Spidersaurus Rex

pwn x86/x64 browser FCSC 2026

★★

Description

Despite a memory access problem (see the Spidersaurus challenge), our developer insists on using this ancient version of SpiderMonkey.

He keeps assuring us there are no exploitable security flaws. However, an anonymous hacker sent us this mysterious message: “what happens if a function contains 65536 variables?”. Prove our developer wrong by reading the contents of flag.txt.

  1. After sending your JavaScript code, use shutdown(socket, SHUT_WR) to trigger its execution, and then read the potential response.
  2. A JavaScript string can contain arbitrary binary content, for instance \u9090\u9090.
  3. The memory allocation pattern will differ if the JavaScript code is provided as a file passed as the first argument, instead of via stdin.

Author

cde

Challenge Instructions

  1. First, download docker-compose.yml:
    curl https://hackropole.fr/challenges/fcsc2026-pwn-spidersaurus-rex/docker-compose.public.yml -o docker-compose.yml
  2. Launch the challenge by executing in the same folder:
    docker compose up
  3. Then, in another console, access the challenge with Netcat:
    nc localhost 4000
⚠️ Important: You must solve the challenge by interacting with the Docker container through the exposed network port. Any other way is not considered valid.
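
A small client for the interaction described in hint 1 and the Netcat step above, given here as an added example that is not part of the original challenge page: it sends a script, half-closes the connection so the service sees end of input, then collects the reply. The function name run_script and the sample script (including the assumption that the shell exposes print) are illustrative.

```python
import socket


def run_script(host: str, port: int, source: str, timeout: float = 10.0) -> bytes:
    """Send JavaScript source, half-close the socket, return the full reply."""
    # Keep the payload pure ASCII so the bytes on the wire are exactly the
    # characters typed; binary content belongs in \uXXXX escapes (hint 2).
    # A non-ASCII character raises UnicodeEncodeError before anything is sent.
    payload = source.encode("ascii")

    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(payload)
        # Half-close: the service reads EOF on its input and starts executing,
        # while our receive direction stays open for the response (hint 1).
        sock.shutdown(socket.SHUT_WR)

        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:  # peer closed its side: response is complete
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    # Constructed sample script; assumes the shell provides print().
    reply = run_script("localhost", 4000, 'print("hello");\n')
    print(reply.decode(errors="replace"))
```
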

In case you encounter problems, please consult the FAQ.

Submit your solution

You can submit your writeup for this challenge. Read the FAQ to learn how to proceed.

Writeups

There are no public solutions for this challenge yet, but you can submit yours after getting the flag.