This is a story of a Docker registry which was exploited to get access to complete Filesystem.
According to Docker,
Docker Registry: The Docker Registry is a stateless, highly scalable server side application that stores and lets you distribute Docker images. There are two versions, v1 and v2, and a major bug we have in these versions is that by default there's no authentication.
You should use the Registry if you want to:
- tightly control where your images are being stored
- fully own your images distribution pipeline
- integrate image storage and distribution tightly into your in-house development workflow
TL;DR In this Pentest, a Docker Registry Version 2 was found on one of the open ports and was exploited to download the full filesystem.
Below is a complete approach as to how this was achieved.
For confidentiality, we'll call the URL of our target as targetdock.com
nmap -A -v -T4 targetdock.com -Pn
Running a quick nmap scan reveled an open port which was interesting. Although it was unable to identify the service correctly. Also tried with netcat but it was of no use.
When all this failed, opened it normally in the browser and ran gobuster on the server to see if any hidden directories are there which might be serving an application.
Got a directory
http://targetdock.com:32768/v2 which showed me a blank JSON response. Checked the response headers and found an interesting header.
Notice the fourth header,
We have found ourselves a Docker Registry v2.
Now by default, Docker registry generally does not have any authentication. So now comes the exploitation part.
Went to the following URL to show available repositories:
I'll try to get info from the 5th repository, Lets call it random-test-image.
Now we have to find the tags for this repo that we have selected. We'll do it using the following URL:
There's only one tag called latest. We'll download the Manifest file to view the blobs. Here's the URL to do it:
This will give us a Manifest file like the one shown below.
Now all we have to do is copy the contents of one of the blobSum and use it to download it with:
It'll give us a gzip compressed file which will give us the actual data after extraction. Now you can manually browse for any sensitive info which might be there in those blobs.
Every one of those blobSum's had different contents. And, I found the one with the whole Filesystem in it.
This is just an example of how harmful this bug can be, considering that there were 4 more repositories with a lot of blobs in their manifests. Imagine the amount of information exposed.
There's also a script available to automate the whole process, you can get it from here: https://github.com/NotSoSecure/docker_fetch/ .