Exploiting Private Registry via Misconfiguration - Scenario
Bob's company has deployed a new mail application for them to use. Alas, this application is riddled with bugs! Most of which arise from default configurations and poor programming practices. There has been speculation that the internal team did not even remove the readme file for this application!
In any case, as an attacker you know that the application is deployed using docker. Can we use a vulnerability to read files that we are not meant to and see what the docker private registry looks like? Who knows what secrets you may find!
Tips
- Endpoint for your attack is
http://mailbox-service.student-uniquename.cloudsec.training. Replaceuniquenamewith your unique name - The login credentials for the application are
username: bobandpassword: bobmailbox README.mdexists- The app is vulnerable to
LFI