
Detailed explanation of the network security competition questions (2) of the 2021 national vocational college skills competition (secondary vocational group)

2022-06-26 09:41:00 Wangzai sec

2021 National Vocational College Skills Competition (Secondary Vocational Group)

Network Security Competition Questions (2)

The environment can be obtained by private-messaging the blogger.

(Total score: 100 points)

Question description

I. Introduction to the competition

The "Network Security" competition is divided into four modules: A. Infrastructure setting and security reinforcement; B. Network security incident response, digital forensics investigation and application security; C. CTF flag capture - attack; D. CTF flag capture - defense. Depending on the actual situation of the competition, the parameters, wording and environment actually used on the competition floor may be modified appropriately; the actual situation on the day of the match prevails. The competition schedule and score weights are shown in Table 1.

Table 1  Competition schedule and score weight

Module number | Module name                                                                                    | Competition time (hours) | Weight
A             | Infrastructure setting and security reinforcement                                              | 3                        | 20%
B             | Network security incident response, digital forensics investigation and application security  |                          | 40%
C             | CTF flag capture - attack                                                                      | 3                        | 20%
D             | CTF flag capture - defense                                                                     |                          | 20%
Total         |                                                                                                | 6                        | 100%

II. Competition considerations

1. It is forbidden to carry or use mobile storage devices, calculators, communication tools and reference materials during the competition.

2. Based on the competition environment provided, check whether the listed hardware devices, software inventory and material list are complete, and whether the computer equipment works normally.

3. Before doing anything, please read all the tasks in each section; there may be some correlation between tasks.

4. During the operation, save the relevant results in time according to the answer requirements. After the match, keep all equipment running; the judgment is based on the final submitted results.

5. After the match, leave the competition equipment, software and question papers at your seat; it is prohibited to take any item used in the competition (including the test papers) off the floor.

6. It is forbidden to write marks irrelevant to the competition on the submission; a violation may be scored as 0 points.

Competition content

Module A  Infrastructure setting and security reinforcement

(This module: 20 points)

I. Project and task description:

Suppose you are a network security engineer in an enterprise. For the enterprise server system, ensure the normal operation of all services according to the task requirements, and improve the network security defence capability of the server system by comprehensively applying login and password policies, database security policies, traffic integrity protection policies, event monitoring policies, firewall policies and other security policies. This module requires screenshots of the specific tasks with corresponding text descriptions, written in a Word document, saved in PDF format and named with the contestant number.

II. Server environment description

Windows  user name :administrator, password :123456

Linux    user name :root, password :123456

III. Specific tasks (the score of each task is subject to the electronic answer sheet)

A-1 Task 1: Login security (Windows, Linux)

Make the required settings on the Windows and Linux servers to improve their security.

1. Password policy (Windows)

a. Passwords must meet complexity requirements;

b. The minimum password age is 10 days.

Win+R, enter secpol.msc > Account Policies > Password Policy, and modify both settings.

3. User security management (Windows)

a. Assign the right "Take ownership of files or other objects" only to the Administrators group;

Win+R, enter secpol.msc > Local Policies > User Rights Assignment > find "Take ownership of files or other objects" and modify it.

b. Prohibit ordinary users from using the command prompt;

Win+R, enter gpedit.msc > User Configuration > Administrative Templates > System > enable "Prevent access to the command prompt".

c. Do not display the last logged-in user name.

Win+R, enter secpol.msc > Local Policies > Security Options > modify "Interactive logon: Do not display last user name".

A-2 Task 2: Local security policy settings (Windows)

4. The user name must not be displayed when logging in;

Win+R, enter secpol.msc > Local Policies > Security Options > modify "Interactive logon: Do not display last user name".

5. Prompt the user to change the password 5 days before it expires;

6. Require any user to press CTRL+ALT+DEL before logging in to Windows;

7. Prohibit anonymous enumeration of SAM accounts and shares;

Win+R, enter secpol.msc > Local Policies > Security Options > enable "Network access: Do not allow anonymous enumeration of SAM accounts and shares".

8. Disable the Guest account.

Win+R, enter secpol.msc > Local Policies > Security Options > set "Accounts: Guest account status" to Disabled.

A-3 Task 3: Traffic integrity protection (Linux)

9. Use openssl to apply for a certificate: create a self-signed certificate server.crt and a private key server.key, and require that the domain name can only be accessed through SSL encryption.

In httpd.conf, enable the modules LoadModule ssl_module modules/mod_ssl.so and LoadModule rewrite_module modules/mod_rewrite.so; the certificate for this question is then configured and plain-HTTP requests are redirected to HTTPS.
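As an added example (not from the competition paper or the blogger), the script below produces the server.crt/server.key pair with openssl, writes an httpd vhost in which port 80 only redirects to HTTPS, and audits the result; it assumes mod_ssl and mod_rewrite are loaded as described above, and the domain www.example.com, the certificate directory and DocumentRoot /var/www/html are placeholders.

```shell
#!/bin/sh
# Added example, not code from the competition or the blogger: the task-9 pieces
# as a script. gen_selfsigned_cert creates server.crt/server.key with openssl,
# gen_https_only_vhost writes an httpd vhost in which port 80 only redirects to
# HTTPS, and check_https_only is the audit run afterwards. It assumes mod_ssl and
# mod_rewrite are loaded in httpd.conf; the domain www.example.com, the
# certificate directory and DocumentRoot /var/www/html are placeholders.

# gen_selfsigned_cert OUTDIR FQDN: self-signed cert and key, valid for 365 days.
gen_selfsigned_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1/server.key" -out "$1/server.crt" \
        -subj "/C=CN/O=Contest/CN=$2"
    chmod 600 "$1/server.key"     # the private key is readable by root only
}

# gen_https_only_vhost CONF FQDN CERTDIR: port 80 answers every request with a
# 301 to the HTTPS URL; only port 443 serves content, with the new certificate.
gen_https_only_vhost() {
    cat >"$1" <<EOF
<VirtualHost *:80>
    ServerName $2
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^/(.*)\$ https://$2/\$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName $2
    SSLEngine on
    SSLCertificateFile $3/server.crt
    SSLCertificateKeyFile $3/server.key
    DocumentRoot /var/www/html
</VirtualHost>
EOF
}

# check_https_only CONF: status 0 only if the config both redirects plain HTTP
# to https:// and enables SSL with a certificate; anything else fails the task.
check_https_only() {
    grep -q 'RewriteRule .*https://' "$1" &&
    grep -qi '^[[:space:]]*SSLEngine[[:space:]]*on' "$1" &&
    grep -q '^[[:space:]]*SSLCertificateFile' "$1"
}
```

Drop the generated file into httpd's conf.d directory (assuming a RedHat-style layout) and restart httpd; a `curl -I http://www.example.com/` should then answer 301 with a `Location: https://` header.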

A-4 Task 4: Event monitoring (Windows)

10. The security log file size must be at least 128 MB; when the maximum log size is reached, overwrite events older than 30 days.

Win+R, enter eventvwr.msc > Windows Logs > right-click Security > Properties, and modify the maximum log size and the overwrite setting.

A-5 Task 5: Service reinforcement SSHD / VSFTPD / IIS (Windows, Linux)

11. SSH service reinforcement (Linux)

a. Change the SSH service port to 2222;

b. Prohibit remote login by the root user over SSH.

vim /etc/ssh/sshd_config > modify the specified directives (Port 2222, PermitRootLogin no) > remove the leading comment marks > restart the service.

12. VSFTPD service reinforcement (Linux)

a. The maximum transfer rate for user access is 1M;

vim /etc/vsftpd/vsftpd.conf, modify it and restart the service afterwards.

b. The maximum number of client connections allowed from the same client IP address is 10.
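An added example (not the contest's or the blog's own) that applies tasks 11 and 12 to sshd_config and vsftpd.conf idempotently and then verifies them; the file paths are parameters so it can be rehearsed on copies, and the "1M" limit is assumed to mean 1 MiB/s since vsftpd's local_max_rate is in bytes per second.

```shell
#!/bin/sh
# Added example, not code from the competition or the blog: apply the sshd and
# vsftpd settings of tasks 11 and 12 idempotently and verify them. The paths are
# parameters so the script can be rehearsed on copies; on the contest host they
# are /etc/ssh/sshd_config and /etc/vsftpd/vsftpd.conf, followed by
# "systemctl restart sshd vsftpd" (assumes systemd).

# set_opt FILE KEY VALUE SEP: make KEY<SEP>VALUE the single effective setting.
# The first matching line (commented out or not) is replaced in place so the
# directive keeps its position; duplicates are dropped; a missing key is appended.
set_opt() {
    f="$1"; k="$2"; v="$3"; sep="$4"
    awk -v k="$k" -v line="$k$sep$v" '
        $0 ~ ("^[ \t]*#?[ \t]*" k "[ \t=]") { if (!done) { print line; done = 1 }; next }
        { print }
        END { if (!done) print line }
    ' "$f" >"$f.tmp" && mv "$f.tmp" "$f"
}

# get_opt FILE KEY: print the effective (uncommented) value, or nothing if unset.
get_opt() {
    sed -nE "s/^[[:space:]]*$2[[:space:]=]+[[:space:]]*//p" "$1" | tail -n 1
}

harden_sshd() {                              # $1 = sshd_config
    set_opt "$1" Port 2222 " "               # task 11a: SSH listens on 2222
    set_opt "$1" PermitRootLogin no " "      # task 11b: no direct root logins
}

harden_vsftpd() {                            # $1 = vsftpd.conf
    # task 12a: "1M" is assumed to mean 1 MiB/s; local_max_rate is bytes/second
    set_opt "$1" local_max_rate 1048576 "="
    set_opt "$1" max_per_ip 10 "="           # task 12b: 10 connections per client IP
}

# verify_hardening SSHD_CONF VSFTPD_CONF: status 0 only when all four values hold,
# which is the check to run (and screenshot) after restarting the services.
verify_hardening() {
    [ "$(get_opt "$1" Port)" = 2222 ] &&
    [ "$(get_opt "$1" PermitRootLogin)" = no ] &&
    [ "$(get_opt "$2" local_max_rate)" = 1048576 ] &&
    [ "$(get_opt "$2" max_per_ip)" = 10 ]
}
```

Source the file, then run `harden_sshd /etc/ssh/sshd_config`, `harden_vsftpd /etc/vsftpd/vsftpd.conf`, restart both services and confirm with `verify_hardening`.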


13. IIS reinforcement (Windows)

a. Turn on IIS log audit records (log file saved in W3C format, recording only the date, time, client IP address, user name and method);

Administrative Tools > IIS Manager > website > Logging > Select Fields, and keep only the fields required.

b. Disable the WebDAV function of IIS to enhance the security of the website.

Administrative Tools > IIS Manager > website > find WebDAV Authoring Rules and disable WebDAV.

A-6 Task 6: Firewall policy (Linux)

14. To prevent the Nmap scanning software from detecting critical information, set an iptables firewall policy to handle traffic to port 3306;

iptables -A INPUT -p tcp --dport 3306 -j DROP

15. To prevent the SSH service from being enumerated, set an iptables firewall policy that only allows hosts in the 172.16.10.0/24 network segment to connect to this machine through SSH;

iptables -A INPUT -s 172.16.10.0/24 -p tcp --dport 22 -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -j DROP

16. To defend against IP fragment attacks, set an iptables firewall policy that limits the number of IP fragments, allowing only 1000 to be processed per second;

iptables -A FORWARD -f -m limit --limit 1000/s --limit-burst 1000 -j ACCEPT

iptables -A FORWARD -f -j DROP

17. Allow this machine to provide the application services opened on TCP ports 20-1024;

iptables -A INPUT -p tcp --dport 20:1024 -j ACCEPT

iptables -A OUTPUT -p tcp --sport 20:1024 -j ACCEPT

18. Restrict the local Web service so that it cannot be accessed on Mondays.

iptables -A INPUT -p tcp --dport 80 -m time --weekdays Mon -j DROP

iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT

iptables -A OUTPUT -s 127.0.0.1 -p tcp --sport 80 -j ACCEPT
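The rules for tasks 14 to 18 collected as one added script (not the contest's or the blogger's own) with a dry-run mode for checking the rule order before it is applied as root; it assumes SSH still listens on port 22 and the web service on port 80.

```shell
#!/bin/sh
# Added example (not the contest's or the blogger's own): tasks 14 to 18 as one
# reviewable ruleset. With DRY_RUN=1 the commands are printed instead of run, so
# the order can be checked before it is applied as root. Assumptions: SSH still
# listens on 22 (change to 2222 once task 11 is applied) and the web service is
# on 80; the fragment rules are in FORWARD as in the answer above (add the same
# pair to INPUT if the host itself is the target of the fragments).

ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi
}

apply_a6_rules() {
    # Task 18: no web access on Mondays. This must precede the task-17 ACCEPT for
    # 20:1024, otherwise it never matches. --kerneltz evaluates the weekday in the
    # kernel's time zone instead of UTC.
    ipt -A INPUT -p tcp --dport 80 -m time --weekdays Mon --kerneltz -j DROP

    # Task 14: MySQL hidden from scanners. DROP (not REJECT) sends no answer, so
    # nmap reports the port as "filtered" instead of "closed".
    ipt -A INPUT -p tcp --dport 3306 -j DROP

    # Task 15: SSH reachable only from 172.16.10.0/24. An ACCEPT alone restricts
    # nothing; the DROP for everyone else is what enforces the policy.
    ipt -A INPUT -p tcp --dport 22 -s 172.16.10.0/24 -j ACCEPT
    ipt -A INPUT -p tcp --dport 22 -j DROP

    # Replies to connections the firewall already accepted keep flowing.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Task 17: services on TCP 20-1024 are reachable (and may answer).
    ipt -A INPUT -p tcp --dport 20:1024 -j ACCEPT
    ipt -A OUTPUT -p tcp --sport 20:1024 -j ACCEPT

    # Task 16: -f matches second and later fragments; at most 1000/s pass, the
    # rest are dropped (a limit ACCEPT without a following DROP limits nothing).
    ipt -A FORWARD -f -m limit --limit 1000/s --limit-burst 1000 -j ACCEPT
    ipt -A FORWARD -f -j DROP
}

# show_a6_rules: print the ruleset without applying it (for the answer document).
show_a6_rules() {
    ( DRY_RUN=1; apply_a6_rules )
}
```

After applying, `iptables -L INPUT -n --line-numbers` shows the order actually loaded, which is what the screenshot should document.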

Module B  Network security incident response, digital forensics investigation and application security

(This module: 40 points; each subtask 4 points)

I. Project and task description:

Suppose you are a member of a network security technical support team. The server system of an enterprise has been attacked by hackers, and your team has come to help the enterprise investigate and trace the source of this cyber attack, analyse the hackers' attack methods, discover system vulnerabilities, submit a network security incident response report, fix the system vulnerabilities, delete the backdoors the hacker created in the system, and help the system return to normal operation.

II. Server environment reference (subject to the actual competition questions)

Operating system: Windows/Linux

III. PC environment reference (subject to the actual competition questions)

Physical machine: Windows 7 or Windows 10;

Virtual machine 1: Ubuntu Linux (user name: root; password: 123456), installed toolset: Backtrack 5, installed development environment: Python 3;

Virtual machine 2: Kali 1.0 (user name: root; password: 123456);

Virtual machine 3: Kali 2.0 (user name: root; password: 123456);

Virtual machine 4: Windows XP (user name: administrator; password: 123456).

IV. Specific tasks

Task description: the Flag format is Flag{Xxxx123}; the content inside the braces is the Flag value, so submitting Xxxx123 is enough.

B-1 Task 1: Trace back to the source and collect evidence

(This is equivalent to emergency response. You can learn more about emergency response: how to read the web directory structure so that files are easy to modify and delete, how to reinforce the system, and how to eliminate malicious processes.)

* Task description: only the IP address of Server1 is available

1. Hackers broke into the local server through the network and placed a Trojan link on the home page of the Web server. Find this link and delete it, then submit the third word displayed in the title bar of the first row of the home page after the link is deleted as the Flag value;

Enter the local server, find the files in the web site's home directory, edit the file to delete the Trojan link, then open the modified page and submit what the question asks for.

2. Hackers broke into the database server of the local server and added a super user with administrator privileges other than admin. Find this user and delete it, and submit this user's password as the Flag value;

Log in to the database as the super administrator, use database commands to view the users and passwords (the password is stored MD5-encrypted, so the plaintext is unknown), find the user and delete it.

3. Hackers broke into the local server and created multiple super users on it. Delete all super administrator users other than Administrator, type net user in the command line window, and submit the first word to the right of Administrator as the Flag value;

Flag: DefaultAccount

4. The hacker modified the server's startup content. Delete the unnecessary startup items, open the "Startup" tab of Task Manager, and submit all the names in the Name column as the Flag value; (submission form: name1, name2, name3)

Win+R, enter msconfig, click the Startup tab and remove the unnecessary startup items.

5. The hacker stored a Trojan program somewhere on the server. Find this Trojan program and remove it. Open the "Processes" tab of Task Manager and submit the third word in the application name as the Flag value.

Open Task Manager (Ctrl+Shift+Esc) and click the Processes tab; Trojan programs generally use a lot of memory and CPU, so find the process that consumes more resources than expected and end it.

B-2 Task 2: Digital forensics

* Task description: only the IP address of Server2 is available

1. Hackers uploaded a Trojan through an upload page. Find the upload page and submit the upload page's file name as the Flag value;

Filter by the HTTP protocol and follow the stream.

2. Find the corresponding Trojan backdoor and submit the Trojan file name as the Flag value;

3. View the Trojan file and submit the Trojan file's login password as the Flag value;

FLAG[email protected]

4. Find the scheduled task created by the hacker in the task scheduler (the scheduled task with harmful operations) and submit the scheduled task's name as the Flag value;

The attacker probably uploaded a Trojan file, which can then be connected to.

5. Find the executable corresponding to the scheduled task, analyse its code and submit the password as the Flag value.

Filter by the HTTP protocol.

Flag: password

B-3 Task 3: Penetration test

* Task description: only the IP address of Server3 is available

1. In the MSF tool, use the search command to search for the MS12-020 RDP denial-of-service attack module, and submit the vulnerability disclosure date in the echoed result as the Flag value; (e.g. 2012-10-16)

search ms12_020

2. In the MSF tool, call the auxiliary scanning module for the MS12-020 RDP denial-of-service vulnerability, and submit the command that calls this module as the Flag value;

use auxiliary/scanner/rdp/ms12_020_check

3. Use the set command to set the target IP and detect whether the target is vulnerable; run this module and submit the last word of the second-to-last line of the echoed result as the Flag value;

check

4. In the MSF tool, call and run the MS12-020 RDP denial-of-service vulnerability attack module, and submit the last word of the last line echoed after running this module as the Flag value;

Call the denial-of-service vulnerability attack module and then run it.

5. Enter the target and close the Remote Desktop service, run the MS12-020 RDP denial-of-service vulnerability attack module again, and submit the last word of the second-to-last line echoed by this module as the Flag value.

B-4 Task 4: Python code analysis

* Task description: only the IP address of Server4 is available; Server4 FTP service user name: user, password: 123456

1. Complete the file Flag4.py, fill in the blank string Flag1 in this file, and submit the string as the Flag value;

2. Complete the file Flag4.py, fill in the blank string Flag2 in this file, and submit the string as the Flag value;

3. Complete the file Flag4.py, fill in the blank string Flag3 in this file, and submit the string as the Flag value;

4. Complete the file Flag4.py, fill in the blank string Flag4 in this file, and submit the string as the Flag value;

5. Execute the completed script file and submit the content echoed after successful execution as the Flag value.

B-5 Task 5: Steganography application

There is no fixed answer to this question; it needs more CTF misc practice. For example, common misc tools include hexdump, WinHex, strings and so on, and common misc problems are image steganography, traffic analysis and so on. Do more and practise more, rather than listening to me ramble here.

* Task description: Server5 user name: administrator, password: 123456

1. Find the file in folder 16 and submit the information hidden in the file as the Flag value;

2. Find the file in folder 17 and submit the information hidden in the file as the Flag value;

3. Find the file in folder 18 and submit the information hidden in the file as the Flag value;

4. Find the file in folder 19 and submit the information hidden in the file as the Flag value;

5. Find the file in folder 20 and submit the information hidden in the file as the Flag value.

B-6 Task 6: Web security application

The main idea is to use nmap to scan which ports are open, then think about the possible vulnerabilities.

It may be ports 80 and 445; mainly get a shell on the Windows system and look at the PHP files.

You can also inject through the web pages; learn more about what web vulnerabilities exist, such as SQL injection, and learn about the directory structure of the website, for example what special files get generated.

* Task description: only the IP address of Server6 is available

1. Access http://<target machine IP>/6 via URL, perform a penetration test on the page, find Flag6 and submit it as the Flag value;

2. Access http://<target machine IP>/7 via URL, perform a penetration test on the page, find Flag7 and submit it as the Flag value;

3. Access http://<target machine IP>/8 via URL, perform a penetration test on the page, find Flag8 and submit it as the Flag value;

4. Access http://<target machine IP>/9 via URL, perform a penetration test on the page, find Flag9 and submit it as the Flag value;

5. Access http://<target machine IP>/10 via URL, perform a penetration test on the page, find Flag10 and submit it as the Flag value.

B-7 Task 7: Windows system security

Since there is no specific environment, the following is speculation:

1. Use ms17_010;

2. Brute-force MSSQL, then operate the system, then use ms14_064; you can also upload a Trojan;

3. cve-2017-7269, then ms14_064 and so on; the next step is privilege escalation.

There are many examples that will not be listed one by one.

* Task description: only the IP address of Server7 is available

1. From the penetration testing platform Kali on the local PC, perform a system service and version scanning penetration test against the server scenario Server7, and submit the service status information string corresponding to port 80 displayed in the result as the Flag value;

nmap -sV -n <ip>

2. Find the network adapter information and submit the preferred DNS server address as the Flag value;

1. ipconfig /all  2. nslookup

3. Find Flag5 and submit it as the Flag value;

1. Find the path of the folder you want, then download it in meterpreter.

2. Connect remotely and find the file you want.

4. Find Flag6 and submit it as the Flag value;

1. Find the path of the folder you want, then download it in meterpreter.

2. Connect remotely and find the file you want.

5. Submit the password of the administrator account with the highest system authority as the Flag value.

1. hashdump

2. load mimikatz, then wdigest

3. kerberos

B-8 Task 8: Linux system security

1. Use the vsftpd 2.3.4 vulnerability, then connect with nc to port 6200 to get the file.
2. MySQL one-line Trojans, etc.

* Task description: only the IP address of Server8 is available

1. From the penetration testing platform Kali on the local PC, perform a system service and version scanning penetration test against the server scenario Server8, and submit the service version information string corresponding to port 80 displayed in the result as the Flag value;

First scan port 80, then scan for the backdoor.

nmap -sV <ip>

2. Find the picture file in the /var/www directory and submit its file name as the Flag value;

First of all the privileges must be high enough; then you can enter the folder and look at the file suffixes.

3. Find Flag7 and submit it as the Flag value;

After getting in, you should give the file permissions and then put it in the website directory to view it.

4. Find Flag8 and submit it as the Flag value;

After getting in, you should give the file permissions and then put it in the website directory to view it.

5. Find Flag9 and submit it as the Flag value.

After getting in, you should give the file permissions and then put it in the website directory to view it.

B-9 Task 9: Buffer overflow

* Task description: only the IP address of Server9 is available; Server9 FTP service user name: admin, password: 123456

1. Download the file BO4.py from the FTP server of the target server scenario, edit this Python program file so that it performs a buffer overflow penetration test against Server9, fill in the blank string F1 in this file, and submit this string as the Flag value;

2. Continue editing the Python program file named BO4.py so that it performs a buffer overflow penetration test against Server9, fill in the blank string F2 in this file, and submit this string as the Flag value;

3. Continue editing the Python program file named BO4.py so that it performs a buffer overflow penetration test against Server9, fill in the blank string F3 in this file, and submit this string as the Flag value;

4. Continue editing the Python program file named BO4.py so that it performs a buffer overflow penetration test against Server9, fill in the blank string F4 in this file, and submit this string as the Flag value;

5. Continue editing the Python program file named BO4.py so that it performs a buffer overflow penetration test against Server9; after successful penetration, find the document in the Recycle Bin of Server9 and submit the document's content as the Flag value.

B-10 Task 10: Remote code execution

* Task description: only the IP address of Server10 is available; Server10 FTP service user name: admin, password: 123456

1. Download the file RCE4.py from the FTP server of the target server scenario, edit this Python program file so that it performs a remote code execution penetration test against Server10, fill in the blank string F1 in this file, and submit this string as the Flag value;

2. Continue editing the Python program file named RCE4.py so that it performs a remote code execution penetration test against Server10, fill in the blank string F2 in this file, and submit this string as the Flag value;

3. Continue editing the Python program file named RCE4.py so that it performs a remote code execution penetration test against Server10, fill in the blank string F3 in this file, and submit this string as the Flag value;

4. Continue editing the Python program file named RCE4.py so that it performs a remote code execution penetration test against Server10, fill in the blank string F4 in this file, and submit this string as the Flag value;

5. Continue editing the Python program file named RCE4.py so that it performs a remote code execution test against Server10; after successful penetration, find the document on the desktop of Server10 and submit the document's content as the Flag value.

Module C  CTF flag capture - attack

The first thing to know is that you have to find the IP yourself. During the competition you will be given information about your target machine; you need to find your own target and reinforce it. Finding the target machine probably means going through many network segments, which is a lot of trouble. This year module C may make vsftpd 2.3.4 the main target, so write that script, you know.

(This module: 20 points)

I. Project and task description:

Suppose you are a network security penetration test engineer in an enterprise, responsible for the security protection of some of the enterprise's servers. In order to better find the various problems and vulnerabilities that may exist in the enterprise network, you try all kinds of attacks against a specific target, so as to understand the latest attack methods and technologies and the mentality of network hackers, and thereby improve your defence strategy.

According to the information provided in the "Field parameter table", log in to the attacker machine using the Google browser on the client.

II. Operating system environment description:

Client operating system: Windows 10

Attacker operating system: Kali Linux

Target server operating system: Linux/Windows

III. Vulnerability description:

1. The vulnerabilities in the server may be conventional vulnerabilities or system vulnerabilities;

2. The website on the target server may have a command injection vulnerability; contestants are asked to find the vulnerabilities related to command injection and exploit them to obtain certain permissions;

3. The website on the target server may have a file upload vulnerability; contestants are asked to find the vulnerabilities related to file upload and exploit them to obtain certain permissions;

4. The website on the target server may have a file inclusion vulnerability; contestants are asked to find the vulnerabilities related to file inclusion and combine them with other vulnerabilities to obtain certain permissions and escalate privileges;

5. The services provided by the operating system may contain a remote code execution vulnerability; contestants are asked to find the service with remote code execution and use this vulnerability to obtain system permissions;

6. The services provided by the operating system may contain a buffer overflow vulnerability; contestants are asked to find the service with the buffer overflow vulnerability and use this vulnerability to obtain system permissions;

7. There may be some system backdoors in the operating system; contestants can find the backdoor and use the reserved backdoor to directly obtain system permissions.

IV. Matters needing attention:

1. The referee server must not be attacked; if the attack continues after one warning, the team will be ordered to leave the field;

2. The Flag value is the unique identifier of each target server, and each target server has only 1;

3. After entering the target, the contestant must not close the target, change passwords, restart or shut down the target, delete or modify the Flag, create unnecessary files, or perform other such operations;

4. After logging in to the automatic scoring system, submit the Flag value of the target server, and at the same time specify the IP address of the target server;

5. There are targets with different basic scores according to difficulty on the field; for each target server, the first three teams to obtain the Flag value receive extra points on top of the basic score, and the total score of each team in this stage counts towards the stage score; the specific scoring rules refer to the scoring standard of the field;

6. There is no supplementary time for this stage.

Module D  CTF flag capture - defense

Save your reinforcement results and written instructions in a text document.

(This module: 20 points)

I. Project and task description:

Suppose you are a network security engineer of a security enterprise, responsible for penetration testing and security protection of several servers. These servers may have various problems and vulnerabilities, and you need to perform penetration testing and security protection on them as soon as possible. Each team has its own fortress server, which other teams cannot access. Contestants use scanning, penetration testing and other means to detect the security defects in their fortress server and carry out targeted reinforcement, so as to improve the security and defence performance of the system.

According to the information provided in the "Field parameter table", use the Google browser on the client to log in to the fortress server that needs to be reinforced.

II. Operating system environment description:

Client operating system: Windows 10

Attacker operating system: Kali Linux

Fortress server operating system: Linux/Windows

III. Vulnerability description:

1. The vulnerabilities in the fortress server may be conventional vulnerabilities or system vulnerabilities;

2. The website on the fortress server may have a command injection vulnerability; contestants are asked to find the vulnerabilities related to command injection and exploit them to obtain certain permissions;

3. The website on the fortress server may have a file upload vulnerability; contestants are asked to find the vulnerabilities related to file upload and exploit them to obtain certain permissions;

4. The website on the fortress server may have a file inclusion vulnerability; contestants are asked to find the vulnerabilities related to file inclusion and combine them with other vulnerabilities to obtain certain permissions and escalate privileges;

5. The services provided by the operating system may contain a remote code execution vulnerability; contestants are asked to find the service with remote code execution and use this vulnerability to obtain system permissions;

6. The services provided by the operating system may contain a buffer overflow vulnerability; contestants are asked to find the service with the buffer overflow vulnerability and use this vulnerability to obtain system permissions;

7. There may be some system backdoors in the operating system; contestants can find the backdoor and use the reserved backdoor to directly obtain system permissions.

IV. Matters needing attention:

1. Each contestant needs to take screenshots of the reinforcement points and the reinforcement process, and produce their own system defence implementation report; the final score is subject to the implementation report;

2. When reinforcing the system, the availability of the services provided by the fortress server must be ensured;

3. The referee server must not be attacked; if the attack continues after one warning, the team will be ordered to leave the field;

4. There is no supplementary time for this stage.

Original site

Copyright notice
This article was created by [Wangzai sec]; please include the link to the original when reposting. Thanks.
https://yzsam.com/2022/177/202206260853064990.html