competition-lsass-ticket-material
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseCompetition LSASS Ticket Material
赛事场景LSASS票据材料
Use this skill only as a downstream specialization after is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to first.
$ctf-sandbox-orchestrator$ctf-sandbox-orchestratorUse this skill when the decisive host artifact lives in LSASS, ticket caches, or adjacent credential material and the hard part is proving what is replayable.
Reply in Simplified Chinese unless the user explicitly requests English.
仅在已激活并完成沙箱假设设定、节点所有权确认和证据优先级划分后,才可将此技能作为下游专项能力使用。如果还未完成上述步骤,请先返回处理。
$ctf-sandbox-orchestrator$ctf-sandbox-orchestrator当核心主机工件存在于LSASS、票据缓存或相邻凭据材料中,且核心难点是证明哪些内容可重放时,使用此技能。
除非用户明确要求使用英文,否则请使用简体中文回复。
Quick Start
快速开始
- Separate raw credential material from actually usable replay edges.
- Record logon session, LUID, ticket cache, package, account, and target service before broad conclusions.
- Keep host artifact, extracted secret, replay attempt, and resulting acceptance in one chain.
- Distinguish password, hash, ticket, DPAPI secret, SSP residue, and token by where each can actually be used.
- Reproduce the smallest host-artifact-to-accepted-privilege path that proves the decisive edge.
- 将原始凭据材料与实际可用的重放边界区分开。
- 在得出宽泛结论前,先记录登录会话、LUID、票据缓存、包、账户和目标服务信息。
- 将主机工件、提取的机密、重放尝试和最终的接受结果关联在同一链路中。
- 根据实际适用场景区分密码、哈希、票据、DPAPI机密、SSP残留和令牌。
- 复现能够证明核心边界的最短路径:从主机工件到已验证权限的完整链路。
Workflow
工作流程
1. Map LSASS And Adjacent Credential State
1. 梳理LSASS及相邻凭据状态
- Record logon sessions, LUIDs, ticket caches, package names, SSPs, DPAPI context, and any service-account material tied to the active path.
- Note whether the decisive value is a TGT, service ticket, delegated ticket, DPAPI secret, plaintext, hash, or package-specific secret.
- Keep host source, account context, and cache location tied together.
- 记录登录会话、LUID、票据缓存、包名称、SSP、DPAPI上下文,以及所有与活动路径关联的服务账户材料。
- 标注核心值的类型:TGT、服务票据、委派票据、DPAPI机密、明文、哈希或特定包专属机密。
- 将主机来源、账户上下文和缓存位置相互关联保存。
2. Prove Replay Or Acceptance
2. 验证重放或可接受性
- Show where the extracted material is accepted: SMB, WinRM, service ticket use, DPAPI unwrap, Schannel, or another host or service edge.
- Record SPN, target host, logon session, ticket flags, encryption type, and resulting privilege or token change.
- Distinguish material that is present from material that is actually replayable in this path.
- 说明提取的材料可被哪些场景接受:SMB、WinRM、服务票据使用、DPAPI解密、Schannel,或其他主机/服务边界。
- 记录SPN、目标主机、登录会话、票据标志、加密类型,以及产生的权限或令牌变更。
- 区分仅存在的材料和在此链路中实际可重放的材料。
3. Reduce To The Decisive Credential Chain
3. 提炼核心凭据链路
- Compress the result to the smallest sequence: host artifact -> extracted material -> accepted replay or unwrap -> resulting capability.
- State clearly whether the decisive edge lives in LSASS memory, ticket cache reuse, DPAPI context, or accepting service behavior.
- If the task broadens into full host-to-host pivoting, hand back to the tighter Windows pivot skill.
- 将结果压缩为最短序列:主机工件 -> 提取的材料 -> 被接受的重放或解密 -> 最终获得的能力。
- 明确说明核心边界属于LSASS内存、票据缓存复用、DPAPI上下文还是接受方服务行为。
- 如果任务扩展为完整的跨主机横向移动(pivot),请转回更匹配的Windows横向移动技能处理。
Read This Reference
参考资料
- Load for the session checklist, replay checklist, and evidence packaging.
references/lsass-ticket-material.md - If the task is specifically about DPAPI masterkeys, protected blobs, browser or vault stores, or proving which recovered DPAPI secret is accepted, prefer .
$competition-dpapi-credential-chain
- 加载查看会话检查清单、重放检查清单和证据打包规范。
references/lsass-ticket-material.md - 如果任务专门涉及DPAPI主密钥、受保护Blob、浏览器或保管库存储,或验证哪个恢复的DPAPI机密可被接受,请优先使用。
$competition-dpapi-credential-chain
What To Preserve
需要留存的内容
- LUIDs, session IDs, ticket types, SPNs, encryption types, package names, and cache or memory source
- The exact accepting host or service and the resulting privilege or logon effect
- One minimal host-artifact-to-replay sequence that proves the edge
- LUID、会话ID、票据类型、SPN、加密类型、包名称,以及缓存或内存来源
- 确切的接受方主机或服务,以及产生的权限或登录效果
- 一条能够证明边界的最短主机工件到重放的完整序列