browser on Hackropole

Spidersaurus

Mon, 13 Apr 2026 00:00:00 +0000

After a few hiccups with the FORTH language, as well as the BASIC language, our developper has decided to get back to the roots of the multimedia Internet with the help of a JavaScript interpreter, SpiderMoney 1.3.

He assures us that no security vulnerability is exploitable, thanks to compilation flags; furthermore, he guarantees the code is safe from the Y2K bug.

However, an anonymous hacker has sent us an enigmatic file test.js which seems to trigger the read of uninitialized memory. Can you prove our developer wrong by reading the contents of the flag variable?

Spidersaurus Rex

Mon, 13 Apr 2026 00:00:00 +0000

Despite a memory access problem (see the Spidersaurus challenge), our developer insists on using this ancient version of SpiderMonkey.

He keeps assuring us there are no exploitable security flaws. However, an anonymous hacker sent us this mysterious message: “what happens if a function contains 65536 variables?”. Show our developer wrong by reading the contents of flag.txt.

After sending your JavaScript code, use shutdown(socket, SHUT_WR) to trigger its execution, and then read the potential response.
A JavaScript string can contain arbitrary binary content, for instance \u9090\u9090.
The memory allocation pattern will differ if the JavaScript code is provided as a file with the first argument, instead of using stdin.

Holy Cow

Mon, 15 Apr 2024 00:00:00 +0000

Our adventure began, as is often the case with this kind of project, with a chat over a drink. All more tipsy than the last, but with a common resolution: “Let’s make our own web browser!”.

Once half sobered up, we decided to start by choosing the right Javascript engine. The V8 engine is our first choice, as it has the advantage of being open source. Your task today is to check, using the git patch and the supplied executable, that everything is in order. To solve the challenge, we need to read the flag.txt file.