Agent Skillszhaoxuya520/reverse-skill › competition-dpapi-credential-chain

competition-dpapi-credential-chain

GitHub

用于CTF沙箱中分析DPAPI凭证链的下游技能。协助定位受保护Blob、主密钥及解密上下文,追踪从明文恢复至目标服务接受访问的完整链条,验证Windows秘密的最终利用路径。

CTF-Sandbox-Orchestrator/competition-dpapi-credential-chain/SKILL.md zhaoxuya520/reverse-skill

Trigger Scenarios

用户要求检查DPAPI Blob或主密钥 需要恢复浏览器或凭据管理器的密码 分析受保护的Windows秘密如何被接受为访问权限 追踪DPAPI上下文或域备份密钥的使用情况

Install

npx skills add zhaoxuya520/reverse-skill --skill competition-dpapi-credential-chain -g -y
More Options

Non-standard path

npx skills add https://github.com/zhaoxuya520/reverse-skill/tree/main/CTF-Sandbox-Orchestrator/competition-dpapi-credential-chain -g -y

Use without installing

npx skills use zhaoxuya520/reverse-skill@competition-dpapi-credential-chain

指定 Agent (Claude Code)

npx skills add zhaoxuya520/reverse-skill --skill competition-dpapi-credential-chain -a claude-code -g -y

安装 repo 全部 skill

npx skills add zhaoxuya520/reverse-skill --all -g -y

预览 repo 内 skill

npx skills add zhaoxuya520/reverse-skill --list

SKILL.md

Frontmatter
{
    "name": "competition-dpapi-credential-chain",
    "description": "Internal downstream skill for ctf-sandbox-orchestrator. CTF-sandbox workflow for DPAPI masterkeys, vault blobs, browser credential stores, protected secrets, domain backup keys, and secret-to-acceptance replay chains. Use when the user asks to inspect DPAPI blobs or masterkeys, recover browser or vault credentials, trace DPAPI context or backup-key use, or explain how protected Windows secrets become accepted access or privilege. Use only after `$ctf-sandbox-orchestrator` has already established sandbox assumptions and routed here."
}

Competition Dpapi Credential Chain

Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.

Use this skill when the decisive Windows secret is DPAPI-protected and the hard part is proving which context unwraps it and where the plaintext is accepted.

Reply in Simplified Chinese unless the user explicitly requests English.

Quick Start

  1. Separate protected blob, masterkey, decrypting context, and final accepting service.
  2. Record SID, user or machine context, masterkey path, vault or browser store, and target replay point before broad conclusions.
  3. Keep DPAPI source artifact, unwrap step, plaintext secret, and acceptance edge in one chain.
  4. Distinguish local user DPAPI, machine DPAPI, domain backup key use, and application-specific wrapping.
  5. Reproduce the smallest DPAPI-to-accepted-access path that proves the decisive edge.

Workflow

1. Map Protected Secret And DPAPI Context

  • Record blob source, masterkey location, SID, protector scope, profile path, credential store, and any application wrapper such as browser encryption or vault metadata.
  • Note whether the decisive value lives in Credential Manager, Vault, browser cookies, browser passwords, Wi-Fi profiles, RDP files, or custom app storage.
  • Keep protected artifact, masterkey candidate, and account or machine context tied together.

2. Prove Unwrap And Acceptance

  • Show how the secret is decrypted: user logon material, machine context, domain backup key, or another recovered protector.
  • Record plaintext type, target host or service, replay method, and resulting session, token, or data access.
  • Distinguish successful blob decryption from actual accepted access.

3. Reduce To The Decisive DPAPI Chain

  • Compress the result to the smallest sequence: protected artifact -> masterkey or unwrap context -> plaintext secret -> accepted replay or access -> resulting capability.
  • State clearly whether the decisive edge lives in masterkey recovery, DPAPI scope confusion, application wrapper handling, or the service that accepts the recovered secret.
  • If the task broadens into generic LSASS ticket material or full Windows pivoting, hand back to the tighter host or pivot skill.

Read This Reference

  • Load references/dpapi-credential-chain.md for the blob checklist, masterkey checklist, and evidence packaging.

What To Preserve

  • Blob paths, masterkey paths, SIDs, protector scope, store names, and application wrapper details
  • The exact accepting service or dataset unlocked by the recovered plaintext
  • One minimal protected-artifact-to-accepted-access sequence that proves the edge

Version History

  • 1bec1f2 Current 2026-07-05 18:44

Same Skill Collection

CTF-Sandbox-Orchestrator/competition-crypto-mobile/SKILL.md
CTF-Sandbox-Orchestrator/competition-reverse-pwn/SKILL.md
CTF-Sandbox-Orchestrator/competition-stego-media/SKILL.md
CTF-Sandbox-Orchestrator/competition-web-runtime/SKILL.md
CTF-Sandbox-Orchestrator/ctf-sandbox-orchestrator/SKILL.md
skills/apk-reverse/SKILL.md
skills/binary-diff/SKILL.md
skills/browser-automation/SKILL.md
skills/docs-generator/SKILL.md
skills/dotnet-reverse/SKILL.md
skills/firmware-pentest/SKILL.md
skills/js-reverse/SKILL.md
skills/patch-diff-exploit/SKILL.md
skills/pentest-tools/SKILL.md
skills/pentest-tools/src-hunter/SKILL.md
skills/pwn-chain/SKILL.md
skills/radare2/SKILL.md
CTF-Sandbox-Orchestrator/competition-ad-certificate-abuse/SKILL.md
CTF-Sandbox-Orchestrator/competition-agent-cloud/SKILL.md
CTF-Sandbox-Orchestrator/competition-android-hooking/SKILL.md
CTF-Sandbox-Orchestrator/competition-browser-persistence/SKILL.md
CTF-Sandbox-Orchestrator/competition-bundle-sourcemap-recovery/SKILL.md
CTF-Sandbox-Orchestrator/competition-cloud-metadata-path/SKILL.md
CTF-Sandbox-Orchestrator/competition-container-runtime/SKILL.md
CTF-Sandbox-Orchestrator/competition-custom-protocol-replay/SKILL.md
CTF-Sandbox-Orchestrator/competition-file-parser-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-firmware-layout/SKILL.md
CTF-Sandbox-Orchestrator/competition-forensic-timeline/SKILL.md
CTF-Sandbox-Orchestrator/competition-graphql-rpc-drift/SKILL.md
CTF-Sandbox-Orchestrator/competition-identity-windows/SKILL.md
CTF-Sandbox-Orchestrator/competition-ios-runtime/SKILL.md
CTF-Sandbox-Orchestrator/competition-jwt-claim-confusion/SKILL.md
CTF-Sandbox-Orchestrator/competition-k8s-control-plane/SKILL.md
CTF-Sandbox-Orchestrator/competition-kerberos-delegation/SKILL.md
CTF-Sandbox-Orchestrator/competition-kernel-container-escape/SKILL.md
CTF-Sandbox-Orchestrator/competition-linux-credential-pivot/SKILL.md
CTF-Sandbox-Orchestrator/competition-lsass-ticket-material/SKILL.md
CTF-Sandbox-Orchestrator/competition-mailbox-abuse/SKILL.md
CTF-Sandbox-Orchestrator/competition-malware-config/SKILL.md
CTF-Sandbox-Orchestrator/competition-oauth-oidc-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-pcap-protocol/SKILL.md
CTF-Sandbox-Orchestrator/competition-prompt-injection/SKILL.md
CTF-Sandbox-Orchestrator/competition-queue-worker-drift/SKILL.md
CTF-Sandbox-Orchestrator/competition-race-condition-state-drift/SKILL.md
CTF-Sandbox-Orchestrator/competition-relay-coercion-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-request-normalization-smuggling/SKILL.md
CTF-Sandbox-Orchestrator/competition-runtime-routing/SKILL.md
CTF-Sandbox-Orchestrator/competition-ssrf-metadata-pivot/SKILL.md
CTF-Sandbox-Orchestrator/competition-supply-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-template-render-path/SKILL.md
CTF-Sandbox-Orchestrator/competition-websocket-runtime/SKILL.md
CTF-Sandbox-Orchestrator/competition-windows-pivot/SKILL.md
skills/diagram-generator/SKILL.md
skills/edr-bypass-re/SKILL.md
skills/ida-reverse/SKILL.md
skills/reverse-engineering/SKILL.md

Metadata

Files
0
Version
1bec1f2
Hash
029cf398
Indexed
2026-07-05 18:44

Главная - Вики-сайт
Copyright © 2011-2026 iteam. Current version is 2.155.2. UTC+08:00, 2026-07-09 04:23
浙ICP备14020137号-1 $Гость$