2016 cyber security and defense match record


After a full day of competition I had a lot of impressions but did not know where to start. Much of the experience of a match is hard to put into words, so I will simply describe this one in journal form.

The 2016 CNCERT Network Annual Meeting & 2016 Network Security Tournament was hosted by the National Internet Emergency Center.

The match format was offline attack and defense. After the CNCERT preliminaries, a total of 39 teams took part in the offline finals in Chengdu.

The game was a total of rounds

Flags are refreshed every 20 minutes. Each opponent flag you submit earns 5 points, each of your flags submitted by an opponent costs 10 points, and each team's flag can only be submitted once per 20 minutes.

The topology diagram is as follows: [image not preserved]

First round 9:00--10:00

Vulnerabilities: (the challenge source is on the cloud disk; the link is attached at the end)

Web1: webftp (mongoadmin remote command execution)

exp: $ curl "http://localhost/moadmin.php?collection=1" -d "object=1;phpinfo();exit" (http://bobao.360.cn/learning/detail/274.html)

Web2: Joomla (command execution)


The match began at 9 o'clock in the morning, and we found port 1801 running Webftp and port 1802 running Joomla. The three of us quickly divided the work: Jack took defense, deploying monitoring code for real-time defense. At first the PHP deployment reported an error saying there was no write permission, and the monitoring code's automatic deletion function also had problems; after some changes it got on track. Guanguan and I handled the attack side, analysing and exploiting the vulnerabilities. After just 5 minutes we found that a team had already attacked and written a shell, and we got the shell. We wanted to use a script to submit flags automatically, but found that the rules limit flag requests to the platform to 20 per minute (it seems one strong team that submitted flags automatically was blocked from submitting for a while), so Guanguan and I checked the shells in batches, got the flags, and submitted them manually. The first round had four flag refreshes in total; we worked through the shell addresses Jack provided by "reversing" the shells, plus the shells Guanguan and I had obtained. At the end of the first round our team was around 8th place (whether it was 7, 8 or 9 I forget). Analysing the source after the match, we found there was still a one-line webshell ("pony") in it; we do not know whether the organizers left it as a backdoor.


Second round 10:10--12:00

Vulnerabilities:

Web3: webftp weak password (admin admin) + unauthorized access vulnerability + write shell

Web4: Joomla weak password (admin admin888)


In the second round, 10:10--12:00, the organizers replaced the ports and the CMS on the target machines. At first we thought it was a new CMS, but when we opened the target machine's address we found the same Webftp and Joomla interfaces, without the first round's command execution vulnerabilities. The first thing we thought of was a possible weak-password vulnerability (the 2015 network security attack-defense match had a weak-password challenge). Jack and I were frantically testing the admin panel when teammate Jack said a webshell ("pony") had been planted in our CMS (Jack had written a script to monitor the CMS in real time). We then modified the source code to harden it. While Guanguan and I frantically submitted flags, Jack monitored the defense machine in real time. At this furious pace, by the middle of the second round our team had risen to fourth place, but then something baffling happened: the platform deducted 600 points from us (details unknown).


Third round 12:30--17:00


Web5: .bak file + phpMyAdmin password (root password found in the config file) + writing a shell to a writable directory from the back end

Web6: Joomla (no analysis)

PWN1: command execution (ua:2135gfts cert:shell command)

PWN2: double-free vulnerability


After a half-hour break at noon, the tense third round began immediately. This round had two web challenges and two pwn challenges. The afternoon saw large swings: some teams used their access to delete the challenges and run fork bombs, and later things became abnormal, with various directories deleted. The PHP environment stopped working. Jack wrote a bash script to re-upload the web challenges automatically, but it hit a variety of exceptions at startup. Later we learned that a strong team had got in through Web3 and escalated privileges with an overflow, and that other teams' account permissions had been modified (the user prompt turned into ~; the machine was wrecked), which greatly increased the difficulty of the attack-defense match. By the middle of the third round we had solved the PWN challenge; local testing and exploitation succeeded. However, when attacking, it could not return a shell to us; presumably some team had modified the vulnerable code after attacking successfully.


The above is a bit of a running journal; to summarize:

1. In an offline attack-defense match, solve the challenges quickly and get access in bulk as far as possible; speed determines whether you hold the initiative.

2. Defend well during the match: as far as possible, have one teammate monitor the local defense machine and protect the CMS according to its vulnerabilities.

3. In the late stages of the match, carefully check whether the defense machine has reverse shells or scheduled tasks running.

4. During the match you can choose disruptive "stirring things up" operations such as fork bombs, but avoid using them as far as possible.

5. Before the match starts, prepare various automation scripts, such as exps for common CMS vulnerabilities and scripts for getting shells in bulk.

6. The find, ps, kill and ssh commands may serve you well during the match.
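
The web-root monitoring described in the round notes and in summary point 2, as an added example (not the team's script, which the post does not show): it baselines the web root, quarantines files that appear later instead of deleting them, and restores edited or deleted files from a clean copy kept outside the web root. All paths, file names and file contents below are constructed.

```python
import hashlib, os, shutil, tempfile

def snapshot(root):
    """Return {relative path: SHA-256} for every regular file under root."""
    state = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # symlinks are not followed
            with open(full, "rb") as fh:
                state[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return state

def enforce(root, baseline, backup, quarantine):
    """Quarantine files absent from the baseline; restore changed or deleted ones."""
    current = snapshot(root)
    added = sorted(set(current) - set(baseline))
    damaged = sorted(p for p in baseline if current.get(p) != baseline[p])
    os.makedirs(quarantine, exist_ok=True)
    for rel in added:
        # Move rather than delete so the dropped file can be analysed later.
        shutil.move(os.path.join(root, rel),
                    os.path.join(quarantine, rel.replace(os.sep, "__")))
    for rel in damaged:
        target = os.path.join(root, rel)
        os.makedirs(os.path.dirname(target), exist_ok=True)  # directory may be gone
        shutil.copy2(os.path.join(backup, rel), target)
    return added, damaged

def demo():
    """Constructed scenario: one dropped file, one edit, one deleted directory."""
    work = tempfile.mkdtemp()
    root, backup, jail = (os.path.join(work, d) for d in ("www", "backup", "quarantine"))
    os.makedirs(os.path.join(root, "includes"))
    for rel, body in (("index.php", b"<?php echo 'home';"),
                      (os.path.join("includes", "db.php"), b"<?php $dsn = 'placeholder';")):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(body)
    shutil.copytree(root, backup)            # clean copy kept outside the web root
    baseline = snapshot(root)
    with open(os.path.join(root, "x.php"), "wb") as fh:      # file added by an opponent
        fh.write(b"<?php /* constructed stand-in for a dropped file */")
    with open(os.path.join(root, "index.php"), "ab") as fh:  # source tampered with
        fh.write(b"/* constructed injected line */")
    shutil.rmtree(os.path.join(root, "includes"))            # directory wiped
    result = enforce(root, baseline, backup, jail)
    return result, snapshot(root) == baseline, sorted(os.listdir(jail))

if __name__ == "__main__":
    print(demo())
```

In a match this would run in a loop at a short interval, with the backup and quarantine directories owned by an account the web server user cannot write to.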


Competition Web Source download: HTTP://PAN.BAIDU.COM/S/1KV3YDMV Extract password: Inn0team

The PWN source from the match will not be uploaded; contact me if you need it.

My writing is not great, and I do not know which CTF topics to expand on. If there are areas you are interested in, please reply with a message and I will write targeted introductions based on everyone's questions.


This article is from the "Hu Jubo" blog; please keep this source attribution: http://hufubo.blog.51cto.com/7662396/1829017
