Tags: v8 pwn kitctfctf exploitation chrome

The challenge is archived here: https://2022.ctf.kitctf.de/challenges#Date-2

Solution TL;DR:

  • The challenge binary ships with the memory corruption API enabled and the V8 sandbox turned on
  • This gives arbitrary read/write inside the V8 heap (but not outside the sandbox)
  • JS_FUNCTION objects for builtins (e.g. Math.min, console.log, ...) still contain full raw pointers (not sandboxed yet) into the executable region of the d8 binary
  • ROP + JOP using gadgets from the d8 executable region, reached by overwriting Math.min->code->code_entry_point

For a proper explanation, please refer to the full writeup: https://ju256.de/posts/kitctfctf22-date/

Original writeup (https://ju256.de/posts/kitctfctf22-date/).