Agent Skillszhaoxuya520/reverse-skill › competition-cloud-metadata-path

competition-cloud-metadata-path

GitHub

CTF沙箱下游技能,用于分析云元数据到特权的信任链。在沙箱建立后,识别元数据访问路径、凭证签发及特权接受过程,复现最小化攻击链以证明漏洞。

CTF-Sandbox-Orchestrator/competition-cloud-metadata-path/SKILL.md zhaoxuya520/reverse-skill

Trigger Scenarios

用户询问如何从元数据派生出的凭证转换为接受的云或控制平面权限 需要检查元数据服务访问、实例凭证、工作负载身份或SSRF到元数据升级的路径

Install

npx skills add zhaoxuya520/reverse-skill --skill competition-cloud-metadata-path -g -y
More Options

Non-standard path

npx skills add https://github.com/zhaoxuya520/reverse-skill/tree/main/CTF-Sandbox-Orchestrator/competition-cloud-metadata-path -g -y

Use without installing

npx skills use zhaoxuya520/reverse-skill@competition-cloud-metadata-path

指定 Agent (Claude Code)

npx skills add zhaoxuya520/reverse-skill --skill competition-cloud-metadata-path -a claude-code -g -y

安装 repo 全部 skill

npx skills add zhaoxuya520/reverse-skill --all -g -y

预览 repo 内 skill

npx skills add zhaoxuya520/reverse-skill --list

SKILL.md

Frontmatter
{
    "name": "competition-cloud-metadata-path",
    "description": "Internal downstream skill for ctf-sandbox-orchestrator. CTF-sandbox workflow for cloud metadata services, instance identity, workload identity, link-local credential paths, role assumption, and metadata-to-privilege trust edges. Use when the user asks to inspect metadata-service access, instance credentials, pod or workload identity, link-local token paths, SSRF-to-metadata escalation, or explain how metadata-derived credentials turn into accepted cloud or control-plane privilege. Use only after `$ctf-sandbox-orchestrator` has already established sandbox assumptions and routed here."
}

Competition Cloud Metadata Path

Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.

Use this skill when the decisive edge is not just reaching metadata, but proving how metadata-derived identity becomes accepted privilege.

Reply in Simplified Chinese unless the user explicitly requests English.

Quick Start

  1. Identify which metadata surface is active: instance metadata, workload identity, node identity, task role, or platform-specific token endpoint.
  2. Record the exact reachability path: local process, pod, container, proxy, SSRF surface, or host route.
  3. Separate metadata reachability from credential issuance and from downstream privilege acceptance.
  4. Keep token format, role identity, scope, and accepting API in compact evidence blocks.
  5. Reproduce the smallest metadata-to-accepted-privilege path that proves the challenge edge.

Workflow

1. Map Metadata Reachability

  • Record the metadata endpoint, required headers, hop limits, session tokens, workload selectors, or path prefixes.
  • Note whether access comes from direct local calls, pod networking, SSRF, sidecar, or host-level routing.
  • Keep the reaching surface and the metadata endpoint in one chain.

2. Prove Credential Or Identity Issuance

  • Show how the metadata response becomes a token, temporary credential, signed identity doc, or platform-specific workload identity.
  • Record expiration, role name, subject, audience, issuer, or cloud account mapping that matters downstream.
  • Distinguish raw metadata from usable credential material.

3. Reduce To The Decisive Trust Path

  • Compress the result to the smallest sequence: reaching surface -> metadata call -> credential issued -> accepted cloud or cluster action.
  • State clearly whether the weakness lives in reachability, metadata config, role trust, downstream policy, or workload binding.
  • If the challenge narrows to RBAC or cluster mutation after credential issuance, switch back to the tighter control-plane skill.

Read This Reference

  • Load references/cloud-metadata-path.md for the reachability checklist, token checklist, and evidence packaging.
  • If the hard part is first proving a server-side fetch primitive, SSRF reachability, or internal endpoint traversal before metadata itself, prefer $competition-ssrf-metadata-pivot.

What To Preserve

  • Metadata endpoints, required headers, reachability path, issued tokens or creds, and accepted APIs
  • Role names, audiences, issuers, account bindings, and privilege-bearing actions
  • The smallest replayable metadata-to-privilege chain

Version History

  • 1bec1f2 Current 2026-07-05 18:44

Same Skill Collection

CTF-Sandbox-Orchestrator/competition-crypto-mobile/SKILL.md
CTF-Sandbox-Orchestrator/competition-reverse-pwn/SKILL.md
CTF-Sandbox-Orchestrator/competition-stego-media/SKILL.md
CTF-Sandbox-Orchestrator/competition-web-runtime/SKILL.md
CTF-Sandbox-Orchestrator/ctf-sandbox-orchestrator/SKILL.md
skills/apk-reverse/SKILL.md
skills/binary-diff/SKILL.md
skills/browser-automation/SKILL.md
skills/docs-generator/SKILL.md
skills/dotnet-reverse/SKILL.md
skills/firmware-pentest/SKILL.md
skills/js-reverse/SKILL.md
skills/patch-diff-exploit/SKILL.md
skills/pentest-tools/SKILL.md
skills/pentest-tools/src-hunter/SKILL.md
skills/pwn-chain/SKILL.md
skills/radare2/SKILL.md
CTF-Sandbox-Orchestrator/competition-ad-certificate-abuse/SKILL.md
CTF-Sandbox-Orchestrator/competition-agent-cloud/SKILL.md
CTF-Sandbox-Orchestrator/competition-android-hooking/SKILL.md
CTF-Sandbox-Orchestrator/competition-browser-persistence/SKILL.md
CTF-Sandbox-Orchestrator/competition-bundle-sourcemap-recovery/SKILL.md
CTF-Sandbox-Orchestrator/competition-container-runtime/SKILL.md
CTF-Sandbox-Orchestrator/competition-custom-protocol-replay/SKILL.md
CTF-Sandbox-Orchestrator/competition-dpapi-credential-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-file-parser-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-firmware-layout/SKILL.md
CTF-Sandbox-Orchestrator/competition-forensic-timeline/SKILL.md
CTF-Sandbox-Orchestrator/competition-graphql-rpc-drift/SKILL.md
CTF-Sandbox-Orchestrator/competition-identity-windows/SKILL.md
CTF-Sandbox-Orchestrator/competition-ios-runtime/SKILL.md
CTF-Sandbox-Orchestrator/competition-jwt-claim-confusion/SKILL.md
CTF-Sandbox-Orchestrator/competition-k8s-control-plane/SKILL.md
CTF-Sandbox-Orchestrator/competition-kerberos-delegation/SKILL.md
CTF-Sandbox-Orchestrator/competition-kernel-container-escape/SKILL.md
CTF-Sandbox-Orchestrator/competition-linux-credential-pivot/SKILL.md
CTF-Sandbox-Orchestrator/competition-lsass-ticket-material/SKILL.md
CTF-Sandbox-Orchestrator/competition-mailbox-abuse/SKILL.md
CTF-Sandbox-Orchestrator/competition-malware-config/SKILL.md
CTF-Sandbox-Orchestrator/competition-oauth-oidc-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-pcap-protocol/SKILL.md
CTF-Sandbox-Orchestrator/competition-prompt-injection/SKILL.md
CTF-Sandbox-Orchestrator/competition-queue-worker-drift/SKILL.md
CTF-Sandbox-Orchestrator/competition-race-condition-state-drift/SKILL.md
CTF-Sandbox-Orchestrator/competition-relay-coercion-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-request-normalization-smuggling/SKILL.md
CTF-Sandbox-Orchestrator/competition-runtime-routing/SKILL.md
CTF-Sandbox-Orchestrator/competition-ssrf-metadata-pivot/SKILL.md
CTF-Sandbox-Orchestrator/competition-supply-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-template-render-path/SKILL.md
CTF-Sandbox-Orchestrator/competition-websocket-runtime/SKILL.md
CTF-Sandbox-Orchestrator/competition-windows-pivot/SKILL.md
skills/diagram-generator/SKILL.md
skills/edr-bypass-re/SKILL.md
skills/ida-reverse/SKILL.md
skills/reverse-engineering/SKILL.md

Metadata

Files
0
Version
1bec1f2
Hash
5f15e808
Indexed
2026-07-05 18:44

Главная - Вики-сайт
Copyright © 2011-2026 iteam. Current version is 2.155.2. UTC+08:00, 2026-07-08 23:24
浙ICP备14020137号-1 $Гость$