This exercise details the exploitation of CVE-2019-5418 to get code execution

1-2 Hrs.
Green Badge


The course begins by emphasizing the need to solve foundational exercises like `ruby_ugadget` and `CVE-2019-5420` to understand the full scope of the challenge. It explains how an attacker can manipulate the `Accept` header to read critical files such as `config/master.key` and `config/credentials.yml.enc`, and then use these files to decrypt session data and ultimately gain code execution. The vulnerability arises because Rails trusts the `Accept` header and concatenates it to a string used as a Glob, allowing directory traversal attacks.

The course also covers the intricacies of Rails' caching mechanisms and how they can impact an attack, noting that caching has been disabled for this exercise to simplify exploitation. It provides detailed steps on decrypting session data and forging a payload using `Marshal` to achieve code execution. The course concludes by highlighting the importance of understanding session serialization and the potential risks of running applications in development mode on the internet.

Want to learn more? Get started with PentesterLab Pro! GO PRO