talk about awd attack and defense process and preparation experience

Posted by punzalan at 2020-04-05


AWD (attack with defense) mode is a very interesting mode. You need to play the attacker and the defender in a game. The attacker will score and the loser will be deducted. That is to say, when you can get the flag score by attacking other people's target machine, other people will be deducted. At the same time, you should protect your host from being scored by other people to prevent points being deducted.

For the first time, the students who have never been in touch with this mode are likely to be confused. Recently, I also played a small AWD to introduce the general process and preparation of AWD. Because I am responsible for web more, so this article will not involve binary aspects, mainly from the direction of web.

AWD process

1. The author will deploy one or more hosts of the same environment to each team.

2. After getting the machine, each team will have a certain reinforcement time or no reinforcement time, which depends on the rules.

3. There may be flag fields on each service, database and host, and they will be refreshed regularly. After getting the flag through the attack, it needs to be submitted to the referee for scoring. Generally, the specified submission interface will be provided. After the next round of refresh, if the vulnerability still exists, you can continue to use the vulnerability to obtain the flag for scoring.

Generally speaking, if the attack and defense time is relatively short, only the penetration of web and database and the utilization of existing loopholes will be examined; if the time is long, it is likely to need to do intranet penetration. Because this is a relatively deep one, this article will not talk about it for the time being (because I am not very good at it myself).

Generally, a team consists of three people. Responsible for two aspects: one is responsible for defense reinforcement, baseline, WAF, traffic playback and so on. On the one hand, it is responsible for source code audit, writing attack scripts, maintaining permissions and continuous penetration. The specific arrangement depends on the capabilities of the three people.

Attack process

In AWD, the Web attack process is generally divided into four steps: information collection, attack port, attack web service, and permission maintenance. As long as you can score quickly, you don't have to follow these four steps.

information gathering

The first step is to detect the host. Use tools such as nmap or httpscan to scan the intranet survival hosts given by the host to understand the network topology. It will be much easier if the host is given the scope.

The second step is to probe the port. Because all the machines given by the organizer are the same, it's OK to directly see what port you open. If it is not the same, use nmap to scan the common ports. Attack the common ports first, then put them in the background to scan the full ports, and then add the new ports to the attack queue.

The third step is to probe the port service. In general, the port service can be scanned with nmap, and the vulnerability can be scanned with nmap script. However, it is necessary to pay attention to the relevant parameters of nmap, which should be flexibly used according to the situation.

A simple information collection is completed. Besides nmap, you can use familiar tools, such as MSF, to facilitate subsequent penetration.

Port attack

Because AWD needs to be fast, the port usually has weak password, such as the common 22, 3389, 1443, 3306 and other host login and database ports.

I've played in a provincial game and that's what happened. The organizer only gives the IP address of the team machine, gives the user name, needs to enter the machine by itself, and changes the password. If your hand is slow at this time and the blasting script is not ready, your machine will fall into the hands of others. At that time, we were so slow that we could only watch others take our machines and lose points in one round

Web attack

Most of the web languages are PHP, and a small part are Java and python. The web environment here is divided into two situations, one is the framework with existing vulnerabilities, the other is the framework written by the author.

If it is a framework with existing vulnerabilities, it is usually obvious. For example, various vulnerabilities of struts 2 can be found by tool scanning. This needs to be well prepared. The exp library, vulnerability library and various scanning tool libraries should be prepared in the computer so as to quickly exploit the obvious vulnerabilities. All in all, quick hands!

If it is the framework of the author, the common and simple and effective way is to download the whole site source code and audit it directly with tools. For example, in PHP, the general process is to check and kill the D shield first. It is found that there is a reserved back door or webshell horse that is reported to the defensive team-mates for reinforcement.

After the problem of the back door is solved to prevent others from getting points quickly, the next step is source code audit. After finding the problem point, verify it quickly, report it to the defensive team-mates, and start to write attack scripts. Taking PHP as an example, we usually use the source audit tools such as Seay to audit the obvious vulnerabilities.

After the tool scanning, start the regular penetration test, such as file upload, SQL injection, etc., to see if it can be bypassed, find a point and write the utilization script immediately.

Maintenance of authority

What can I do after I get the webshell?

Of course, we need to maintain the authority! The simple webshell can see the good harvest at a glance. In AWD, we give priority to the undead horse and rebound shell, and use the general way of leaving a back door for Trojans to maintain permissions, so as to brush the flag later and then consider improving permissions. Some students don't know what "immortal horse" is. Explain that the main function of "immortal horse" is to generate a shell file in the path after execution, which is used to connect with kitchen knife and other tools. It is a way to maintain permissions.

Small trick: use similar statements like 'find / - name * flag *' or 'grep RN "flag" *' to quickly find out where the flag is, so as to facilitate the subsequent scoring.

Defense process

To put it simply, defensive team-mates do the following things according to priority:

1. Top priority: backup the website source code and database. This function has two functions: first, to prevent yourself from being unable to recover after changing the source code or database of the website by magic; second, the referee will check whether the service is normal at regular intervals; if not, points will be deducted; therefore, the backup can also prevent the adversary from intruding into the host and quickly recovering the service after deleting the source code.

2. System safety inspection. Whether the port 3306 that should not be opened is open, whether SSH login is restricted, whether SSH password is modified, whether MySQL is the default password, and so on. Here you can swipe it with a script.

3. Deploy WAF. Use the WAF prepared in advance and use scripts for rapid deployment, but be aware that the service will not be available after the deployment.

4. Modify authority. For example, MySQL user read table permission, upload directory executable permission and so on.

5. Deploy file monitoring script. Monitor whether the directory with read-write permission adds or deletes files and prompt. Here, if a horse is planted, there are usually several ways to restrain it:

Force kill process and restart service

Create a file or directory with the same name as the immortal horse

Write script to delete files continuously

Keep writing a file with the same name as the immortal horse

6. Deploy traffic monitoring script or turn on server logging. The main purpose is to play back the traffic, see how other tycoons use the loopholes we don't find to hit our machine, and then play back the traffic that we don't understand to other machines directly after grabbing it. It should also be mentioned here that when we attack ourselves, we should also try to confuse our attack traffic, which can't be easily used by others.


I have said so much. Let's summarize. Before the attack and defense competition of AWD, we need to prepare:

1. Various software packages, such as python, curl and so on, in case the machine is not embarrassed

2. A large number of exp libraries and vulnerability libraries, which can put a dark virtual machine for backup

3. Script of reinforcement and baseline inspection

4. WAF code and deployment script

5. AWD special basic code or small framework for batch web shell, batch flag and batch permission maintenance

I hope I can organize a script set and integrate it into a framework in the future, so it will be very comfortable to play AWD~

In addition, some of the resources I collected while writing and preparing for AWD are as follows:

GitHub resources:

- ( A kind of 235) AWD attack and defense script set: < >

- ( A kind of 124) Attack-Defense-Framework: <>

- ( A kind of 99) AWD attack and defense game webshell batch utilization framework: < >

- ( A kind of 28) awd-frame: <>

- ( A kind of 4) WEB-AWD-Framework:<>

- ( A kind of 0) AWD-helper: <>

AWD experience:

-Survival skills in AWD mode of CTF offline race: < >

-Summary of AWD routine of offline CTF competition: < >

-AWD melee strategy: < >

-Preparation and starting mode of offline AWD attack and defense mode of CTF: < >

-2017 strong network cup offline AWD attack and defense summary (for novices): < HTML >

-AWD offensive and defensive offline survival way: [ offensive and defensive offline survival way. HTML] ( E6% 94% BB% E9% 98% B2% E7% Ba% BF% E4% B8% 8b% E7% 94% 9F% E5% ad% 98% E4% B9% 8b% E9% 81% 93. HTML)

-CTF AWD attack and defense note: < >

Authority maintenance:

-Deletion of immortal horse: < >

-Kill immortal horse of AWD attack and defense: < >

-Post penetration in Python can also be used for AWD attack and defense shell Management: < >

-From 0 to 1 to master the RSA of AWD attack and defense: < >

-Senior Daniel teaches you how to maintain the web-side authority (specific steps are attached): [ \ ] (

*Author of this article: lin3ver5ec, this article belongs to freebuf original award program, and is not allowed to be reproduced without permission.