Ox Remote Code Execution II

This exercise covers how to gain code execution against an application that uses Ox to deserialize untrusted data and runs on Ruby 2.7.

PRO Tier | Hard | 2-4 Hrs. | 23 | Brown Badge


This lab focuses on exploiting Ruby deserialization vulnerabilities by porting a newer payload, compatible with recent Ruby versions, to the Optimized XML (Ox) serialization library. The original payload used for code execution via `Marshal.load(...)` no longer works on Ruby 2.7.x; William Bowling's newer payload does. You will adapt that payload to Ox, which adds a further obstacle: Ox cannot deserialize modules such as `Kernel`, so the chain has to reach the same functionality another way.

The exploitation process involves crafting a chain of gadgets that ultimately invokes `Kernel.system(...)`. Because Ox does not support modules, you need to find an alternative route to the functionality the chain requires; the methodology from the previous Ox RCE challenges applies here as well. You must also handle arrays and individual elements correctly: the application processes them differently, calling `to_s` on one and `inspect` on the other, and that choice decides which method of your deserialized object actually gets triggered.
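The `to_s` versus `inspect` distinction matters more than it looks, because on a Ruby `Array` the two are the same method and both end up calling `inspect` on each element. The following is an added illustration, not code from the lab or from PentesterLab: `Probe` is a hypothetical stand-in for a gadget that records which of its methods was invoked instead of running anything, and `render` models the two application code paths exactly as the text describes them (arrays get `to_s`, single elements get `inspect`); that split is an assumption taken from the description above, not the lab's actual source.

```ruby
# Added example: which method of a deserialized object fires depends on
# whether the application handles it as an array or as a single element.

# Hypothetical gadget stand-in (assumption, not a real gadget): it only
# records which entry point was used, so the example is safe to run.
class Probe
  attr_reader :calls

  def initialize(name)
    @name = name
    @calls = []
  end

  def to_s
    @calls << :to_s
    "probe(#{@name})"
  end

  def inspect
    @calls << :inspect
    "#<Probe #{@name}>"
  end
end

# Models the application's two code paths as described on the page
# (assumption): arrays are rendered with to_s, single values with inspect.
def render(value)
  value.is_a?(Array) ? value.to_s : value.inspect
end

# Returns the list of entry points hit on each element after rendering,
# so a caller can see which method a gadget must implement for each path.
def methods_hit(value)
  render(value)
  elements = value.is_a?(Array) ? value : [value]
  elements.map(&:calls)
end

if __FILE__ == $PROGRAM_NAME
  single = Probe.new("single")
  wrapped = Probe.new("wrapped")
  render(single)      # single element path: Probe#inspect runs
  render([wrapped])   # array path: Array#to_s is Array#inspect, so
                      # Probe#inspect runs on the element, never Probe#to_s
  puts "single element -> #{single.calls.inspect}"
  puts "array element  -> #{wrapped.calls.inspect}"
  interpolated = Probe.new("interp")
  "#{interpolated}"   # only string interpolation reaches Probe#to_s
  puts "interpolation  -> #{interpolated.calls.inspect}"
end
```

The takeaway for the lab: on both application paths the element's `inspect` is what executes, so a gadget that only overrides `to_s` would never fire through the array path either; it is the interpolation-style path, if one exists, that reaches `to_s`.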
