competition-mailbox-abuse


Competition Mailbox Abuse


Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.

Use this skill when the decisive path runs through mailbox behavior, consent flow, or message-routing effects rather than generic AD evidence alone.

Reply in Simplified Chinese unless the user explicitly requests English.

Quick Start


  1. Decide whether the active path is phishing-to-consent, token-to-mailbox, rule-based persistence, or transport-level mail rerouting.
  2. Keep mailbox evidence, identity evidence, and message-trace evidence tied to the same user, mailbox, token, or message ID.
  3. Separate possession of a token or delegate edge from the actual mailbox effect it enables.
  4. Record forwarding targets, rule predicates, consent scopes, shared mailbox edges, and resulting mail flow in compact blocks.
  5. Reproduce the smallest mail effect that proves persistence, exfiltration, or privilege.

Workflow


1. Map The Mail Trust Path


  • Identify the principal, mailbox, token or session, consent grant, delegate edge, shared mailbox relationship, or app registration involved.
  • Record consent scopes, mailbox permissions, rule ownership, transport actions, and message-trace identifiers.
  • Distinguish client-visible symptoms from server-side mailbox or transport state.

2. Prove The Mailbox Effect


  • Correlate consent logs, sign-ins, message traces, inbox rules, transport rules, forwarding settings, and mailbox audit events.
  • Show which rule or token produces which concrete effect: silent forwarding, marking read, deletion, delegate access, or message rerouting.
  • Keep message IDs, sender or recipient pairs, and timestamps aligned across logs.
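The correlation described in this step, as an added example that is not part of the original skill: it ties a consent grant, an inbox rule, and message-trace lines to the same mailbox and message ID, and lists forwards that no rule explains. The record layout and field names (`created_via`, `forward_to`, `event`) are assumptions made for illustration, and all sample records are constructed.

```python
from datetime import datetime

# Constructed sample records; the field names are hypothetical, not a real log schema.
CONSENTS = [{"ts": "2024-05-01T09:02:00", "user": "alice@corp.example",
             "app": "app-1111", "scopes": ["Mail.ReadWrite", "offline_access"]}]
RULES = [{"ts": "2024-05-01T09:10:00", "mailbox": "alice@corp.example", "rule": "r-7",
          "created_via": "app-1111", "predicate": "subject contains 'invoice'",
          "forward_to": "drop@ext.example"}]
TRACES = [
    {"ts": "2024-05-01T10:00:00", "message_id": "<m1@corp.example>", "event": "DELIVER",
     "sender": "bob@corp.example", "recipient": "alice@corp.example"},
    {"ts": "2024-05-01T10:00:02", "message_id": "<m1@corp.example>", "event": "FORWARD",
     "sender": "alice@corp.example", "recipient": "drop@ext.example"},
    {"ts": "2024-05-01T11:00:00", "message_id": "<m2@corp.example>", "event": "FORWARD",
     "sender": "carol@corp.example", "recipient": "other@ext.example"},
]

def _t(stamp):
    return datetime.fromisoformat(stamp)

def build_chains(consents, rules, traces):
    """Link grant -> rule -> forwarded message; return (chains, unexplained IDs)."""
    delivered = {(t["message_id"], t["recipient"]): t
                 for t in traces if t["event"] == "DELIVER"}
    chains, unexplained = [], []
    for fwd in (t for t in traces if t["event"] == "FORWARD"):
        mailbox = fwd["sender"]
        inbound = delivered.get((fwd["message_id"], mailbox))
        # A rule explains the forward only if it targets the same address
        # on the same mailbox and already existed when the message moved.
        rule = next((r for r in rules if r["mailbox"] == mailbox
                     and r["forward_to"] == fwd["recipient"]
                     and _t(r["ts"]) <= _t(fwd["ts"])), None)
        if inbound is None or rule is None:
            unexplained.append(fwd["message_id"])
            continue
        # The grant must belong to the same user and app and precede the rule.
        grant = next((c for c in consents if c["user"] == mailbox
                      and c["app"] == rule["created_via"]
                      and _t(c["ts"]) <= _t(rule["ts"])), None)
        chains.append({
            "message_id": fwd["message_id"], "mailbox": mailbox,
            "grant": grant and (grant["app"], grant["scopes"]),
            "rule": (rule["rule"], rule["predicate"], rule["forward_to"]),
            "effect": f'{inbound["sender"]} -> {mailbox} -> {fwd["recipient"]}',
            "persistence": "consent + inbox rule" if grant else "inbox rule",
        })
    return chains, unexplained
```

Each returned chain is one compact evidence block; message IDs in the second return value are forwards whose cause still has to be found in transport rules or mailbox forwarding settings.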

3. Reduce To The Decisive Abuse Chain


  • Compress the path to the smallest sequence: lure or grant -> token or delegate edge -> mailbox or transport mutation -> resulting mail effect.
  • State clearly whether persistence lives in consent, mailbox rules, transport config, or shared mailbox permissions.
  • If the task broadens into host pivots or Kerberos acceptance, switch back to the broader identity skill.

Read This Reference


  • Load references/mailbox-abuse.md for the consent checklist, rule checklist, and evidence packaging.

What To Preserve


  • Consent scopes, token claims, mailbox permissions, rule definitions, forwarding targets, and message IDs
  • Message-trace lines, audit events, and mailbox effects tied to the same mail path
  • The smallest replayable sequence that proves persistence, exfiltration, or delegate access