Agent Skillszhaoxuya520/reverse-skill › competition-ssrf-metadata-pivot

competition-ssrf-metadata-pivot

GitHub

CTF沙箱下游技能,用于追踪SSRF源、探测内网主机及元数据服务、提取凭证并分析权限提升链。需在主编排器激活后使用,专注于将服务端请求漏洞转化为实际访问权限的完整路径还原。

CTF-Sandbox-Orchestrator/competition-ssrf-metadata-pivot/SKILL.md zhaoxuya520/reverse-skill

Trigger Scenarios

用户要求追溯SSRF来源或内部主机可达性 需要分析元数据端点、令牌或凭证 pivoting 解释服务端请求如何转化为已接受的访问权限

Install

npx skills add zhaoxuya520/reverse-skill --skill competition-ssrf-metadata-pivot -g -y
More Options

Non-standard path

npx skills add https://github.com/zhaoxuya520/reverse-skill/tree/main/CTF-Sandbox-Orchestrator/competition-ssrf-metadata-pivot -g -y

Use without installing

npx skills use zhaoxuya520/reverse-skill@competition-ssrf-metadata-pivot

指定 Agent (Claude Code)

npx skills add zhaoxuya520/reverse-skill --skill competition-ssrf-metadata-pivot -a claude-code -g -y

安装 repo 全部 skill

npx skills add zhaoxuya520/reverse-skill --all -g -y

预览 repo 内 skill

npx skills add zhaoxuya520/reverse-skill --list

SKILL.md

Frontmatter
{
    "name": "competition-ssrf-metadata-pivot",
    "description": "Internal downstream skill for ctf-sandbox-orchestrator. CTF-sandbox workflow for SSRF reachability, internal route probing, metadata-service access, credential pivoting, and token-to-accepted-privilege chains. Use when the user asks to trace SSRF sources, internal hosts, metadata endpoints, link-local tokens, service-account credentials, or explain how a server-side fetch edge turns into accepted access. Use only after `$ctf-sandbox-orchestrator` has already established sandbox assumptions and routed here."
}

Competition SSRF Metadata Pivot

Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.

Use this skill when the decisive path runs through server-side request capability, internal service reachability, or metadata-derived credentials.

Reply in Simplified Chinese unless the user explicitly requests English.

Quick Start

  1. Separate the SSRF source, forwarding layer, reachable target, and accepted downstream credential edge.
  2. Record request method, URL construction, header behavior, redirects, DNS or host overrides, and response shaping before mutation.
  3. Map internal host, metadata endpoint, token extraction, and accepting service as one chain.
  4. Distinguish read-only reachability from credential-bearing access.
  5. Reproduce the smallest SSRF-to-accepted-access path.

Workflow

1. Map SSRF Reachability

  • Record source primitive: URL parameter, webhook, image fetcher, importer, proxy endpoint, or backend callback.
  • Note normalization steps: scheme filtering, host allowlists, redirects, DNS resolution, path rewrite, and header injection.
  • Keep target host, protocol, and response behavior tied to the exact SSRF source.

2. Trace Metadata And Credential Pivot

  • Show whether metadata endpoints, internal control APIs, or workload identity services are reachable.
  • Record token fields, role scope, service account, expiration, and where the token is accepted.
  • Distinguish credential extraction success from accepted privilege at a downstream service.

3. Reduce To Decisive SSRF Chain

  • Compress to: SSRF source -> internal or metadata target -> credential or sensitive response -> accepted replay or API access.
  • State whether the decisive edge is parser bypass, allowlist bypass, redirect abuse, header confusion, or metadata trust.
  • If the task becomes mostly cloud identity policy analysis, hand off to the tighter cloud metadata skill.

Read This Reference

  • Load references/ssrf-metadata-pivot.md for SSRF checklists, metadata pivots, and evidence packaging.

What To Preserve

  • SSRF source point, URL construction rules, reachable hosts, and response deltas
  • Extracted token or credential fields, scope, and accepting service
  • One minimal SSRF-to-accepted-access replay path

Version History

  • 1bec1f2 Current 2026-07-05 18:46

Same Skill Collection

CTF-Sandbox-Orchestrator/competition-crypto-mobile/SKILL.md
CTF-Sandbox-Orchestrator/competition-reverse-pwn/SKILL.md
CTF-Sandbox-Orchestrator/competition-stego-media/SKILL.md
CTF-Sandbox-Orchestrator/competition-web-runtime/SKILL.md
CTF-Sandbox-Orchestrator/ctf-sandbox-orchestrator/SKILL.md
skills/apk-reverse/SKILL.md
skills/binary-diff/SKILL.md
skills/browser-automation/SKILL.md
skills/docs-generator/SKILL.md
skills/dotnet-reverse/SKILL.md
skills/firmware-pentest/SKILL.md
skills/js-reverse/SKILL.md
skills/patch-diff-exploit/SKILL.md
skills/pentest-tools/SKILL.md
skills/pentest-tools/src-hunter/SKILL.md
skills/pwn-chain/SKILL.md
skills/radare2/SKILL.md
CTF-Sandbox-Orchestrator/competition-ad-certificate-abuse/SKILL.md
CTF-Sandbox-Orchestrator/competition-agent-cloud/SKILL.md
CTF-Sandbox-Orchestrator/competition-android-hooking/SKILL.md
CTF-Sandbox-Orchestrator/competition-browser-persistence/SKILL.md
CTF-Sandbox-Orchestrator/competition-bundle-sourcemap-recovery/SKILL.md
CTF-Sandbox-Orchestrator/competition-cloud-metadata-path/SKILL.md
CTF-Sandbox-Orchestrator/competition-container-runtime/SKILL.md
CTF-Sandbox-Orchestrator/competition-custom-protocol-replay/SKILL.md
CTF-Sandbox-Orchestrator/competition-dpapi-credential-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-file-parser-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-firmware-layout/SKILL.md
CTF-Sandbox-Orchestrator/competition-forensic-timeline/SKILL.md
CTF-Sandbox-Orchestrator/competition-graphql-rpc-drift/SKILL.md
CTF-Sandbox-Orchestrator/competition-identity-windows/SKILL.md
CTF-Sandbox-Orchestrator/competition-ios-runtime/SKILL.md
CTF-Sandbox-Orchestrator/competition-jwt-claim-confusion/SKILL.md
CTF-Sandbox-Orchestrator/competition-k8s-control-plane/SKILL.md
CTF-Sandbox-Orchestrator/competition-kerberos-delegation/SKILL.md
CTF-Sandbox-Orchestrator/competition-kernel-container-escape/SKILL.md
CTF-Sandbox-Orchestrator/competition-linux-credential-pivot/SKILL.md
CTF-Sandbox-Orchestrator/competition-lsass-ticket-material/SKILL.md
CTF-Sandbox-Orchestrator/competition-mailbox-abuse/SKILL.md
CTF-Sandbox-Orchestrator/competition-malware-config/SKILL.md
CTF-Sandbox-Orchestrator/competition-oauth-oidc-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-pcap-protocol/SKILL.md
CTF-Sandbox-Orchestrator/competition-prompt-injection/SKILL.md
CTF-Sandbox-Orchestrator/competition-queue-worker-drift/SKILL.md
CTF-Sandbox-Orchestrator/competition-race-condition-state-drift/SKILL.md
CTF-Sandbox-Orchestrator/competition-relay-coercion-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-request-normalization-smuggling/SKILL.md
CTF-Sandbox-Orchestrator/competition-runtime-routing/SKILL.md
CTF-Sandbox-Orchestrator/competition-supply-chain/SKILL.md
CTF-Sandbox-Orchestrator/competition-template-render-path/SKILL.md
CTF-Sandbox-Orchestrator/competition-websocket-runtime/SKILL.md
CTF-Sandbox-Orchestrator/competition-windows-pivot/SKILL.md
skills/diagram-generator/SKILL.md
skills/edr-bypass-re/SKILL.md
skills/ida-reverse/SKILL.md
skills/reverse-engineering/SKILL.md

Metadata

Files
0
Version
1bec1f2
Hash
e54eea6f
Indexed
2026-07-05 18:46

trang chủ - Wiki
Copyright © 2011-2026 iteam. Current version is 2.155.2. UTC+08:00, 2026-07-09 05:30
浙ICP备14020137号-1 $bản đồ khách truy cập$