This is a story of a Docker registry which was exploited to get access to complete Filesystem.

According to Docker,

Docker Registry: The Docker Registry is a stateless, highly scalable server side application that stores and lets you distribute Docker images. There are two versions, v1 and v2, and a major bug we have in these versions is that by default there's no authentication.
You should use the Registry if you want to:

  • tightly control where your images are being stored
  • fully own your images distribution pipeline
  • integrate image storage and distribution tightly into your in-house development workflow

TL;DR In this Pentest, a Docker Registry Version 2 was found on one of the open ports and was exploited to download the full filesystem.

Below is a complete approach as to how this was achieved.
For confidentiality, we'll call the URL of our target as targetdock.com

NMAP

nmap -A -v -T4 targetdock.com -Pn

Nmap

Running a quick nmap scan reveled an open port which was interesting. Although it was unable to identify the service correctly. Also tried with netcat but it was of no use.

nc -v targetdock.com 32768

Gobuster

When all this failed, opened it normally in the browser and ran gobuster on the server to see if any hidden directories are there which might be serving an application.

Gobuster

Got a directory http://targetdock.com:32768/v2 which showed me a blank JSON response. Checked the response headers and found an interesting header.

Response Headers

Notice the fourth header, Docker-Distribution-Api-Version: registry/2.0
We have found ourselves a Docker Registry v2.

Now by default, Docker registry generally does not have any authentication. So now comes the exploitation part.

Exploitation

Went to the following URL to show available repositories:
http://targetdock.com:32768/v2/_catalog

Repositories/Images

I'll try to get info from the 5th repository, Lets call it random-test-image.

Now we have to find the tags for this repo that we have selected. We'll do it using the following URL: http://targetdock.com:32768/v2/random-test-image/tags/list

Tags

There's only one tag called latest. We'll download the Manifest file to view the blobs. Here's the URL to do it: http://targetdock.com:32768/v2/random-test-image/tags/list

This will give us a Manifest file like the one shown below.

Manifest

Now all we have to do is copy the contents of one of the blobSum and use it to download it with: http://targetdock.com:32768/v2/random-test-image/blobs/sha256:fc7181108d403205fda45b28dbddfa1cf07e772fa41244e44f53a341b8b1893d

It'll give us a gzip compressed file which will give us the actual data after extraction. Now you can manually browse for any sensitive info which might be there in those blobs.

Every one of those blobSum's had different contents. And, I found the one with the whole Filesystem in it.

Blob Data

This is just an example of how harmful this bug can be, considering that there were 4 more repositories with a lot of blobs in their manifests. Imagine the amount of information exposed.

There's also a script available to automate the whole process, you can get it from here: https://github.com/NotSoSecure/docker_fetch/ .


References:
https://www.notsosecure.com/anatomy-of-a-hack-docker-registry/
https://docs.docker.com/registry/