competition-linux-credential-pivot


Competition Linux Credential Pivot


Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.
Use this skill when the decisive edge is Linux credential material: which artifact was recovered, and which service or host actually accepts it.
Reply in Simplified Chinese unless the user explicitly requests English.

Quick Start

快速开始

  1. Separate where a credential is stored from the privilege it is actually accepted for.
  2. Record user, process, namespace, socket, key file, and service trust boundary before drawing conclusions.
  3. Keep artifact recovery, replay path, and resulting capability in one chain.
  4. Distinguish local escalation (same host, new principal) from lateral host pivot (new host or namespace).
  5. Reproduce one minimal artifact-to-accepted-access path.

Workflow

工作流

1. Map Credential And Trust Artifacts

1. 梳理凭据与信任工件

  • Record SSH keys, agent sockets, kubeconfigs, cloud tokens, service-account secrets, env vars, config files, and process memory clues.
  • Note sudoers rules, capabilities, setuid binaries, systemd unit context, and namespace boundaries.
  • Keep each artifact tied to owner, scope, and expected accepting service.

2. Prove Replay And Pivot

2. 验证重放与横向移动

  • Show where key, token, socket, or secret is accepted: SSH, API, Unix socket, container runtime, or control-plane endpoint.
  • Record host target, protocol, principal, and resulting session or privilege.
  • Distinguish authentication success from useful capability gain.

3. Reduce To Decisive Linux Pivot Chain

3. 提炼核心Linux横向移动链

  • Compress to: recovered artifact -> accepted replay path -> pivot host or privilege transition -> resulting capability.
  • State whether root cause is weak key handling, token leakage, socket trust, sudo or capability abuse, or namespace crossover.
  • If the chain crosses into a kernel exploit boundary (the accepted artifact only matters because it reaches a kernel bug), hand off to the kernel container escape skill.

Read This Reference

参考资料

  • Load references/linux-credential-pivot.md for artifact checklists, replay matrix, and evidence packaging.

What To Preserve

需要留存的内容

  • Artifact path, owner, scope, accepting service, and resulting principal
  • Exact pivot order with protocol and target host or namespace
  • One minimal replayable chain proving capability gain