Lab 60 — CalcForge — RCE via Expression Evaluator Sandbox Escape

hackadvisor

Task: Node.js math expression evaluation API using math.js with unrestricted prototype chain access. Solution: Sandbox escape via constructor chain traversal (parse().constructor.constructor) to reach Function constructor and execute arbitrary code for file read.

rce file_read nodejs sandbox_escape prototype_chain mathjs expression_evaluator constructor_chain

function_constructor_rceconstructor_chain_traversalmathjs_sandbox_escapefile_read_via_require_fs

$ ls tags/ techniques/

rce file_read nodejs sandbox_escape prototype_chain mathjs expression_evaluator constructor_chain

function_constructor_rceconstructor_chain_traversalmathjs_sandbox_escapefile_read_via_require_fs

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 129 — ReqForge — RCE via VM Sandbox Escape— hackadvisor
[web][Pro]MetricForge— hackadvisor
[web][Pro]Lab 252 — BuildForge — RCE via npm Lifecycle Script Injection— hackadvisor
[web][Pro]Lab 316 — InsightForge — JWT Secret Leak to RCE via Command Injection— hackadvisor
[web][Pro]Lab 134 — DocForge — FreeMarker SSTI Sandbox Escape via ?api Built-in— hackadvisor