Tags: javascript browser unintended pwn debug

An unintended solution: The challenge binary jsc was built as a debug binary, where the only modification was in the provided ArrayPrototype.cpp file.

So the executable contains all of the debug functions available here, including readFile: https://github.com/WebKit/webkit/blob/master/Source/JavaScriptCore/jsc.cpp#L517

Very conveniently, readFile can thus be called from the JS shell to read the flag.
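
A pre-release check for the mistake described above, as an added example that is not part of the original writeup or the challenge: it lists which file-access host functions a shell's global object still exposes. The names other than readFile (`read`, `load`, `run`) and the mock global object are assumptions made for illustration.

```javascript
// Added example: audit which shell-only host functions a JS shell exposes.
// The name list is an assumption: file/script-loading helpers a debug shell
// may register on its global object (readFile is the one named in the text).
const FILE_ACCESS_BUILTINS = ["readFile", "read", "load", "run"];

// Walk the object and its prototype chain so helpers installed on a
// prototype of the global object are found too.
function findExposedBuiltins(globalObject, names = FILE_ACCESS_BUILTINS) {
  const exposed = [];
  for (const name of names) {
    let owner = globalObject;
    while (owner !== null && owner !== undefined) {
      const desc = Object.getOwnPropertyDescriptor(owner, name);
      if (desc) {
        // Accessors are reported without being invoked.
        const kind = "value" in desc ? typeof desc.value : "accessor";
        if (kind === "function" || kind === "accessor") {
          exposed.push({ name, kind, configurable: desc.configurable });
        }
        break; // nearest definition shadows anything further up the chain
      }
      owner = Object.getPrototypeOf(owner);
    }
  }
  return exposed;
}

// Sorted list of flagged names, suitable for failing a build when non-empty.
function auditReport(globalObject) {
  return findExposedBuiltins(globalObject).map((e) => e.name).sort();
}

// Constructed stand-in for a challenge shell's global object (not real jsc).
const mockShellGlobal = Object.create({ load() {} });
mockShellGlobal.readFile = function readFile(path) { return ""; };
mockShellGlobal.print = function print() {};
mockShellGlobal.run = 42; // same name but not callable: must not be flagged

// In the shipped shell, pass globalThis instead of the mock.
console.log(auditReport(mockShellGlobal));
```

Run inside the binary that will be shipped, an empty result from `auditReport(globalThis)` is the condition to require before players get access to the shell.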