competition-ssrf-metadata-pivot
GitHubCTF沙箱下游技能,用于追踪SSRF源、探测内网主机及元数据服务、提取凭证并分析权限提升链。需在主编排器激活后使用,专注于将服务端请求漏洞转化为实际访问权限的完整路径还原。
Trigger Scenarios
Install
npx skills add zhaoxuya520/reverse-skill --skill competition-ssrf-metadata-pivot -g -y
SKILL.md
Frontmatter
{
"name": "competition-ssrf-metadata-pivot",
"description": "Internal downstream skill for ctf-sandbox-orchestrator. CTF-sandbox workflow for SSRF reachability, internal route probing, metadata-service access, credential pivoting, and token-to-accepted-privilege chains. Use when the user asks to trace SSRF sources, internal hosts, metadata endpoints, link-local tokens, service-account credentials, or explain how a server-side fetch edge turns into accepted access. Use only after `$ctf-sandbox-orchestrator` has already established sandbox assumptions and routed here."
}
Competition SSRF Metadata Pivot
Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.
Use this skill when the decisive path runs through server-side request capability, internal service reachability, or metadata-derived credentials.
Reply in Simplified Chinese unless the user explicitly requests English.
Quick Start
- Separate the SSRF source, forwarding layer, reachable target, and accepted downstream credential edge.
- Record request method, URL construction, header behavior, redirects, DNS or host overrides, and response shaping before mutation.
- Map internal host, metadata endpoint, token extraction, and accepting service as one chain.
- Distinguish read-only reachability from credential-bearing access.
- Reproduce the smallest SSRF-to-accepted-access path.
Workflow
1. Map SSRF Reachability
- Record source primitive: URL parameter, webhook, image fetcher, importer, proxy endpoint, or backend callback.
- Note normalization steps: scheme filtering, host allowlists, redirects, DNS resolution, path rewrite, and header injection.
- Keep target host, protocol, and response behavior tied to the exact SSRF source.
2. Trace Metadata And Credential Pivot
- Show whether metadata endpoints, internal control APIs, or workload identity services are reachable.
- Record token fields, role scope, service account, expiration, and where the token is accepted.
- Distinguish credential extraction success from accepted privilege at a downstream service.
3. Reduce To Decisive SSRF Chain
- Compress to: SSRF source -> internal or metadata target -> credential or sensitive response -> accepted replay or API access.
- State whether the decisive edge is parser bypass, allowlist bypass, redirect abuse, header confusion, or metadata trust.
- If the task becomes mostly cloud identity policy analysis, hand off to the tighter cloud metadata skill.
Read This Reference
- Load
references/ssrf-metadata-pivot.mdfor SSRF checklists, metadata pivots, and evidence packaging.
What To Preserve
- SSRF source point, URL construction rules, reachable hosts, and response deltas
- Extracted token or credential fields, scope, and accepting service
- One minimal SSRF-to-accepted-access replay path
Version History
- 1bec1f2 Current 2026-07-05 18:46


