
# jscalc

In the mysterious depths of the digital sea, a specialized JavaScript calculator has been crafted by tech-savvy squids. With multiple arms and complex problem-solving skills, these cephalopod engineers use it for everything from inkjet trajectory calculations to deep-sea math. Attempt to outsmart it at your own risk! 🦑

<figure><img src="/files/dnPtBGEwtJDrJjViWbgB" alt=""><figcaption></figcaption></figure>

If we analyze the request the browser makes to the backend, we see an endpoint called:

<figure><img src="/files/U5pnPurmNgBh0e9XaglY" alt=""><figcaption></figcaption></figure>

The backend returns the result to the frontend as a JSON object.

The HTTP header `X-Powered-By` tells us that we're talking to Node.js.

The global object `process` can be used to gain more information about the current Node.js process. Because it is global, there is no need to call `require()`. It provides many useful properties and methods for interacting with the system.

`process.cwd()`, for example, returns the current working directory of the Node.js process.

<figure><img src="/files/V6WoligEZeLZEVfJOTwE" alt=""><figcaption></figcaption></figure>

`readdir()`

Just like the `dir` command on MS Windows or the `ls` command on Linux, the `readdir` or `readdirSync` method of the `fs` module lists the contents of a directory. The difference between the two functions is that the latter is the synchronous version.

`.` points to the current directory; `..` points to the parent directory.

<figure><img src="/files/wAoJrg6RbX5sosLod5x2" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/xrWcrp0qluQoiCZ4A3C6" alt=""><figcaption></figcaption></figure>

`readFile()`

Once the file names are obtained, the attacker can use other methods to view the content of the files. The methods `readFile` and `readFileSync` read the entire content of a file. Again, the latter is the synchronous version; it only needs the path to the file as its argument.

Retrieve the flag:

<figure><img src="/files/gx87rTZIuMpzabqPge2f" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/DTKrSOQaJuRChnpXq7oL" alt=""><figcaption></figcaption></figure>
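The requests above succeed because the server evaluates the submitted string as JavaScript. The following is an added example, not the challenge's source (which this page does not show): it assumes the backend passes the formula to `eval()` and contrasts that with a parser that accepts arithmetic only. `evaluateUnsafe` and `evaluateSafe` are hypothetical names.

```javascript
// Assumed vulnerable pattern (the challenge source is not shown on the page):
// the submitted formula reaches eval() and runs with access to Node.js globals.
function evaluateUnsafe(formula) {
  return eval(formula);
}

// Hardened form: a recursive-descent parser that accepts only numbers, + - * /,
// unary minus and parentheses. Identifiers, dots, quotes and calls match no
// grammar rule, so they are rejected instead of executed.
function evaluateSafe(formula) {
  if (typeof formula !== 'string' || formula.length > 256) {
    throw new TypeError('formula must be a string of at most 256 characters');
  }
  const tokens = formula.match(/\d+(?:\.\d+)?|[-+*\/()]|\S/g) || [];
  let pos = 0;
  function primary() {
    const tok = tokens[pos++];
    if (tok === '-') return -primary();
    if (tok === '(') {
      const value = expression();
      if (tokens[pos++] !== ')') throw new SyntaxError('expected ")"');
      return value;
    }
    if (tok !== undefined && /^\d/.test(tok)) return Number(tok);
    throw new SyntaxError(`unexpected token: ${tok}`);
  }
  function term() {
    let value = primary();
    while (tokens[pos] === '*' || tokens[pos] === '/') {
      const op = tokens[pos++];
      const rhs = primary();
      value = op === '*' ? value * rhs : value / rhs;
    }
    return value;
  }
  function expression() {
    let value = term();
    while (tokens[pos] === '+' || tokens[pos] === '-') {
      const op = tokens[pos++];
      const rhs = term();
      value = op === '+' ? value + rhs : value - rhs;
    }
    return value;
  }

  const result = expression();
  if (pos !== tokens.length) throw new SyntaxError(`unexpected token: ${tokens[pos]}`);
  return result;
}
```

With the parser in place, `process.cwd()` fails at the first character with a `SyntaxError`, while ordinary formulas such as `100*10+3` still evaluate.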

