2024 Gansu Vocational College Skills Competition (Secondary Vocational Teacher Group) Network Security Competition Sample Question Paper ③

1. Competition time
Total: 360 minutes
2. Competition stage
3. Contents of the competition mission statement
(1) Topology map


Module A Infrastructure Settings/Security Reinforcement (200 points)

1. Project and task description:
Assume that you are a network security engineer of an enterprise. For the enterprise's server systems, keep every service running as the tasks require, and comprehensively apply login security hardening, database security policy, traffic integrity policy, event monitoring policy, firewall policy, IP protocol security configuration and other security policies to improve the network security defense capability of the server systems. This module requires screenshots of the specific task operations together with corresponding text descriptions, written as a Word document based on the Module A answer template provided at the competition site, saved in PDF format and named "competitor number + Module A". The PDF document is the only basis for scoring this module.
2. Server environment description
Windows username: administrator, password: 123456
Linux username: root, password: 123456
3. Specific tasks (the score of each task is based on the electronic answer sheet)

A-1 Task 1 Login Security Hardening (Windows, Linux)

Please make corresponding settings for server Windows and Linux as required to improve server security.
1. Password policy (Windows, Linux)
a. The minimum password length is no less than 13 characters;
b. The password must meet the complexity requirements.
2. User security management (Windows)
a. Assign the "Take ownership of files or other objects" user right only to the Administrators group;
b. Prohibit ordinary users from using the command prompt;
c. Do not display the user name of the last logon.

A-2 Task 2 Nginx Security Strategy (Linux)

3. Disable directory browsing and hide server version and information display;
4. Restrict HTTP request methods, only allowing GET, HEAD, and POST;
5. Set the client request body read timeout to 10 seconds;
6. Set the client request header read timeout to 10 seconds;
7. Run the Nginx service with reduced privileges, starting it as the www user.
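The five Nginx items above, as an added example that is not part of the competition paper: a script that writes a hardened server block, moves the worker user to www, and then checks that every required directive is actually present before the screenshot is taken. The file paths (/etc/nginx/conf.d/hardened.conf, /var/www/html), the choice of `return 444` for disallowed methods and the layout of nginx.conf are assumptions; the stand-alone run below only touches copies in a temporary directory.

```shell
#!/usr/bin/env bash
# Added example for task A-2: write a hardened Nginx server block, switch the
# worker user to www, and verify the result. Paths are assumptions.
set -eu

# write_hardened_nginx_conf DEST
#   Writes a server block that satisfies items 3-6 of task A-2.
write_hardened_nginx_conf() {
    cat > "$1" <<'EOF'
server {
    listen 80;
    server_name _;
    root /var/www/html;

    # item 3: no directory listing, no version number in the Server header
    # or on error pages (server_tokens off still leaves the word "nginx")
    autoindex off;
    server_tokens off;

    # items 5 and 6: client body / header read timeouts, in seconds
    client_body_timeout 10;
    client_header_timeout 10;

    # item 4: only GET, HEAD and POST; anything else gets the connection
    # closed without a response (444 is Nginx's "drop connection" code)
    if ($request_method !~ ^(GET|HEAD|POST)$) {
        return 444;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
EOF
}

# set_nginx_user NGINX_CONF USER
#   Item 7: the 'user' directive lives in the main context, so remove any
#   existing (or commented) user line and put the new one at the top.
set_nginx_user() {
    local conf=$1 user=$2 tmp
    tmp=$(mktemp)
    {
        printf 'user %s;\n' "$user"
        grep -vE '^[[:space:]]*#?[[:space:]]*user[[:space:]]' "$conf" || true
    } > "$tmp"
    cat "$tmp" > "$conf"     # cat, not mv, keeps the file's owner and mode
    rm -f "$tmp"
}

# check_nginx_hardening SERVER_CONF NGINX_CONF
#   Returns the number of required directives that are missing (0 = pass).
check_nginx_hardening() {
    local missing=0 d
    for d in 'autoindex off;' 'server_tokens off;' 'client_body_timeout 10;' \
             'client_header_timeout 10;' 'return 444;'; do
        grep -qF -- "$d" "$1" || { echo "missing: $d" >&2; missing=$((missing + 1)); }
    done
    grep -qE '^[[:space:]]*user[[:space:]]+www[[:space:]]*;' "$2" \
        || { echo "missing: user www;" >&2; missing=$((missing + 1)); }
    return "$missing"
}

# Stand-alone run: operate on copies in a temp directory, never on the live files.
demo_dir=$(mktemp -d)
printf 'user nginx;\nworker_processes auto;\n' > "$demo_dir/nginx.conf"
write_hardened_nginx_conf "$demo_dir/hardened.conf"
set_nginx_user "$demo_dir/nginx.conf" www
check_nginx_hardening "$demo_dir/hardened.conf" "$demo_dir/nginx.conf" \
    && echo "all A-2 directives present in $demo_dir"
```

Two caveats worth a sentence in the answer sheet: `server_tokens off` removes the version but not the product name from the Server header (hiding it entirely needs the headers-more module or a custom build), and the www user must exist and be able to read the document root before `nginx -t && systemctl reload nginx`. Verify with `curl -I` (no version string) and `curl -X DELETE -I` (connection closed).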

A-3 Task 3 Log Monitoring (Windows)

8. The security log file size must be at least 128 MB; when the maximum log size is reached, overwrite events older than 30 days;
9. The application log file size must be at least 64 MB; when the maximum log size is reached, overwrite events older than 15 days;
10. The system log file size must be at least 32 MB; when the maximum log size is reached, overwrite events as needed.

A-4 Task 4 Middleware Service Hardening SSHD\VSFTPD\IIS (Windows, Linux)

11. SSH service hardening (Linux)
a. Modify the ssh service port to 2222;
b. Disable root user remote login via ssh;
c. Set scheduled tasks for the root user: start the ssh service automatically at 7:50 every morning and stop it at 22:50; restart the ssh service at 7:30 every Saturday;
d. Modify the SSHD PID file storage location.
12. VSFTPD service hardening (Linux)
a. Set the non-privileged system user running vsftpd to pyftp;
b. Limit the port range of client connections to 50000-60000;
c. Limit local user login activities to the home directory.
13. IIS hardening (Windows)
a. Enable IIS log auditing (log file format W3C; record only date, time, client IP address, user name and method);
b. Turn off the WebDAV function of IIS to improve website security.
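Item 1 of task A-1 (Linux side) and items 11 and 12 above are all edits to key/value configuration files plus a root crontab, so one added example (not from the competition paper) covers them: an idempotent `set_directive` helper applied to /etc/login.defs and /etc/security/pwquality.conf for the password policy, to sshd_config for the port, root login and PID file, and to vsftpd.conf for the FTP items, together with the crontab lines for the sshd schedule. Assumptions: the PID file path /var/run/sshd-hardened.pid (the task only says to move it), the pam_pwquality credit values used to express "complexity", and the service name sshd (Debian-family systems call the unit ssh).

```shell
#!/usr/bin/env bash
# Added example for tasks A-1 (Linux) and A-4: idempotent config edits plus the
# sshd cron schedule. Run the harden_* functions as root on the real files;
# the stand-alone demo at the bottom only touches copies in a temp directory.
set -eu

# set_directive FILE KEY VALUE SEP
#   Remove every existing definition of KEY (active or commented out) and append
#   "KEY<SEP>VALUE", so exactly one definition survives. SEP is ' ' for
#   sshd_config and login.defs, '=' for vsftpd.conf, ' = ' for pwquality.conf.
set_directive() {
    local file=$1 key=$2 value=$3 sep=$4 tmp
    tmp=$(mktemp)
    grep -vE "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|=)" "$file" > "$tmp" || true
    printf '%s%s%s\n' "$key" "$sep" "$value" >> "$tmp"
    cat "$tmp" > "$file"      # cat, not mv: keeps owner/mode of the original
    rm -f "$tmp"
}

# get_directive FILE KEY -> value of the first active KEY line (empty if none)
get_directive() {
    sed -nE "s/^[[:space:]]*$2([[:space:]]*=[[:space:]]*|[[:space:]]+)([^[:space:]]+).*/\2/p" "$1" | head -n1
}

# Task A-1 item 1 (Linux): 13-character minimum and complexity via pam_pwquality.
# minclass=4 requires all four character classes; the -1 credits mean "at least
# one of each" instead of granting length credit. These exact values are an
# assumption about what "complexity requirements" means to the grader.
apply_password_policy() {
    local login_defs=${1:-/etc/login.defs} pwq=${2:-/etc/security/pwquality.conf}
    set_directive "$login_defs" PASS_MIN_LEN 13 ' '
    set_directive "$pwq" minlen 13 ' = '
    set_directive "$pwq" minclass 4 ' = '
    for c in dcredit ucredit lcredit ocredit; do
        set_directive "$pwq" "$c" -1 ' = '
    done
}

# Task A-4 items 11a, 11b, 11d. The PidFile path is an assumption.
harden_sshd_config() {
    local f=${1:-/etc/ssh/sshd_config}
    set_directive "$f" Port 2222 ' '
    set_directive "$f" PermitRootLogin no ' '
    set_directive "$f" PidFile /var/run/sshd-hardened.pid ' '
}

# Task A-4 item 12. The pyftp account must exist (useradd -r -s /sbin/nologin pyftp).
harden_vsftpd_config() {
    local f=${1:-/etc/vsftpd.conf}
    set_directive "$f" nopriv_user pyftp '='
    set_directive "$f" pasv_min_port 50000 '='
    set_directive "$f" pasv_max_port 60000 '='
    set_directive "$f" chroot_local_user YES '='
}

# Task A-4 item 11c as root crontab lines (minute hour dom month dow command).
sshd_cron_entries() {
    cat <<'EOF'
50 7 * * * systemctl start sshd
50 22 * * * systemctl stop sshd
30 7 * * 6 systemctl restart sshd
EOF
}

# Merge the schedule into root's existing crontab instead of replacing it.
install_sshd_cron() {
    { crontab -l -u root 2>/dev/null || true; sshd_cron_entries; } | crontab -u root -
}

# Stand-alone demo on throw-away copies.
demo=$(mktemp -d)
printf '#Port 22\nPermitRootLogin yes\nX11Forwarding no\n' > "$demo/sshd_config"
harden_sshd_config "$demo/sshd_config"
echo "sshd Port is now: $(get_directive "$demo/sshd_config" Port)"
```

Checks a practitioner would run before screenshotting: `sshd -t` (sshd takes the first value of each keyword, and a directive appended after a trailing `Match` block lands inside that block, so look at the file tail), `getent passwd pyftp`, and a real FTP login: with `chroot_local_user=YES` vsftpd refuses to log a user into a writable home directory unless `allow_writeable_chroot=YES` is also set. The pwquality settings only take effect if `pam_pwquality.so` is actually referenced in /etc/pam.d (on Debian install libpam-pwquality); `PASS_MIN_LEN` alone is not enforced when the PAM module is in use.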

A-5 Task 5 Local Security Policy (Windows)

14. Do not allow anonymous enumeration of SAM accounts;
15. Do not allow the system to be shut down without logging on;
16. Do not allow storage of passwords and credentials for network authentication;
17. Do not let Everyone permissions apply to anonymous users;
18. Force logoff when logon hours expire.

A-6 Task 6 Firewall Policy (Linux)

19. Set the firewall so that the machine forwards all packets except ICMP;
20. To prevent scanning software such as Nmap from detecting key information, set an iptables firewall policy that processes traffic on port 80;
21. To defend against denial of service attacks, set an iptables firewall policy that filters incoming traffic, limiting incoming packets to 3 per minute with a burst of at most 6 packets processed at once (packets exceeding the limit are dropped and not processed);
22. Allow only DNS resolution request packets from the 172.16.0.0/24 LAN segment to be forwarded.
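One reading of the four firewall items as an iptables rule set, added here as an example and not taken from the competition paper. The paper does not say what "key information" in item 20 refers to, so the port-80 rules drop the TCP flag combinations that never occur in legitimate traffic and that Nmap's NULL, XMAS and FIN scans rely on; that interpretation, the `IPT` dry-run variable and the rule order are all assumptions.

```shell
#!/usr/bin/env bash
# Added example for task A-6. IPT defaults to the real binary; set IPT=echo to
# print the rules instead of applying them. Run with "apply" (as root) to
# install the rules, or with no argument to print them.
set -eu
IPT=${IPT:-iptables}

apply_task6_firewall() {
    # item 19: forward everything except ICMP
    $IPT -P FORWARD ACCEPT
    $IPT -A FORWARD -p icmp -j DROP

    # item 20: on port 80 drop segments whose flag combinations are only
    # produced by scanners (NULL, XMAS, FIN-only, SYN+FIN, SYN+RST)
    $IPT -A INPUT -p tcp --dport 80 --tcp-flags ALL NONE -j DROP
    $IPT -A INPUT -p tcp --dport 80 --tcp-flags ALL ALL -j DROP
    $IPT -A INPUT -p tcp --dport 80 --tcp-flags ALL FIN -j DROP
    $IPT -A INPUT -p tcp --dport 80 --tcp-flags SYN,FIN SYN,FIN -j DROP
    $IPT -A INPUT -p tcp --dport 80 --tcp-flags SYN,RST SYN,RST -j DROP

    # item 21: token bucket, average 3 packets/minute with a burst of 6;
    # whatever the bucket does not admit falls through to the DROP below
    $IPT -A INPUT -m limit --limit 3/minute --limit-burst 6 -j ACCEPT
    $IPT -A INPUT -j DROP

    # item 22: forward DNS queries only from 172.16.0.0/24 (UDP and TCP/53)
    $IPT -A FORWARD -p udp --dport 53 -s 172.16.0.0/24 -j ACCEPT
    $IPT -A FORWARD -p tcp --dport 53 -s 172.16.0.0/24 -j ACCEPT
    $IPT -A FORWARD -p udp --dport 53 -j DROP
    $IPT -A FORWARD -p tcp --dport 53 -j DROP
}

# show_task6_rules: same rule set, printed instead of applied
show_task6_rules() {
    ( IPT=echo; apply_task6_firewall )
}

case "${1:-show}" in
    apply) apply_task6_firewall ;;
    show)  show_task6_rules ;;
esac
```

Order matters inside INPUT: the item 20 rules must be inserted before the item 21 catch-all `-A INPUT -j DROP`, or they never match. Item 21 taken literally (3 packets per minute across all of INPUT) will also cut off your own SSH session after the first few packets, so in practice it is scoped to the protocol being protected and applied from a console, not over SSH; and none of this survives a reboot without `iptables-save` to the distribution's rules file. `iptables -L -n -v --line-numbers` is the screenshot the answer template needs.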

Module B Cybersecurity Incident Response, Digital Forensic Investigation and Application Security (40 points for this module)

B-1 Task 1: Host Discovery and Information Collection

Task description: Only the IP address of Server1 can be obtained.
1. Use the Nmap tool in Kali to view local routes and interfaces, and submit all commands used for this operation as the Flag value;
2. Use Kali to conduct a VNC service scanning penetration test on the target machine scenario, and submit the script name used as the Flag value (e.g. MySQL-brute.nse);
3. Use Kali to conduct a VNC service scanning penetration test on the target machine scenario, and submit the VNC version number shown in the output as the Flag value;
4. Use Nmap in Kali to send empty UDP data to perform a denial of service attack on the DNS-like service avahi, and submit the script name used as the Flag value (e.g. MySQL-brute.nse);
5. Use Kali to fuzz the target machine scenario, sending abnormal packets to the target server to detect vulnerabilities hidden in the server, and submit the script name used as the Flag value (e.g. MySQL-brute.nse);
6. Use the Zenmap tool in Kali to scan the server scenario for possible remote arbitrary code execution vulnerabilities, and submit the script name used as the Flag value (e.g. MySQL-brute.nse);
7. Use the Zenmap tool in Kali to scan the server scenario for possible remote arbitrary code execution vulnerabilities (hint: the detection path is /cgi-bin/bin, so the parameter --script-args uri=/cgi-bin/bin must be added), and submit the vulnerability number and release time shown in the output as the Flag value (vulnerability number and release time joined by a semicolon).

B-2 Task 2: Penetration Testing

Task description: Only the IP address of Server2 can be obtained.
1. Use the search command in the MSF tool to search for the MS12020 RDP denial of service attack module, and submit the vulnerability disclosure time in the output as the Flag value (for example: 2012-10-16);
2. Call the auxiliary scanning module of the MS12020 RDP denial of service vulnerability in MSF, and submit the command that calls this module as the Flag value;
3. Use the set command to set the target IP and detect whether the target machine has the vulnerability; run this module and submit the last word of the second-to-last line of the output as the Flag value;
4. Call and run the attack module of the MS12020 RDP denial of service vulnerability in MSF, and submit the last word of the last line of the output as the Flag value;
5. Log in to the target machine and stop the Remote Desktop service, then run the MS12020 RDP denial of service attack module again, and submit the last word of the second-to-last line of the output as the Flag value.

B-3 Task 3: MySQL Security Test

Task description: Only the IP address of Server3 can be obtained.
1. Use tools in the Kali penetration machine scenario to determine the MySQL port, and submit the MySQL port as the Flag value;
2. The administrator has logged in to the database from the web interface and executed the statement select '<?php echo \'…\';system($_GET[\'cmd\']); echo \'…\'; ?>' INTO OUTFILE 'C:/phpstudy/test1.php' (the HTML tag echoed before and after the command output did not survive extraction); using this statement, view the detailed configuration information of the server with a DOS command and submit the server's system model as the Flag value;
3. Use the msf tool in the Kali penetration machine scenario with the password.txt dictionary file in the root directory to crack the MySQL password, and submit the module required to crack the MySQL password as the Flag value (the account is root);
4. Use the msf tool in the Kali penetration machine scenario with the password.txt dictionary file in the root directory to crack the MySQL password, and submit the MySQL password as the Flag value (the account is root);
5. Log in to the database with the account and password from the previous question, and use the statement select '<?php @eval($_POST[admin]);?>'************ 'C:/phpstudy/shell.php' to write a one-sentence Trojan named shell.php to the server; submit the plaintext hidden by the * marks in the statement as the Flag value (each * is a capital letter or a space);
6. Use the China Chopper (菜刀) webshell client to connect to shell.php from the previous question, download the compressed package in the root directory of the server, and submit the Flag value inside the compressed package.

B-4 Task 4: Web Security Application

Task description: Only the IP address of Server4 can be obtained

1. Scan the Linux target machine from the penetration machine and submit the HTTP service port number as the Flag value;
2. Penetrate the HTTP service of the Linux target machine from the penetration machine, and submit the URL of the web vulnerability injection point as the Flag value (form: http://172.16.1.1/page path);
3. Access the Windows target machine from the penetration machine, obtain the packet capture file with the .pcapng suffix, which records the hacker's penetration of the Linux target machine, and submit the file name as the Flag value;
4. Analyze the pcapng file on the penetration machine and submit the password the hacker used to log in as the administrator user as the Flag value;
5. Analyze the pcapng file on the penetration machine and submit the effective code in the Trojan file uploaded by the hacker as the Flag value;
6. Analyze the pcapng file on the penetration machine and submit the password the hacker used to connect to the database as the Flag value.

B-5 Task 5: Website XSS Vulnerability

Task description: Only the IP address of Server5 can be obtained.
1. Open the target machine website http://<target machine IP>/kzjb/, use the xsser command in the penetration machine scenario to detect whether an XSS vulnerability exists, and submit the word indicated in the result as the FLAG value;
2. Log in to the target website as the test user (password: 123456), test whether the input box on the page has an XSS vulnerability, use a JavaScript statement to pop up the message "HelloWorld" on the page, and submit the function name required for this as the FLAG value;
3. Analyze the page containing the input box, and submit the JavaScript function name that appears on the page as the FLAG value;
4. Download the Chinese text file from the target machine's FTP and paste its contents into the website's input box; download the .py file from the target machine's FTP and run it; download the .pyc file from the target machine's FTP and run it; submit the second word of the first line of the .py file's output as the FLAG value;
5. Download the php file from the target machine's FTP, upload it through the page http://<target machine IP>/kzjb/upload.php, obtain the contents of C:\flag.txt and submit them as the FLAG value.

B-6 Task 6: Data Analysis and Digital Forensics

Task description: Only the IP address of Server6 can be obtained.
1. Analyze the Alpha-1.pcapng packet file on the Server6 desktop, find the number of the packet in which the malicious user first accessed the server, and submit that number as the Flag value;
2. Continue with Alpha-1.pcapng, analyze which ports the malicious user scanned, and submit all port numbers in ascending order as the Flag value (form: port1,port2,port3,...,portn);
3. Continue with Alpha-1.pcapng, analyze the user name the malicious user used to log in to the backend, and submit that user name as the Flag value;
4. Continue with Alpha-1.pcapng, determine between which two packet numbers the malicious user exploited the MIME vulnerability, and submit the two packet numbers as the Flag value (format: 1,30);
5. Continue with Alpha-1.pcapng, analyze the password the malicious user used to connect to the one-sentence Trojan, and submit that password as the Flag value;
6. Continue with Alpha-1.pcapng, analyze the path where the malicious user wrote the Trojan for the second time, and submit the changed path, file name and suffix as the Flag value;
7. Continue with Alpha-1.pcapng, analyze which file the malicious user downloaded and from which path, and submit the file's contents as the Flag value.

B-7 Task 7: Telnet Weak Password Penetration Test

Task description: Only the IP address of Server7 can be obtained.
1. Use the Zenmap tool in the Kali2.0 penetration machine to scan the network segment of the Windows server scenario (for example 172.16.101.0/24) for live host IP addresses and for open ports 21, 22 and 23, and submit the string that must be added to the command for this operation as the Flag value (ignoring the IP address);
2. Use the Kali2.0 penetration machine to perform a system service and version scanning penetration test on the Windows server scenario, and submit the service port information corresponding to the TELNET service in the output as the Flag value;
3. Use the MSF module in the Kali2.0 penetration machine to brute-force it: use the search command, and submit the name of the weak password scanning module as the Flag value;
4. Based on the previous question, use the command to call the module and view the information that needs to be configured (with the show options command); the output shows the target address, the password guessing dictionary, the thread count and the account configuration parameters; submit these fields as the Flag value (fields separated by English commas, such as hello,test,...,...);
5. Configure the target machine's IP address in the msf module, and submit the first two words of the configuration command as the Flag value;
6. Specify the password dictionary in the msf module, with dictionary path /root/2.txt and user name user, brute-force the password and submit the password obtained as the Flag value;
7. Based on the previous question, telnet to the target machine with the password obtained in question 6, and submit the English words in the Flag value.bmp picture file on the desktop as the Flag value.

B-8 Task 8: Linux System Security

Task description: Only the IP address of Server8 can be obtained.
1. Use the Kali penetration testing platform on the local PC to perform a system service and version scanning penetration test on the Server8 server scenario, and submit the service version information string corresponding to port 22 in the output as the Flag value;
2. Find the image file in the /var/www directory and submit the file name as the Flag value;
3. Find Flag1 and submit it as the Flag value;
4. Find Flag2 and submit it as the Flag value;
5. Find Flag3 and submit it as the Flag value.

B-9 Task 9: Windows operating system penetration testing

Task description: Only the IP address of Server9 can be obtained.
1. Use the Kali penetration testing platform on the local PC to perform a system service and version scanning penetration test on the Server9 server scenario, and submit the service version information corresponding to port 1433 in the output as the Flag value (for example: 3.1.4500);
2. Perform a system service and version scanning penetration test on Server9 from Kali on the local PC, and submit the fully qualified domain name of the DNS server host as the Flag value;
3. Submit the password of the low-privilege SQL Server database user on the target server (one that cannot execute system commands through the database) as the Flag value;
4. Submit the password of the high-privilege SQL Server database user on the target server (one that can execute system commands through database instructions) as the Flag value;
5. Find the file with the .docx suffix in the 266437 folder under C:\Windows\system32, and submit the document contents as the Flag value.

B-10 Task 10: Emergency Response

Task description: Only the IP address of Server10 can be obtained.
1. A hacker broke into the local server over the network and planted a Trojan link on the home page of the web server; find this link, delete it, and submit its title as the Flag value;
2. The hacker broke into the local database server and added a superuser with administrator rights other than admin; submit this user's password as the Flag value;
3. The hacker broke into the local server and created multiple superusers on it; delete all super administrator users except Administrator, then run net user in a command prompt window and submit the first word to the right of Administrator as the Flag value;
4. The hacker modified the server's startup items; delete the unnecessary startup programs and submit the startup program names as the Flag value (if there are several, separate them with commas, such as: hello,test);
5. The hacker stored a Trojan program somewhere on the server; find the Trojan program, remove it, and submit the Trojan file name as the Flag value.

Module C CTF Capture the Flag - Attack (20 points for this module)

1. Project and task description:
Assume that you are a network security penetration testing engineer of an enterprise, responsible for the security protection of some of the enterprise's servers. In order to better find the problems and vulnerabilities that may exist in the enterprise network, you try various attack methods against specific targets, so as to understand the latest attack methods and technologies, understand the mindset of network hackers, and improve your defense strategy.
Please use Google Chrome on the client to log in to the attack machine based on the information provided in the "Field Parameter Table".
2. Operating system environment description:
Client operating system: Windows 10
Attack machine operating system: Kali Linux 2019
Target server operating system: Linux/Windows
3. Vulnerability description:
1. The vulnerabilities in the server may be regular vulnerabilities or system vulnerabilities;
2. The website on the target server may have a command injection vulnerability; players are required to find the command injection vulnerability and use it to obtain certain permissions;
3. The website on the target server may have a file upload vulnerability; players are required to find the file upload vulnerability and use it to obtain certain permissions;
4. The website on the target server may have a file inclusion vulnerability; players are required to find the file inclusion vulnerability, combine it with other vulnerabilities to obtain certain permissions, and escalate privileges;
5. The services provided by the operating system may contain remote code execution vulnerabilities; players are required to find the service with remote code execution and use this vulnerability to obtain system permissions;
6. The services provided by the operating system may contain buffer overflow vulnerabilities; players are required to find the service with the buffer overflow vulnerability and use it to obtain system permissions;
7. There may be system backdoors in the operating system; players can find the backdoor and use the reserved backdoor to obtain system permissions directly.
4. Notes:
1. The referee server must not be attacked; a team that continues to attack after a warning will be ordered to leave the venue;
2. The Flag value is the unique identifier of each target server, and each target server has only one;
3. After breaking into a target machine, players must not close ports, change passwords, restart or shut down the target machine, delete or modify the Flag, create unnecessary files, etc.;
4. After logging in to the automatic scoring system, submit the Flag value of the target server together with the IP address of that target server;
5. The competition venue provides target machines with different base scores according to difficulty. For each target server, the first three teams to obtain the Flag value receive extra points on top of the base points. Each team's total points in this stage count toward the stage score; the specific bonus rules are given in the competition scoring standards;
6. No extra time is allowed for this part.

Module D CTF Capture the Flag - Defense (20 points for this module)

1. Project and task description:
Assume that each contestant is a network security engineer of a security company, responsible for penetration testing and security protection of several servers. These servers may have various problems and vulnerabilities, so you need to penetration test and protect them as soon as possible. Each team has its own bastion server, which other teams cannot access. Contestants use scanning, penetration testing and other means to detect security flaws in their bastion server and carry out targeted hardening to improve the system's security defenses.
Each player implements system defense by following the steps of discovering the points that need hardening, implementing the hardening, and testing that the hardening is effective. After completing the protection work, each team prepares a system defense implementation report, consisting of the necessary text descriptions of the implementation steps and screenshots of key processes or key operation results. The report is written as a Word document and saved in PDF format, named "competitor number + Module D". The PDF document is the only basis for scoring this module.
Please use Google Chrome on the client to log in to the bastion server that needs to be hardened, using the information provided in the "Competition Parameter Table".
2. Operating system environment description:
Client operating system: Windows 10
Attack machine operating system: Kali Linux 2019
Bastion server operating system: Linux/Windows
3. Vulnerability description:
1. The vulnerabilities in the bastion server may be regular vulnerabilities or system vulnerabilities;
2. The website on the bastion server may have a command injection vulnerability; players are required to find the command injection vulnerability and use it to obtain certain permissions;
3. The website on the bastion server may have a file upload vulnerability; players are required to find the file upload vulnerability and use it to obtain certain permissions;
4. The website on the bastion server may have a file inclusion vulnerability; players are required to find the file inclusion vulnerability, combine it with other vulnerabilities to obtain certain permissions, and escalate privileges;
5. The services provided by the operating system may contain remote code execution vulnerabilities; players are required to find the service with remote code execution and use this vulnerability to obtain system permissions;
6. The services provided by the operating system may contain buffer overflow vulnerabilities; players are required to find the service with the buffer overflow vulnerability and use it to obtain system permissions;
7. There may be system backdoors in the operating system; contestants can find the backdoor and use the reserved backdoor to obtain system permissions directly.
4. Notes:
1. When hardening the system, the availability of the external services provided by the bastion server must be maintained;
2. The referee server must not be attacked; a team that continues to attack after one warning will be ordered to leave;
3. No extra time is allowed for this part.

For the competition environment, please send the blogger a private message.

Follow the 鱼影安全 official account, which focuses on professional skills competition training and CTF knowledge sharing. Everyone is welcome to follow and learn!


Origin blog.csdn.net/Aluxian_/article/details/134734264