NoFlyFre/breachlab-writeups

GitHub: NoFlyFre/breachlab-writeups

BreachLab 网络安全演练平台三个赛道共 95 个关卡的通关 writeup 集合,系统记录了从枚举、后渗透到 Web 利用的全流程攻防训练笔记。

Stars: 0 | Forks: 0

# BreachLab Writeups [BreachLab](https://breachlab.org) wargame 的 writeup,这是我用来训练攻防技术的演练场。 ![Ghost Track](https://img.shields.io/badge/Ghost_Track-23%2F23-brightgreen) ![Phantom Track](https://img.shields.io/badge/Phantom_Track-18%2F31-yellow) ![Mirage Track](https://img.shields.io/badge/Mirage_Track-7%2F41-orange) ![Doctrine](https://img.shields.io/badge/doctrine-no%20spoilers-blueviolet) ## 这个 repo 是什么 这里收集了我已解决的 BreachLab 关卡的 writeup,分为三个 track:Ghost(枚举和 credential hunting 基础)、Phantom(post-exploitation 和操作 tradecraft)和 Mirage(侦察和 Web 应用程序利用)。 每个 writeup 都记录了在你的关卡实例上复现操作所需的思路、工具和步骤。 ## 结构 每个关卡都位于其独立的文件夹中,命名格式为 `/`,使用两位数字编号以保持正确的顺序。在公开的 repo 中,每个文件夹只包含一个文件: ``` ghost_track/ ghost00/ writeup.md <- unico file pubblico: metodo, nessuno spoiler phantom_track/ phantom00/ writeup.md mirage_track/ mirage00/ writeup.md ``` 原始笔记(`notes.md`、日志和完整的终端输出)以及包含真实值的完整版本(`writeup.uncensored.md`)都保存在本地,永远不会上传到网上:它们通过 `.gitignore` 排除。 ## 原则 BreachLab 对编写 writeup 的人有两个要求: 这里的每个 writeup 都遵守这两点:完整讲述 recon、漏洞和利用过程,但排除了任何能让人跳过思考过程的值。 ## Ghost Track — 已解决 23/23 Linux 和 shell 基础:熟悉终端、文件系统、进程、网络、编码和权限。 | # | 关卡 | 状态 | Writeup | |---|---------|:-----:|---------| | 0 | First Contact | ✅ | [writeup](ghost_track/ghost00/writeup.md) | | 1 | Name Game | ✅ | [writeup](ghost_track/ghost01/writeup.md) | | 2 | In The Shadows | ✅ | [writeup](ghost_track/ghost02/writeup.md) | | 3 | Access Denied | ✅ | [writeup](ghost_track/ghost03/writeup.md) | | 4 | Signal in the Noise | ✅ | [writeup](ghost_track/ghost04/writeup.md) | | 5 | The Listener | ✅ | [writeup](ghost_track/ghost05/writeup.md) | | 6 | Ghost in the Machine | ✅ | [writeup](ghost_track/ghost06/writeup.md) | | 7 | Lost in Translation | ✅ | [writeup](ghost_track/ghost07/writeup.md) | | 8 | Something's Running | ✅ | [writeup](ghost_track/ghost08/writeup.md) | | 9 | Core Dump | ✅ | [writeup](ghost_track/ghost09/writeup.md) | | 10 | Odd Token Out | ✅ | [writeup](ghost_track/ghost10/writeup.md) | | 11 | Unwrap the Stage | ✅ | [writeup](ghost_track/ghost11/writeup.md) | | 12 | Harvested Key | ✅ | [writeup](ghost_track/ghost12/writeup.md) | | 13 | Credential Broker | ✅ | [writeup](ghost_track/ghost13/writeup.md) | | 14 | TLS Only | ✅ | [writeup](ghost_track/ghost14/writeup.md) | | 15 | Ephemeral Port | ✅ | [writeup](ghost_track/ghost15/writeup.md) | | 16 | Config Drift | ✅ | [writeup](ghost_track/ghost16/writeup.md) | | 17 | No Shell For You | ✅ | [writeup](ghost_track/ghost17/writeup.md) | | 18 | Wrong User | ✅ | [writeup](ghost_track/ghost18/writeup.md) | | 19 | Your First Script | ✅ | [writeup](ghost_track/ghost19/writeup.md) | | 20 | Cron Discovery | ✅ | [writeup](ghost_track/ghost20/writeup.md) | | 21 | Secrets in History | ✅ | [writeup](ghost_track/ghost21/writeup.md) | | 22 | Graduation (classified) | ✅ | [writeup](ghost_track/ghost22/writeup.md) | ## Phantom Track — 已解决 18/31 从头到尾的 post-exploitation:privesc、收集和持久化、横向移动、容器和云、操作。
展开表格 | # | 关卡 | 状态 | Writeup | |---|---------|:-----:|---------| | 0 | Recon Gateway | ✅ | [writeup](phantom_track/phantom00/writeup.md) | | 1 | SUID Hunter | ✅ | [writeup](phantom_track/phantom01/writeup.md) | | 2 | Sudo Games | ✅ | [writeup](phantom_track/phantom02/writeup.md) | | 3 | Inheritance | ✅ | [writeup](phantom_track/phantom03/writeup.md) | | 4 | Misplaced Power | ✅ | [writeup](phantom_track/phantom04/writeup.md) | | 5 | File Authority | ✅ | [writeup](phantom_track/phantom05/writeup.md) | | 6 | Scheduled Sins | ✅ | [writeup](phantom_track/phantom06/writeup.md) | | 7 | Local Authority | ✅ | [writeup](phantom_track/phantom07/writeup.md) | | 8 | Live Injection | ✅ | [writeup](phantom_track/phantom08/writeup.md) | | 9 | Stack Day(可选 · ephemeral) | ✅ | [writeup](phantom_track/phantom09/writeup.md) | | 10 | The Harvest | ✅ | [writeup](phantom_track/phantom10/writeup.md) | | 11 | Token Hunter | ✅ | [writeup](phantom_track/phantom11/writeup.md) | | 12 | Ghost Install | ✅ | [writeup](phantom_track/phantom12/writeup.md) | | 13 | Deep Roots | ✅ | [writeup](phantom_track/phantom13/writeup.md) | | 14 | Shadow Mode | ✅ | [writeup](phantom_track/phantom14/writeup.md) | | 15 | Clean Slate | ✅ | [writeup](phantom_track/phantom15/writeup.md) | | 16 | The Tunnel | ✅ | [writeup](phantom_track/phantom16/writeup.md) | | 17 | Internal Hunt | ✅ | [writeup](phantom_track/phantom17/writeup.md) | | 18 | Credential Spray | 🔍 尚未解决 | [writeup](phantom_track/phantom18/writeup.md) | | 19 | Chain Reaction | 🔍 尚未解决 | [writeup](phantom_track/phantom19/writeup.md) | | 20 | Am I Contained? | 🔍 尚未解决 | [writeup](phantom_track/phantom20/writeup.md) | | 21 | The Breakout | 🔍 尚未解决 | [writeup](phantom_track/phantom21/writeup.md) | | 22 | Leaky Vessels | 🔍 尚未解决 | [writeup](phantom_track/phantom22/writeup.md) | | 23 | Docker API | 🔍 尚未解决 | [writeup](phantom_track/phantom23/writeup.md) | | 24 | Pod Games | 🔍 尚未解决 | [writeup](phantom_track/phantom24/writeup.md) | | 25 | Cluster Takeover | 🔍 尚未解决 | [writeup](phantom_track/phantom25/writeup.md) | | 26 | Cloud Reach | 🔍 尚未解决 | [writeup](phantom_track/phantom26/writeup.md) | | 27 | Toolsmith | 🔍 尚未解决 | [writeup](phantom_track/phantom27/writeup.md) | | 28 | The Heist | 🔍 尚未解决 | [writeup](phantom_track/phantom28/writeup.md) | | 29 | Wire Tap | 🔍 尚未解决 | [writeup](phantom_track/phantom29/writeup.md) | | 30 | Clean Exit | 🔍 尚未解决 | [writeup](phantom_track/phantom30/writeup.md) |
## Mirage Track — 已解决 7/41 Web 应用程序利用,从客户端 recon 到针对 AI 和 LLM 的攻击。 | # | 关卡 | 状态 | Writeup | |---|---------|:-----:|---------| | 0 | Nothing Is Secret | ✅ | [writeup](mirage_track/mirage00/writeup.md) | | 1 | The Wire | ✅ | [writeup](mirage_track/mirage01/writeup.md) | | 2 | Peel the Encoding | ✅ | [writeup](mirage_track/mirage02/writeup.md) | | 3 | Source Maps Talk | ✅ | [writeup](mirage_track/mirage03/writeup.md) | | 4 | Left in the Open | ✅ | [writeup](mirage_track/mirage04/writeup.md) | | 5 | Trust the Client | ✅ | [writeup](mirage_track/mirage05/writeup.md) | | 6 | Other People's Objects | ✅ | [writeup](mirage_track/mirage06/writeup.md) | 该 track 一直持续到第 40 关。文件夹已经存在;随着我解决关卡,我会逐步添加 writeup。目前正在处理的是第 7 关、第 8 关(Keys in the Bundle)、第 9 关(Over-Posting)和第 10 关,最后一关仍然开放。 ## 致谢 该实验室是 [BreachLab](https://breachlab.org)。如果这些 writeup 帮助你构建了能为你带来收益的东西,请考虑捐赠:[breachlab.org/donate](https://breachlab.org/donate)。 如果你在某个关卡卡住了,请前往 Discord 上对应 track 的求助帖子中提问。
标签:CISA项目, OPA, StruQ, Web安全, Web报告查看器, 协议分析, 子域名突变, 数据展示, 权限提升, 红队, 网络安全, 蓝队分析, 请求拦截, 防御加固, 隐私保护, 靶场