stored a Trojan program somewhere on the server. Find this Trojan program, remove it, and submit the Trojan's file name as the Flag value.

Module C CTF Capture the Flag-Attack

(20 points for this module)

1. Project and task description:

Suppose you are a network security penetration testing engineer at a company, responsible for the security protection of some of the company's servers. In order to find the problems and vulnerabilities that may exist in the corporate network, you try various attack methods against specific targets so as to understand the latest attack methods and technologies, understand the mindset of network attackers, and improve your defense strategies.

Please use Google Chrome on the client to log in to the attack machine based on the information provided in the "Field Parameter Table".

2. Operating system environment description:

Guest operating system: Windows 10

Attack machine operating system: Kali Linux 2019 version

Target server operating system: Linux/Windows

3. Description of the vulnerability:

1. Vulnerabilities in the server may be regular vulnerabilities or system vulnerabilities;

2. The website on the target server may have command injection vulnerabilities. Players are required to find command injection-related vulnerabilities and use this vulnerability to obtain certain permissions;

3. The website on the target machine server may have a file upload vulnerability. Players are required to find the relevant vulnerability for file upload and use this vulnerability to obtain certain permissions;

4. There may be file inclusion vulnerabilities in the website on the target server. Players are required to find the relevant vulnerabilities contained in the files and combine them with other vulnerabilities to obtain certain permissions and escalate them;

5. The services provided by the operating system may contain remote code execution vulnerabilities, requiring users to find remote code execution services and use this vulnerability to obtain system permissions;

6. The services provided by the operating system may contain buffer overflow vulnerabilities, requiring users to find services with buffer overflow vulnerabilities and use this vulnerability to gain system permissions;

7. There may be some system backdoors in the operating system. Players can find these backdoors and use the reserved backdoors to directly obtain system permissions.

4. Things to note:

1. You cannot attack the referee server. If you continue to attack after a warning, the participating team will be ordered to leave the field;

2. The Flag value is the unique identifier of each target server, and each target server has only one;

3. After hacking into the target machine, players are not allowed to close the port, change the password, restart or shut down the target machine, delete or modify the Flag, create unnecessary files, etc.;

4. After logging into the automatic scoring system, submit the Flag value of the target server and specify the IP address of the target server;

5. The competition venue is equipped with target machines whose basic scores differ according to difficulty. For each target server, the first three participating teams to obtain its Flag value receive additional points on top of the basic score. Each team's total score in this stage counts as its stage score; for the specific bonus rules, refer to the competition scoring standards;

6. No additional time will be allowed in this session.

Module D CTF Capture the Flag-Defense

(20 points for this module)

1. Project and task description:

It is assumed that each contestant is a network security engineer at a security company, responsible for penetration testing and security protection of several servers. These servers may have various problems and vulnerabilities, and you need to perform penetration testing and security protection on them as soon as possible. Each participating team has its own bastion server, which other teams cannot access. Contestants use scanning, penetration testing and other means to detect security flaws in their bastion servers and perform targeted reinforcement to improve the security defense performance of the system.

Each contestant implements system defense by following the steps of discovering the points that need reinforcement, implementing the reinforcement, and testing its effectiveness. After completing the protection work, each team prepares its own system defense implementation report, consisting of the necessary text descriptions of the implementation steps and screenshots of key processes or key operation results. The implementation report is written as a Word document and saved in PDF format, named "race number + module D". The PDF document is the only basis for scoring this module.

Please use Google Chrome on the client to log in to the bastion server that needs to be reinforced, based on the information provided in the "Game Parameter Table".

2. Operating system environment description:

Guest operating system: Windows 10

Attack machine operating system: Kali Linux 2019 version

Bastion server operating system: Linux/Windows

3. Description of the vulnerability:

1. Vulnerabilities in the bastion server may be regular vulnerabilities or system vulnerabilities;

2. The website on the bastion server may have command injection vulnerabilities. Players are required to find command injection-related vulnerabilities and use this vulnerability to obtain certain permissions;

3. The website on the bastion server may have file upload vulnerabilities. Players are required to find the relevant file upload vulnerabilities and use this vulnerability to obtain certain permissions;

4. The website on the bastion server may have file inclusion vulnerabilities. Players are required to find the relevant vulnerabilities contained in the files and combine them with other vulnerabilities to obtain certain permissions and escalate them;

5. The services provided by the operating system may contain remote code execution vulnerabilities, requiring users to find remote code execution services and use this vulnerability to obtain system permissions;

6. The services provided by the operating system may contain buffer overflow vulnerabilities, requiring users to find services with buffer overflow vulnerabilities and use this vulnerability to gain system permissions;

7. There may be some system backdoors in the operating system. Players can find these backdoors and use the reserved backdoors to directly obtain system permissions.

4. Things to note:

1. When strengthening the system, it is necessary to ensure the availability of external services provided by the bastion server;

2. You cannot attack the referee server. If you continue to attack after a warning, the participating team will be ordered to leave the field;

3. No additional time will be allowed in this session.

Origin blog.csdn.net/renxq097/article/details/128397424