Tags: javascript browser unintended pwn debug 

An unintended solution: the challenge binary `jsc` was built as a debug binary, and the only modification was in the provided `ArrayPrototype.cpp` file.

So the executable contains all of the debug functions available here, including `readFile`: https://github.com/WebKit/webkit/blob/master/Source/JavaScriptCore/jsc.cpp#L517

Very conveniently, `readFile` can thus be called from the JS shell to read the flag.

![readFile('flag')](https://i.imgur.com/L9rrCOn.png)
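For challenge authors, a pre-deployment check for this kind of leftover helper, as an added example that is not part of the original write-up or of WebKit. Only `readFile` is taken from the write-up; the other names in `HOST_BUILTINS` and the sample global object are assumptions constructed for illustration.

```javascript
// Added example. `readFile` comes from the write-up; the other names are
// assumed examples of host-access helpers a JS shell may expose.
const HOST_BUILTINS = ["readFile", "read", "load", "run"];

// Find each listed name on the global object or anywhere on its prototype chain.
function auditGlobals(globalObj, names = HOST_BUILTINS) {
  const findings = [];
  for (const name of names) {
    for (let holder = globalObj; holder != null; holder = Object.getPrototypeOf(holder)) {
      const desc = Object.getOwnPropertyDescriptor(holder, name);
      if (!desc) continue;
      findings.push({ name, holder, removable: desc.configurable === true });
      break;
    }
  }
  return findings;
}

// Delete what can be deleted; return the names that are still reachable.
function lockDown(globalObj, names = HOST_BUILTINS) {
  for (const { name, holder } of auditGlobals(globalObj, names)) {
    Reflect.deleteProperty(holder, name); // returns false if non-configurable
  }
  return auditGlobals(globalObj, names).map((f) => f.name);
}

// Constructed stand-in for a shell global (not the real jsc global object).
function makeSampleGlobal() {
  const proto = { load() {} };              // helper installed on the prototype
  const g = Object.create(proto);
  g.print = () => {};                       // harmless, not on the list
  g.readFile = () => "constructed file contents";
  Object.defineProperty(g, "read", { value: () => "", configurable: false });
  return g;
}

const sample = makeSampleGlobal();
const before = auditGlobals(sample).map((f) => f.name);
const after = lockDown(sample);
console.log("exposed before:", before, "still exposed after:", after);
```

Any name `lockDown` still returns cannot be removed from script and has to be dealt with in the build itself.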