https://nodejs.org/docs/latest-v26.x/api/vm.html#vm-executing-javascript
The node:vm module is not a security mechanism. Do not use it to run untrusted code.
I do not believe so
Beginner Hint 1: Challenge Overview (AI-translated)
- If you read the distributed jail.js, you can see that the JavaScript code you input is executed with runInNewContext from node:vm.
- Roughly speaking, runInNewContext is used as runInNewContext(code, contextObject, options). The first argument is the code to execute, the second argument is the global object visible from that code, and the third argument is the runtime options.
- In this challenge, runInNewContext(code.toString(), {}, { timeout: 1000 }) is executed. In other words, your input code is executed in a new context, and an empty {} is passed as the global object. timeout: 1000 is a setting to stop execution that runs for too long.
- The flag is stored in the environment variable FLAG, and in normal Node.js code, you can obtain it with process.env.FLAG. However, in this challenge, the {} passed as the second argument to runInNewContext does not contain process, so it fails with ReferenceError: process is not defined.
- So how can you obtain FLAG?
Beginner Hint 2: Approach (AI-translated)
- At first glance, it looks like you cannot access objects such as process, but that is not actually the case.
- In JavaScript, when reading an object's property, if the property does not exist on the object itself, properties on the prototype chain are also searched.
- In the vm context, focus especially on the constructor property among the properties visible from globalThis, and try investigating it.
Beginner Hint 3: A More Detailed Approach (AI-translated)
- globalThis.constructor.constructor becomes the Function constructor, which can create functions from strings.
- In which context is a function created with this evaluated?
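The prototype-chain lookup from Hints 2 and 3 can be audited from the host side before a context object is ever handed to node:vm. This is an added example, not part of the challenge's jail.js: it reports which paths out of a context object resolve to the host realm's Function constructor, and goes slightly beyond the hints by also checking each own property. The names leaksHostFunction and auditContext and the sample context objects are constructed for illustration.

```javascript
const vm = require('node:vm');

// Evaluate `expr` in a context built from `contextObject` and report whether
// the result is identical to the HOST realm's Function constructor.
function leaksHostFunction(contextObject, expr) {
  try {
    return vm.runInNewContext(expr, contextObject, { timeout: 1000 }) === Function;
  } catch {
    return false; // lookup threw inside the context: no leak on this path
  }
}

// Audit a candidate context object. Returns the names of every path
// (the global itself, then each own property) that reaches host Function.
function auditContext(contextObject) {
  const findings = [];
  if (leaksHostFunction(contextObject, 'this.constructor.constructor')) {
    findings.push('globalThis');
  }
  for (const key of Object.keys(contextObject)) {
    const expr = `this[${JSON.stringify(key)}].constructor.constructor`;
    if (leaksHostFunction(contextObject, expr)) findings.push(key);
  }
  return findings;
}

// Constructed sample contexts.
// 1. The challenge's shape: a plain {} inherits from the host Object.prototype.
const plain = {};
// 2. No prototype: `constructor` is no longer found on the context object.
const bare = Object.create(null);
// 3. No prototype, but a host-created object is passed in as a property.
const withHelper = Object.assign(Object.create(null), { helper: {}, limit: 1 });

console.log('plain      ->', auditContext(plain));
console.log('bare       ->', auditContext(bare));
console.log('withHelper ->', auditContext(withHelper));
```

An empty findings list only means these specific paths are closed; as the Node.js documentation quoted at the top states, node:vm is still not a security mechanism, so untrusted code belongs in a separate process or a stronger isolation boundary.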