TLDRBins TLDRBins / Docker Registry

Usage Tips:

  • Click on a keyword to enable inline editing.
  • Click inside a code block to copy (excludes comments).
  • Use the button to view examples.
  • Click outside to collapse all examples.

Docker Registry API

# List repos
curl -s -k --user "<USER>:<PASSWORD>" <TARGET>/v2/_catalog

Sample Output:
$ curl -s -k --user "admin:admin" https://docker.registry.htb/v2/_catalog
{"repositories":["bolt-image"]}

# List of tags of this repo
curl -s -k --user "<USER>:<PASSWORD>" <TARGET>/v2/<REPO_NAME>/tags/list

Sample Output:
$ curl -s -k --user "admin:admin" https://docker.registry.htb/v2/bolt-image/tags/list
{"name":"bolt-image","tags":["latest"]}

# List manifest file for this tag (e.g. latest)
curl -s -k --user "<USER>:<PASSWORD>" <TARGET>/v2/<REPO_NAME>/manifests/<TAG>

Sample Output:
$ curl -s -k --user "admin:admin" https://docker.registry.htb/v2/bolt-image/manifests/latest
{
   "schemaVersion": 1,
   "name": "bolt-image",
   "tag": "latest",
   "architecture": "amd64",
   "fsLayers": [
      {
         "blobSum": "sha256:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b"
      },
      {
         "blobSum": "sha256:3f12770883a63c833eab7652242d55a95aea6e2ecd09e21c29d7d7b354f3d4ee"
      },
      {
         "blobSum": "sha256:02666a14e1b55276ecb9812747cb1a95b78056f1d202b087d71096ca0b58c98c"
      },
      ...[SNIP]...
}

# Get a commit of the image
curl -s -k --user "<USER>:<PASSWORD>" <TARGET>/v2/<REPO_NAME>/blobs/sha256:<BLOB_HASH> > <BLOB_HASH>.tar.gz

Sample Output:
$ curl -s -k --user "admin:admin" https://docker.registry.htb/v2/bolt-image/blobs/sha256:302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b > 302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b.tar.gz

Docker Registry Dump

# List repos
python3 drg.py <TARGET> -p <PORT> -U '<USER>' -P '<PASSWORD>' --list

Sample Output:
$ python3 drg.py https://docker.registry.htb -p 443 -U 'admin' -P 'admin' --list
[+] bolt-image

# Dump repo
python3 drg.py <TARGET> -p <PORT> -U '<USER>' -P '<PASSWORD>' --dump <REPO_NAME>

Sample Output:
$ python3 drg.py https://docker.registry.htb -p 443 -U 'admin' -P 'admin' --dump bolt-image
[+] BlobSum found 10
[+] Dumping bolt-image
    [+] Downloading : 302bfcb3f10c386a25a58913917257bd2fe772127e36645192fa35e4c6b3c66b
    [+] Downloading : 3f12770883a63c833eab7652242d55a95aea6e2ecd09e21c29d7d7b354f3d4ee
    [+] Downloading : 02666a14e1b55276ecb9812747cb1a95b78056f1d202b087d71096ca0b58c98c
    [+] Downloading : c71b0b975ab8204bb66f2b659fa3d568f2d164a620159fc9f9f185d958c352a7
...[SNIP]...

Ref: DockerRegistryGrabber