competition-dpapi-credential-chain
Competition DPAPI Credential Chain
Use this skill only as a downstream specialization after `$ctf-sandbox-orchestrator` is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to `$ctf-sandbox-orchestrator` first.
Use this skill when the decisive Windows secret is DPAPI-protected and the hard part is proving which context unwraps it and where the plaintext is accepted.
Reply in Simplified Chinese unless the user explicitly requests English.
Quick Start
- Separate protected blob, masterkey, decrypting context, and final accepting service.
- Record SID, user or machine context, masterkey path, vault or browser store, and target replay point before broad conclusions.
- Keep DPAPI source artifact, unwrap step, plaintext secret, and acceptance edge in one chain.
- Distinguish local user DPAPI, machine DPAPI, domain backup key use, and application-specific wrapping.
- Reproduce the smallest DPAPI-to-accepted-access path that proves the decisive edge.
Workflow
1. Map Protected Secret And DPAPI Context
- Record blob source, masterkey location, SID, protector scope, profile path, credential store, and any application wrapper such as browser encryption or vault metadata.
- Note whether the decisive value lives in Credential Manager, Vault, browser cookies, browser passwords, Wi-Fi profiles, RDP files, or custom app storage.
- Keep protected artifact, masterkey candidate, and account or machine context tied together.
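Most of what Step 1 asks you to record (masterkey GUID, protection scope, algorithm choices) is carried in the blob header itself, so it can be captured before any unwrap attempt and tied to the artifact. The following is an added example, not part of the original skill or its reference file: a Python parser for the raw CryptProtectData blob layout (the documented DPAPI_BLOB structure) that extracts those header fields without decrypting anything. The sample blob it builds is constructed here with placeholder bytes: the masterkey GUID, salt, ciphertext and HMAC values are all made up. Decoding the `CRYPTPROTECT_LOCAL_MACHINE` flag also gives the header-level evidence for the user-versus-machine DPAPI distinction called out in Quick Start.

```python
"""Added example (not from the original skill): parse a raw DPAPI blob header.

Records Step 1 evidence (masterkey GUID, scope, algorithms) without decrypting.
Layout follows the documented DPAPI_BLOB structure written by CryptProtectData.
Sample blobs are constructed in-script with placeholder bytes, not real key material.
"""
import struct
import uuid
from dataclasses import dataclass

# Fixed provider GUID at the start of every CryptProtectData blob.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
CRYPTPROTECT_LOCAL_MACHINE = 0x4  # machine-scope protector (S-1-5-18 masterkey)

FLAG_NAMES = {0x1: "UI_FORBIDDEN", 0x4: "LOCAL_MACHINE", 0x8: "CRED_SYNC",
              0x10: "AUDIT", 0x40: "VERIFY_PROTECTION", 0x80: "CRED_REGENERATE",
              0x20000000: "SYSTEM"}
ALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256",
             0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}


@dataclass
class DpapiBlobHeader:
    masterkey_version: int
    masterkey_guid: str      # string form == masterkey file name under ...\Protect\<SID>\
    flags: int
    description: str
    crypt_alg: int
    crypt_key_bits: int
    salt: bytes
    hash_alg: int
    hash_bits: int
    ciphertext_len: int
    signature_len: int

    @property
    def scope(self) -> str:
        """Which protector unwraps this blob: the machine key or a user's key."""
        return "machine" if self.flags & CRYPTPROTECT_LOCAL_MACHINE else "user"

    def summary(self) -> dict:
        flags = [n for bit, n in FLAG_NAMES.items() if self.flags & bit] or ["none"]
        return {"scope": self.scope, "masterkey_guid": self.masterkey_guid,
                "flags": flags, "description": self.description,
                "crypt_alg": ALG_NAMES.get(self.crypt_alg, hex(self.crypt_alg)),
                "hash_alg": ALG_NAMES.get(self.hash_alg, hex(self.hash_alg)),
                "ciphertext_len": self.ciphertext_len}


class _Reader:
    """Bounds-checked little-endian cursor; truncated input raises ValueError."""
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated DPAPI blob")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u32(self) -> int:
        return struct.unpack("<I", self.take(4))[0]

    def guid(self) -> str:
        return str(uuid.UUID(bytes_le=self.take(16)))  # Windows mixed-endian GUID

    def lp(self) -> bytes:  # DWORD length followed by that many bytes
        return self.take(self.u32())


def parse_dpapi_blob(blob: bytes) -> DpapiBlobHeader:
    r = _Reader(blob)
    if r.u32() != 1 or r.guid() != str(DPAPI_PROVIDER_GUID):
        raise ValueError("not a raw DPAPI blob (version/provider GUID mismatch)")
    mk_version, mk_guid, flags = r.u32(), r.guid(), r.u32()
    description = r.lp().decode("utf-16-le").rstrip("\x00")
    crypt_alg, crypt_bits = r.u32(), r.u32()
    salt = r.lp()
    r.lp()                               # legacy HMAC key, normally empty
    hash_alg, hash_bits = r.u32(), r.u32()
    r.lp()                               # legacy HMAC2 key, normally empty
    data, sign = r.lp(), r.lp()          # ciphertext, then HMAC over the blob
    if r.pos != len(blob):
        raise ValueError("trailing bytes after DPAPI blob")
    return DpapiBlobHeader(mk_version, mk_guid, flags, description, crypt_alg,
                           crypt_bits, salt, hash_alg, hash_bits, len(data), len(sign))


def is_well_formed(blob: bytes) -> bool:
    try:
        parse_dpapi_blob(blob)
        return True
    except ValueError:
        return False


def build_sample_blob(masterkey_guid: str, flags: int, description: str) -> bytes:
    """Constructed test vector: placeholder salt, ciphertext and HMAC bytes."""
    def lp(b: bytes) -> bytes:
        return struct.pack("<I", len(b)) + b
    return b"".join([
        struct.pack("<I", 1), DPAPI_PROVIDER_GUID.bytes_le,
        struct.pack("<I", 1), uuid.UUID(masterkey_guid).bytes_le,
        struct.pack("<I", flags), lp((description + "\x00").encode("utf-16-le")),
        struct.pack("<II", 0x6610, 256), lp(bytes(range(32))), lp(b""),
        struct.pack("<II", 0x800E, 512), lp(b""),
        lp(b"\xaa" * 48), lp(b"\xbb" * 64),
    ])


if __name__ == "__main__":
    # Placeholder GUID, not a real masterkey identifier.
    sample = build_sample_blob("11111111-2222-3333-4444-555555555555",
                               CRYPTPROTECT_LOCAL_MACHINE, "SampleMachineBlob")
    print(parse_dpapi_blob(sample).summary())
```

The `masterkey_guid` string is the file name to look for under the user's `Protect\<SID>` directory (or the `S-1-5-18` directory when `scope` is `machine`), which is exactly the blob-to-masterkey binding the checklist wants written down before any unwrap claim. Blobs embedded in application containers (Credential Manager files, browser stores) carry their own outer framing, so strip that first and hand only the raw CryptProtectData bytes to `parse_dpapi_blob`.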
2. Prove Unwrap And Acceptance
- Show how the secret is decrypted: user logon material, machine context, domain backup key, or another recovered protector.
- Record plaintext type, target host or service, replay method, and resulting session, token, or data access.
- Distinguish successful blob decryption from actual accepted access.
3. Reduce To The Decisive DPAPI Chain
- Compress the result to the smallest sequence: protected artifact -> masterkey or unwrap context -> plaintext secret -> accepted replay or access -> resulting capability.
- State clearly whether the decisive edge lives in masterkey recovery, DPAPI scope confusion, application wrapper handling, or the service that accepts the recovered secret.
- If the task broadens into generic LSASS ticket material or full Windows pivoting, hand back to the tighter host or pivot skill.
Read This Reference
- Load `references/dpapi-credential-chain.md` for the blob checklist, masterkey checklist, and evidence packaging.
What To Preserve
- Blob paths, masterkey paths, SIDs, protector scope, store names, and application wrapper details
- The exact accepting service or dataset unlocked by the recovered plaintext
- One minimal protected-artifact-to-accepted-access sequence that proves the edge