Docker Registry Pentesting

Last modified: 2023-01-28


Docker Registry is a steteless, highly scalable server side application that stores and lets you distribute Docker images. A default port is 5000.


# We can download the manifest given tag.

Extract Layers

If we download the manifest with the above, see the content and blobsums (sha256:abcd...) in fsLayers.

curl -so 1.tar
tar -xvf 1.tar

After extracting tar files, investigate files or directories to find the sensitive information.