Ox Remote Code Execution II

This exercise covers how you can gain code execution when an application is using Ox to deserialize data and is running on Ruby 2.7

PRO
Tier
Hard
2-4 Hrs.
25
Brown Badge

This lab focuses on exploiting Ruby deserialization vulnerabilities by porting a new payload, compatible with recent Ruby versions, to the Optimized XML (Ox) serialization library. The original payload used for code execution via Marshal.load(...) no longer works with Ruby 2.7.x, but William Bowling's new payload provides a solution. You will use this payload to gain code execution in the context of Ox, addressing the challenge of Ox not supporting modules like Kernel.

The exploitation process involves crafting a series of gadgets that ultimately invoke the Kernel.system(...) method. However, since Ox does not support modules, you need to find alternative methods to access the required functionality. Similar methodologies from previous Ox RCE challenges can be employed. Additionally, you must handle arrays and individual elements correctly, as the application processes them differently by calling either to_s or inspect() methods.

Want to learn more? Get started with PentesterLab Pro! GOPRO