Ox Remote Code Execution II
This exercise covers how you can gain code execution when an application is using Ox to deserialize data and is running on Ruby 2.7
This lab focuses on exploiting Ruby deserialization vulnerabilities by porting a new payload, compatible with recent Ruby versions, to the Optimized XML (Ox) serialization library. The original payload used for code execution via Marshal.load(...) no longer works with Ruby 2.7.x, but William Bowling's new payload provides a solution. You will use this payload to gain code execution in the context of Ox, addressing the challenge of Ox not supporting modules like Kernel.
The exploitation process involves crafting a series of gadgets that ultimately invoke the Kernel.system(...) method. However, since Ox does not support modules, you need to find alternative methods to access the required functionality. Similar methodologies from previous Ox RCE challenges can be employed. Additionally, you must handle arrays and individual elements correctly, as the application processes them differently by calling either to_s or inspect() methods.