competition-windows-pivot

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Chinese

Use this skill only as a downstream specialization after

$ctf-sandbox-orchestrator

is already active and has established sandbox assumptions, node ownership, and evidence priorities. If that has not happened yet, return to

$ctf-sandbox-orchestrator

first.

Use this skill when the challenge path is dominated by host-to-host movement, replayable ticket material, or Windows privilege edges.

Reply in Simplified Chinese unless the user explicitly requests English.

本技能仅可在

$ctf-sandbox-orchestrator

已激活，且已完成沙箱假设、节点所有权、证据优先级确认后，作为下游专项技能使用。如果尚未完成上述步骤，请先返回

$ctf-sandbox-orchestrator

流程。

当竞赛题目的解题路径以主机间移动、可重放票据材料或Windows权限边界为核心时使用本技能。

除非用户明确要求使用英文回复，否则请使用简体中文回复。

Compress the pivot into a concrete chain: foothold -> recovered artifact -> replay path -> pivot host -> resulting capability.
Separate stored credential material from usable privilege.
Keep host evidence, ticket evidence, and privilege effect on one timeline.
Record the exact accepting service or host for every replayed artifact.
Reproduce the smallest pivot that still proves the privilege edge.

Inspect SAM, SECURITY, SYSTEM, NTDS, DPAPI, LSA secrets, browser stores, PowerShell history, ETW, Sysmon, and event logs in the active path.
Distinguish password, hash, ticket, cookie, vault blob, or gMSA material by where it can actually be used.

检查当前路径中的SAM、SECURITY、SYSTEM、NTDS、DPAPI、LSA机密、浏览器存储、PowerShell历史记录、ETW、Sysmon以及事件日志。
根据密码、哈希、票据、Cookie、保管库blob、gMSA材料的实际可用场景进行区分。

Map the protocol actually used: WinRM, SMB, RDP, WMI, admin shares, remote registry, or service control.
When Kerberos matters, record SPN, delegation, PAC or group data, encryption type, and the accepting service.
When AD edges matter, inspect ACLs, GPO links, SIDHistory, delegation, certificate templates, and replication rights.

Keep the pivot path concrete and replayable.
State what artifact crossed which boundary and what capability appeared on the destination host.

Load
```
references/windows-pivot.md
```
for the pivot checklist, Kerberos evidence block, and common replay mistakes.
If the task is specifically about DPAPI masterkeys, browser or vault stores, protected blobs, or proving where a recovered DPAPI secret is accepted, prefer
```
$competition-dpapi-credential-chain
```
.
If the task is specifically about LSASS memory, ticket caches, replayable session material, or host-resident credential extraction, prefer
```
$competition-lsass-ticket-material
```
.
If the task is specifically about delegation edges, SPN trust, S4U flow, or which service accepts the delegated ticket, prefer
```
$competition-kerberos-delegation
```
.
If the hard part is forced authentication, coercion primitives, relay targets, or the service that accepts relayed auth, prefer
```
$competition-relay-coercion-chain
```
.

加载
```
references/windows-pivot.md
```
查看横向移动检查清单、Kerberos证据块以及常见的重放错误。
如果任务专门针对DPAPI主密钥、浏览器或保管库存储、受保护blob，或证明恢复的DPAPI机密可在哪里被接受，请优先使用
```
$competition-dpapi-credential-chain
```
。
如果任务专门针对LSASS内存、票据缓存、可重放会话材料或主机驻留凭证提取，请优先使用
```
$competition-lsass-ticket-material
```
。
如果任务专门针对委派边界、SPN信任、S4U流，或哪个服务接受委派票据，请优先使用
```
$competition-kerberos-delegation
```
。
如果难点在于强制认证、胁迫原语、中继目标或接受中继认证的服务，请优先使用
```
$competition-relay-coercion-chain
```
。