competition-relay-coercion-chain


Competition Relay Coercion Chain


Use this skill only as a downstream specialization after $ctf-sandbox-orchestrator is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to $ctf-sandbox-orchestrator first.
Use this skill when the hard part is proving the full chain from forced authentication to a service that actually accepts the relayed identity.
Reply in Simplified Chinese unless the user explicitly requests English.

Quick Start


  1. Split the chain into coercion source, captured auth, relay target, acceptance point, and resulting effect.
  2. Record transport, protocol, and service identity at each hop.
  3. Separate forced-auth generation from relay success and from downstream privilege.
  4. Keep coercion trigger, relay transcript, and accepting service in one evidence chain.
  5. Reproduce the smallest coercion-to-acceptance path that proves the decisive edge.

Workflow


1. Map The Coercion Source


  • Identify the service, RPC, file path, printer path, WebDAV edge, or protocol trigger that forces authentication.
  • Record source host, coerced principal, transport, and any environmental preconditions.
  • Keep one compact note of exactly what causes the auth to leave the source.

2. Trace The Relay Target


  • Record where the authentication lands, how it is forwarded, and which protocol or service consumes it.
  • Distinguish capture-only, replay-only, and actual relay acceptance.
  • Keep service name, target host, protocol, relay transcript, and acceptance response tied together.

3. Reduce To The Decisive Relay Chain


  • Compress the result to the smallest sequence: coercion trigger -> relayed auth -> accepted service -> resulting privilege or artifact.
  • State clearly whether the decisive weakness lives in the coercion source, the relay target, signing settings, or the accepted downstream service.
  • If the path ultimately becomes a certificate-enrollment issue or a pure Kerberos delegation edge, hand off to the tighter specialized skill.

Read This Reference


  • Load references/relay-coercion-chain.md for the coercion checklist, relay checklist, and evidence packaging.

What To Preserve


  • Coercion trigger details, source host, coerced identity, target host, accepting service, and resulting effect
  • Relay transcripts, error or acceptance responses, and the exact protocol used at each hop
  • The smallest replayable coercion-to-acceptance sequence
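
One way to keep the hops in a single evidence chain and report how far the chain is actually proven, written here as an added example (it is not part of this skill or its reference file). The stage names come from the Quick Start split; the field names, verdict labels, hostnames and file names are assumptions made for illustration.

```python
from dataclasses import dataclass

# Stage names follow the Quick Start split; field and verdict names are hypothetical.
STAGES = ("coercion_source", "captured_auth", "relay_target",
          "acceptance_point", "resulting_effect")
REQUIRED = ("host", "transport", "protocol", "service_identity", "evidence")
VERDICTS = {None: "nothing-proven", "coercion_source": "forced-auth-only",
            "captured_auth": "capture-only",
            "relay_target": "forwarded-not-accepted",
            "acceptance_point": "relay-accepted",
            "resulting_effect": "relay-accepted-with-effect"}

@dataclass
class Hop:
    stage: str
    host: str = ""
    transport: str = ""
    protocol: str = ""
    service_identity: str = ""
    evidence: str = ""      # pointer to the transcript, capture or log for this hop
    observed: bool = False  # True only when that evidence shows the stage happened

def review_chain(hops):
    """Return (verdict, gaps) for one chain, walking the stages in order."""
    by_stage = {h.stage: h for h in hops}
    proven, gaps, broken = None, [], False
    for stage in STAGES:
        hop = by_stage.get(stage)
        if hop is None or not hop.observed:
            broken = True  # anything later no longer connects back to the trigger
        elif broken:
            gaps.append((stage, ["claimed without a proven earlier stage"]))
        else:
            proven = stage
            missing = [f for f in REQUIRED if not getattr(hop, f)]
            if missing:
                gaps.append((stage, missing))
    return VERDICTS[proven], gaps

# Constructed sample chain (lab hostnames and file names are made up).
SAMPLE = [
    Hop("coercion_source", "ws01.lab.example", "smb", "ntlm", "LAB\\WS01$", "trigger.log", True),
    Hop("captured_auth", "relay.lab.example", "smb", "ntlm", "LAB\\WS01$", "capture.pcap", True),
    Hop("relay_target", "web01.lab.example", "http", "ntlm", "HTTP/web01", "", True),
    Hop("acceptance_point", "web01.lab.example", "http", "ntlm", "HTTP/web01", "", False),
    Hop("resulting_effect", "web01.lab.example", "http", "ntlm", "HTTP/web01", "notes.txt", True),
]

if __name__ == "__main__":
    print(review_chain(SAMPLE))
```

On the sample, the downstream effect is claimed but no acceptance response was recorded, so the chain is reported as proven only up to the relay target and the effect is listed as a gap.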