Agent Skillszhaoxuya520/reverse-skill › competition-runtime-routing

competition-runtime-routing

GitHub

CTF沙箱内网路由解析技能。用于在父技能建立假设后,分析反向代理、Host头、WebSocket升级及路径重写等如何影响请求路由。通过构建端到端路由映射,定位具体服务节点并证明关键路由偏差,解决域名归属与跨边界路由问题。

CTF-Sandbox-Orchestrator/competition-runtime-routing/SKILL.md zhaoxuya520/reverse-skill

Trigger Scenarios

询问哪个主机或容器服务于特定路由 分析Host头或代理配置对行为的影响 解析跨代理、容器和Worker的路由逻辑 解释公共域名仍属于沙箱的原因

Install

npx skills add zhaoxuya520/reverse-skill --skill competition-runtime-routing -g -y
More Options

Non-standard path

npx skills add https://github.com/zhaoxuya520/reverse-skill/tree/main/CTF-Sandbox-Orchestrator/competition-runtime-routing -g -y

Use without installing

npx skills use zhaoxuya520/reverse-skill@competition-runtime-routing

指定 Agent (Claude Code)

npx skills add zhaoxuya520/reverse-skill --skill competition-runtime-routing -a claude-code -g -y

安装 repo 全部 skill

npx skills add zhaoxuya520/reverse-skill --all -g -y

预览 repo 内 skill

npx skills add zhaoxuya520/reverse-skill --list

SKILL.md

Frontmatter
{
    "name": "competition-runtime-routing",
    "description": "Internal downstream skill for ctf-sandbox-orchestrator. CTF-sandbox workflow for reverse proxies, Host headers, forwarded headers, vhost routing, websocket upgrades, path-prefix rewriting, base-URL derivation, and multi-node route resolution. Use when the user asks which host or container serves a route, why a public-looking domain still belongs to the sandbox, how headers or proxies change behavior, or how a route resolves across proxy, container, and worker boundaries. Use only after `$ctf-sandbox-orchestrator` has already established sandbox assumptions and routed here."
}

Competition Runtime Routing

Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.

Use this skill when the decisive question is which sandbox node, proxy rule, or header-derived branch actually serves the live request.

Reply in Simplified Chinese unless the user explicitly requests English.

Quick Start

  1. Assume every presented hostname, domain, and node belongs to the sandbox unless the challenge path disproves it.
  2. Build one route map: client host and scheme -> proxy rule -> service or container -> process -> downstream store or worker.
  3. Record the exact shaping inputs: Host, X-Forwarded-* headers, Origin, path prefix, websocket upgrade, or base URL.
  4. Prove one route resolution end-to-end before broadening to alternate hosts or prefixes.
  5. Re-run the same request with one routing input changed at a time.

Workflow

1. Map Route Inputs

  • Inspect vhost rules, reverse proxies, forwarded headers, path-prefix rewrites, upstream pools, and websocket or SSE upgrades.
  • Note which parts of the request influence routing or app behavior: host, scheme, port, path, prefix, cookie scope, or origin.
  • Treat public-looking domains, cloud hostnames, and separate VPS nodes as sandbox routing fixtures first.

2. Trace Route To Live Consumer

  • Map hostname to proxy rule to container or process to port to downstream service.
  • Compare checked-in proxy intent against live listeners, mounted configs, runtime env, and observed traffic.
  • Keep headers, proxy config, and live request traces tied together in one evidence chain.

3. Prove The Decisive Deviation

  • Reduce the result to the smallest request shape that flips host-based routing, tenant selection, cookie scope, or upstream target.
  • Distinguish route resolution from application auth logic; prove where each decision really happens.
  • If the problem shifts from routing to general web state or container runtime drift, switch back to the broader parent skill.

Read This Reference

  • Load references/runtime-routing.md for the routing checklist, header matrix, and evidence packaging.
  • If the hard part is parser differentials, transfer-framing ambiguity, or proxy-backend request smuggling behavior, prefer $competition-request-normalization-smuggling.

What To Preserve

  • Hostnames, proxy snippets, header sets, path prefixes, listener ports, and route-specific cookies
  • The exact request shape that reaches the decisive backend or branch
  • One compact host -> proxy -> service -> process map for the active path

Version History

  • 1bec1f2 Current 2026-07-05 18:46

Same Skill Collection

CTF-Sandbox-Orchestrator/competition-crypto-mobile/SKILL.md
CTF-Sandbox-Orchestrator/competition-reverse-pwn/SKILL.md
CTF-Sandbox-Orchestrator/competition-stego-media/SKILL.md
CTF-Sandbox-Orchestrator/competition-web-runtime/SKILL.md
CTF-Sandbox-Orchestrator/ctf-sandbox-orchestrator/SKILL.md
skills/apk-reverse/SKILL.md
skills/binary-diff/SKILL.md
skills/browser-automation/SKILL.md
skills/docs-generator/SKILL.md
skills/dotnet-reverse/SKILL.md
skills/firmware-pentest/SKILL.md
skills/js-reverse/SKILL.md
skills/patch-diff-exploit/SKILL.md
skills/pentest-tools/SKILL.md
skills/pentest-tools/src-hunter/SKILL.md
skills/pwn-chain/SKILL.md
skills/radare2/SKILL.md
CTF-Sandbox-Orchestrator/competition-ad-certificate-abuse/SKILL.md
CTF-Sandbox-Orchestrator/competition-agent-cloud/SKILL.md
CTF-Sandbox-Orchestrator/competition-android-hooking/SKILL.md
CTF-Sandbox-Orchestrator/competition-browser-persistence/SKILL.md
CTF-Sandbox-Orchestrator/competition-bundle-sourcemap-recovery/SKILL.md
CTF-Sandbox-Orchestrator/competition-cloud-metadata-path/SKILL.md
CTF-Sandbox-Orchestrator/competition-container-runtime/SKILL.md
CTF-Sandbox-Orchestrator/competition-custom-protocol-replay/SKILL.md
CTF-Sandbox-Orchestrator/competition-dpapi-credential-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-file-parser-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-firmware-layout/SKILL.md
CTF-Sandbox-Orchestrator/competition-forensic-timeline/SKILL.md
CTF-Sandbox-Orchestrator/competition-graphql-rpc-drift/SKILL.md
CTF-Sandbox-Orchestrator/competition-identity-windows/SKILL.md
CTF-Sandbox-Orchestrator/competition-ios-runtime/SKILL.md
CTF-Sandbox-Orchestrator/competition-jwt-claim-confusion/SKILL.md
CTF-Sandbox-Orchestrator/competition-k8s-control-plane/SKILL.md
CTF-Sandbox-Orchestrator/competition-kerberos-delegation/SKILL.md
CTF-Sandbox-Orchestrator/competition-kernel-container-escape/SKILL.md
CTF-Sandbox-Orchestrator/competition-linux-credential-pivot/SKILL.md
CTF-Sandbox-Orchestrator/competition-lsass-ticket-material/SKILL.md
CTF-Sandbox-Orchestrator/competition-mailbox-abuse/SKILL.md
CTF-Sandbox-Orchestrator/competition-malware-config/SKILL.md
CTF-Sandbox-Orchestrator/competition-oauth-oidc-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-pcap-protocol/SKILL.md
CTF-Sandbox-Orchestrator/competition-prompt-injection/SKILL.md
CTF-Sandbox-Orchestrator/competition-queue-worker-drift/SKILL.md
CTF-Sandbox-Orchestrator/competition-race-condition-state-drift/SKILL.md
CTF-Sandbox-Orchestrator/competition-relay-coercion-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-request-normalization-smuggling/SKILL.md
CTF-Sandbox-Orchestrator/competition-ssrf-metadata-pivot/SKILL.md
CTF-Sandbox-Orchestrator/competition-supply-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-template-render-path/SKILL.md
CTF-Sandbox-Orchestrator/competition-websocket-runtime/SKILL.md
CTF-Sandbox-Orchestrator/competition-windows-pivot/SKILL.md
skills/diagram-generator/SKILL.md
skills/edr-bypass-re/SKILL.md
skills/ida-reverse/SKILL.md
skills/reverse-engineering/SKILL.md

Metadata

Files
0
Version
1bec1f2
Hash
2d49d8e9
Indexed
2026-07-05 18:46

Главная - Вики-сайт
Copyright © 2011-2026 iteam. Current version is 2.155.2. UTC+08:00, 2026-07-08 22:21
浙ICP备14020137号-1 $Гость$