一键导入
wss-terminal
Use when extracting WSS terminal connection parameters (URL, cookie, protocol type) from browser pages for wss_connect tool usage
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
菜单
Use when extracting WSS terminal connection parameters (URL, cookie, protocol type) from browser pages for wss_connect tool usage
用 Codex 或 Claude 帮你安装 复制这段 Prompt,粘贴到 Codex、Claude 或其他助手里,让它检查 Skill 页面并帮你完成安装。
基于 SOC 职业分类
Use when facing AI security challenges involving prompt injection, LLM jailbreaks, or AI agent exploitation
Use when facing binary exploitation (PWN) or reverse engineering challenges involving memory corruption, ROP chains, shellcode, binary analysis, decompilation, unpacking, or dynamic tracing
Use when facing cryptography challenges involving cipher analysis, key recovery, mathematical attacks, or protocol weaknesses
Use when transferring files between remote environments and local Docker containers via litterbox.catbox.moe relay or base64 chunked fallback
Use when facing digital forensics or misc challenges involving disk images, memory dumps, network captures, steganography, file format analysis, encoding puzzles, sandbox escapes, or archive manipulation
Use when conducting penetration testing, post-exploitation, lateral movement, domain attacks, cloud exploitation (AWS/GCP/Azure), container escape, or Kubernetes cluster attacks
| name | wss-terminal |
| description | Use when extracting WSS terminal connection parameters (URL, cookie, protocol type) from browser pages for wss_connect tool usage |
当页面包含 Web 终端(xterm.js 等)时,按以下步骤提取 WSS 直连参数。
navigate_page 打开目标页面take_snapshot 确认页面存在终端元素(.xterm、.terminal、Terminal input 等)将以下 JS 复制到 evaluate_script 中执行:
() => {
const scripts = Array.from(document.querySelectorAll('script:not([src])'));
let wsScript = null;
for (const s of scripts) {
const t = s.textContent;
if (t.match(/WebSocket|ws:\/\/|wss:\/\/|onData|sendInput/)) {
wsScript = t;
break;
}
}
let wsUrl = null;
if (wsScript) {
const urlMatch = wsScript.match(/["'\x60](wss?:\/\/[^"'\x60]+)["'\x60]/);
if (urlMatch) wsUrl = urlMatch[1];
if (!wsUrl && wsScript.includes('location.host')) {
const pathMatch = wsScript.match(/["'\x60](\/ws\/[^"'\x60]*)["'\x60]/);
if (pathMatch) wsUrl = 'wss://' + location.host + pathMatch[1];
}
}
return {
wsUrl,
hasSendInput: wsScript?.includes('sendInput') || false,
hasBinaryPrefix: wsScript?.includes('CLIENT_CMD') || false,
hasGottyPrefix: wsScript?.match(/['"]1['"].*send/) !== null,
hasXterm: !!document.querySelector('.xterm'),
scriptLength: wsScript?.length || 0
};
}
根据 Step 1 返回值映射:
| 特征 | 协议 |
|---|---|
hasSendInput=true 或 hasBinaryPrefix=true | ttyd |
hasGottyPrefix=true | gotty |
URL 包含 /wetty | wetty |
URL 包含 /api/v1/ + exec | k8s |
| 以上都不匹配 | generic |
evaluate_script(() => document.cookie)list_network_requests 获取同域请求列表get_network_request(reqid=<id>)Cookie 字段值Authorization header(Bearer token 等),用 extra_headers 传递从目标 URL 提取 Origin(scheme://host[:port]):
wss://example.com/ws/shell → origin = "https://example.com"
ws://10.0.0.1:8080/ws → origin = "http://10.0.0.1:8080"
规则:wss 对应 https,ws 对应 http。
wss_connect(
url=<Step1的wsUrl>,
cookie=<Step3a的cookie>,
protocol=<Step2的协议>,
origin=<Step3b的origin>,
extra_headers=<如有Authorization等额外header>,
subprotocols=<如服务器要求特定subprotocol,如["tty"]>
)
如果返回 4001 UNAUTHORIZED 或类似认证失败:
subprotocols(部分 ttyd 服务器要求 ["tty"])window.__wt 方式(参见 additionalContext 中的初始化脚本)如果 Step 1 的探测脚本未找到 WebSocket 代码(高度混淆/打包的 JS),则:
evaluate_script 获取所有 <script src> 的 URLWebFetch 下载 JS bundleWebSocket、ws://、wss:// 关键词