This is a story of a Docker registry that was exploited to get access to the complete Filesystem.
According to Docker,
Docker Registry : The Docker Registry is a stateless, highly scalable server-side application that stores and lets you distribute Docker images. There are two versions, v1 and v2, and a major bug we have in these versions is that by default there's no authentication.
You should use the Registry if you want to:
- tightly control where your images are being stored
- fully own your images distribution pipeline
- integrate image storage and distribution tightly into your in-house development workflow
TL;DR In this Pentest, a Docker Registry Version 2 was found on one of the open ports and was exploited to download the full filesystem.
Below is a complete approach as to how this was achieved.
For confidentiality, we'll call the URL of our target as targetdock.com
NMAP
nmap -A -v -T4 targetdock.com -Pn

Running a quick nmap scan reveled an open port which was interesting. Although it was unable to identify the service correctly. Also tried with netcat but it was of no use.

nc -v targetdock.com 32768

http://targetdock.com:32768/v2
which showed me a blank JSON response. Checked the response headers and found an interesting header.

Docker-Distribution-Api-Version: registry/2.0
We have found ourselves a Docker Registry v2. Now by default, Docker registry generally does not have any authentication. So now comes the exploitation part. ## Exploitation Went to the following URL to show available repositories:
http://targetdock.com:32768/v2/_catalog

http://targetdock.com:32768/v2/random-test-image/tags/list

http://targetdock.com:32768/v2/random-test-image/tags/list
This will give us a Manifest file like the one shown below.

http://targetdock.com:32768/v2/random-test-image/blobs/sha256:fc7181108d403205fda45b28dbddfa1cf07e772fa41244e44f53a341b8b1893d
It'll give us a gzip compressed file which will give us the actual data after extraction. Now you can manually browse for any sensitive info which might be there in those blobs.
Every one of those blobSum's had different contents. And, I found the one with the whole Filesystem in it.

This is just an example of how harmful this bug can be, considering that there were 4 more repositories with a lot of blobs in their manifests. Imagine the amount of information exposed.
There's also a script available to automate the whole process, you can get it from here: https://github.com/NotSoSecure/docker_fetch/ .
References
https://www.notsosecure.com/anatomy-of-a-hack-docker-registry/
https://docs.docker.com/registry/