Artifactory Pentesting
Theory
Artifactory is a widely used binary repository manager that serves as a central hub for managing, storing, and distributing software, binaries, artifacts and dependencies. It supports multiple package types and integrates with build tools, CI/CD pipelines, and DevOps workflows.
From an attacker's perspective, this centralization and trust make Artifactory a high-value target. By compromising the server, we can introduce malicious artifacts that propagate through the development pipeline, enabling supply chain attacks.
Additionally, Artifactory often contains sensitive information, such as API keys, authentication tokens, and secrets embedded in binaries or configuration files, which we may exfiltrate or use to escalate privileges or pivot to other systems.
Artifactory's web interface runs by default on port 8081.
Artifactory's default accounts are:

| Account | Default password | Purpose |
| --- | --- | --- |
| admin | password | common administration account |
| access-admin | password (< 6.8.0) or a random value (>= 6.8.0) | used for local administration operations only |
| anonymous | '' (empty) | anonymous user to retrieve packages remotely, not enabled by default |
If you have administrative/write access to a repository, you can upload a malicious file to replace an original one.
First, enumerate repositories.
Once we have found an interesting file to backdoor (e.g. http://<TARGET>:8081/artifactory/api/storage/SimpleRepo/app.exe), we can replace the file as follows.
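From the defender's side, the replacement of a published artifact is detectable because the storage API reports the artifact's checksums and who last modified it. The following Python script is an added example, not part of the original page or of Artifactory itself: it assumes the organization pins each artifact's SHA-256 at publish time (the `PINNED` manifest, a constructed assumption) and then compares that pin against storage-API responses. The field names `repo`, `path`, `modifiedBy`, `lastModified` and `checksums` are the real storage-API fields; all values, paths and the sample binary contents are constructed for the example.

```python
import hashlib
import json

# Constructed "known-good" build output. In practice the pinned digest comes
# from the CI job that produced the artifact, recorded when it was published.
GOOD_BUILD = b"MZ\x90\x00 constructed sample binary v1.0"
GOOD_SHA256 = hashlib.sha256(GOOD_BUILD).hexdigest()

# Pinned manifest (assumption): "<repo>/<path>" -> expected sha256.
PINNED = {
    "SimpleRepo/app.exe": GOOD_SHA256,
    "SimpleRepo/lib/util.jar": hashlib.sha256(b"constructed jar v2").hexdigest(),
    "SimpleRepo/legacy.tar.gz": hashlib.sha256(b"constructed legacy tarball").hexdigest(),
}

# Constructed responses shaped like GET /artifactory/api/storage/<repo>/<path>.
# Field names match the storage API; every value here is invented.
SAMPLE_RESPONSES = [
    # Unchanged artifact: reported sha256 equals the pin.
    json.dumps({"repo": "SimpleRepo", "path": "/app.exe", "modifiedBy": "ci-bot",
                "lastModified": "2024-03-01T09:00:00.000Z",
                "checksums": {"sha256": GOOD_SHA256}}),
    # Same path as a pinned artifact, but the content was overwritten after release.
    json.dumps({"repo": "SimpleRepo", "path": "/lib/util.jar", "modifiedBy": "admin",
                "lastModified": "2024-03-02T22:41:00.000Z",
                "checksums": {"sha256": hashlib.sha256(b"tampered jar").hexdigest(),
                              "sha1": "0" * 40}}),
    # Older upload for which the server reports no sha256 at all.
    json.dumps({"repo": "SimpleRepo", "path": "/legacy.tar.gz", "modifiedBy": "admin",
                "lastModified": "2019-06-01T00:00:00.000Z",
                "checksums": {"sha1": "1" * 40, "md5": "2" * 32}}),
    # Artifact nobody pinned: it cannot be verified either way.
    json.dumps({"repo": "SimpleRepo", "path": "/tools/helper.sh", "modifiedBy": "dev1",
                "lastModified": "2024-02-20T12:00:00.000Z",
                "checksums": {"sha256": "f" * 64}}),
]


def audit_storage_entry(entry: dict, pinned: dict = PINNED) -> dict:
    """Classify one storage-API entry against the pinned manifest."""
    key = f"{entry['repo']}/{entry['path'].lstrip('/')}"
    actual = entry.get("checksums", {}).get("sha256")
    expected = pinned.get(key)
    finding = {"artifact": key,
               "modifiedBy": entry.get("modifiedBy"),
               "lastModified": entry.get("lastModified")}
    if expected is None:
        finding["status"] = "UNPINNED"    # never recorded at publish time
    elif actual is None:
        finding["status"] = "NO_SHA256"   # server reports no sha256; recompute from a download
    elif actual == expected:
        finding["status"] = "OK"
    else:
        finding["status"] = "MISMATCH"    # content differs from the pinned build output
        finding["expected"] = expected
        finding["actual"] = actual
    return finding


def audit_responses(raw_responses, pinned: dict = PINNED) -> list:
    """Parse raw JSON responses and audit each one."""
    return [audit_storage_entry(json.loads(raw), pinned) for raw in raw_responses]


def alerts(findings: list) -> list:
    """Only the findings that need a human to look at them."""
    return [f for f in findings if f["status"] in ("MISMATCH", "NO_SHA256")]


def verify_download(data: bytes, key: str, pinned: dict = PINNED) -> bool:
    """Client-side check: hash the bytes actually downloaded rather than trusting
    the server-reported checksum (a compromised server could report anything)."""
    return hashlib.sha256(data).hexdigest() == pinned.get(key)


if __name__ == "__main__":
    for finding in alerts(audit_responses(SAMPLE_RESPONSES)):
        print(f"{finding['status']:<9} {finding['artifact']} "
              f"(last modified {finding['lastModified']} by {finding['modifiedBy']})")
```

Running the script on the constructed responses flags `lib/util.jar` as a mismatch and `legacy.tar.gz` as unverifiable; the `modifiedBy` and `lastModified` fields give the incident responder a starting point for correlating with Artifactory's access and request logs. The pinned manifest is the important design choice: a checksum stored only on the server is overwritten together with the artifact, so the reference digest has to live somewhere the repository administrator cannot rewrite.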
The following are only useful once we have achieved remote code execution or arbitrary file read on the server.
We can copy the database (as Artifactory usually locks its database files) and access the copy to retrieve sensitive information.