reverse hard
Bring Your Own Program (BYOP)
uoftctf2026
Task: A custom JavaScript VM/emulator with an inline cache optimization, an object shape system, and a security allowlist that blocks access to key 0 (the file read function).
Solution: Exploited an inline cache poisoning bug in which a dictionary-mode transition reorders slots without bumping the cache version (because of a missing hit flag on parent objects), causing a cached lookup to return the restricted F0 function instead of F1.
$ ls tags/ techniques/
inline_cache_poisoning shape_transition_abuse cache_invalidation_bypass