Lab: Exploiting Ruby deserialization using a documented gadget chain
This lab uses a serialization-based session mechanism and the Ruby on Rails framework. There is a documented exploit that enables remote code execution via a gadget chain in this framework.
To solve the lab, find a documented exploit and adapt it to create a malicious serialized object containing a remote code execution payload. Then, pass this object into the website to delete the morale.txt file from Carlos's home directory.
- Log in to your own account and notice that the session cookie contains a serialized ("marshaled") Ruby object. Send a request containing this session cookie to Burp Repeater.
- Browse the web to find the "Ruby 2.x Universal RCE Gadget Chain" by Luke Jahnke. Copy the script for generating the payload, change the command that the script executes to rm /home/carlos/morale.txt, and run the script. This generates a serialized object containing the payload; the output contains both a hexadecimal and a Base64-encoded version of the object.
- Copy the Base64-encoded object.
- URL-encode the object and, in Burp Repeater, replace your session cookie with the malicious one that you just created.
- Send the request to solve the lab.
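The root cause in this lab is that the application accepts a client-supplied cookie and passes it to Marshal.load, which is what lets a gadget chain run. The following Ruby snippet is an added defensive example, not part of the lab or of PortSwigger's material: it shows how a session loader can recognise a Marshal stream by its leading format bytes (\x04\x08), refuse to deserialise it, and accept only a JSON session instead. The cookie values are constructed inline for illustration; in a real Rails application the equivalent framework-level fix is config.action_dispatch.cookies_serializer = :json.

```ruby
require 'base64'
require 'json'

# Every Marshal stream produced by modern Ruby starts with the format
# version bytes 4.8, which is a cheap and reliable fingerprint.
MARSHAL_MAGIC = "\x04\x08".b.freeze

# Classify a Base64-encoded session cookie as :marshal, :json or :unknown
# without ever calling Marshal.load on it.
def classify_session_cookie(cookie_value)
  raw = Base64.decode64(cookie_value).b
  return :marshal if raw.start_with?(MARSHAL_MAGIC)

  begin
    parsed = JSON.parse(raw)
    return :json if parsed.is_a?(Hash)
  rescue JSON::ParserError
    # fall through to :unknown
  end
  :unknown
end

# Safe loader: JSON.parse only builds plain Hash/Array/String/Numeric values,
# so no application object (and no gadget) can be instantiated from the cookie.
def load_session(cookie_value)
  case classify_session_cookie(cookie_value)
  when :json
    JSON.parse(Base64.decode64(cookie_value))
  when :marshal
    raise ArgumentError, 'refusing to Marshal.load a session cookie supplied by the client'
  else
    raise ArgumentError, 'unrecognised session cookie format'
  end
end

# Constructed sample cookies (not taken from the lab): a legacy Marshal-serialised
# session and its JSON equivalent, both Base64-encoded as a cookie would be.
LEGACY_COOKIE = Base64.strict_encode64(Marshal.dump({ 'username' => 'wiener' }))
JSON_COOKIE   = Base64.strict_encode64(JSON.generate({ 'username' => 'wiener' }))

if __FILE__ == $PROGRAM_NAME
  puts "legacy cookie -> #{classify_session_cookie(LEGACY_COOKIE)}"
  puts "json cookie   -> #{classify_session_cookie(JSON_COOKIE)}"
  puts "session: #{load_session(JSON_COOKIE).inspect}"
end
```

The same magic-byte check is useful on the detection side: logging any session cookie that decodes to a Marshal stream after the application has migrated to JSON flags exactly the kind of crafted cookie this lab submits.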