webPromedium
Lab 60 — CalcForge — RCE via Expression Evaluator Sandbox Escape
hackadvisor
Task: Node.js math expression evaluation API using math.js with unrestricted prototype chain access. Solution: Sandbox escape via constructor chain traversal (parse().constructor.constructor) to reach Function constructor and execute arbitrary code for file read.
$ ls tags/ techniques/
function_constructor_rceconstructor_chain_traversalmathjs_sandbox_escapefile_read_via_require_fs
🔒
Permission denied (requires tier.pro)
Sign in to access full writeups
Sign in with GitHub to continue. No email required.
$sign in$ grep --similar
Similar writeups
- [web][Pro]MetricForge— hackadvisor
- [web][Pro]Lab 134 — DocForge — FreeMarker SSTI Sandbox Escape via ?api Built-in— hackadvisor
- [web][Pro]Lab 116 — InsightForge — IDOR via Undocumented Internal API— hackadvisor
- [web][Pro]Lab 300 — PlanForge — Broken Authentication via Hidden Trial Activation— hackadvisor
- [web][Pro]Lab 320 — BuildForge — Path Traversal to RCE via CLI @File Expansion— hackadvisor