From ef85d7fdd501edd6ff5704a01b2d7f1e1bd92612 Mon Sep 17 00:00:00 2001
From: Carlos Polop
Date: Fri, 14 Feb 2025 19:18:28 +0100
Subject: [PATCH] unauth container registry
---
 src/SUMMARY.md | 1 +
 .../az-services/az-container-registry.md | 8 +++++-
 .../az-container-registry-unauth.md | 26 +++++++++++++++++++
 3 files changed, 34 insertions(+), 1 deletion(-)
 create mode 100644 src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-container-registry-unauth.md
diff --git a/src/SUMMARY.md b/src/SUMMARY.md
index c1ddfd787..478e28676 100644
--- a/src/SUMMARY.md
+++ b/src/SUMMARY.md
@@ -400,6 +400,7 @@
 - [Az - Tokens & Public Applications](pentesting-cloud/azure-security/az-basic-information/az-tokens-and-public-applications.md)
 - [Az - Enumeration Tools](pentesting-cloud/azure-security/az-enumeration-tools.md)
 - [Az - Unauthenticated Enum & Initial Entry](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/README.md)
+ - [Az - Container Registry Unauth](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-container-registry-unauth.md)
 - [Az - OAuth Apps Phishing](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-oauth-apps-phishing.md)
 - [Az - Storage Unauth](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-storage-unauth.md)
 - [Az - VMs Unauth](pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-vms-unauth.md)
diff --git a/src/pentesting-cloud/azure-security/az-services/az-container-registry.md b/src/pentesting-cloud/azure-security/az-services/az-container-registry.md
index d42bcdcb4..ea17d2d86 100644
--- a/src/pentesting-cloud/azure-security/az-services/az-container-registry.md
+++ b/src/pentesting-cloud/azure-security/az-services/az-container-registry.md
@@ -31,7 +31,7 @@ There are 4 ways to authenticate to an ACR: - **With Entra ID**: This is the **default** way to authenticate to an ACR. It uses the **`az acr login`** command to authenticate to the ACR. This command will **store the credentials** in the **`~/.docker/config.json`** file. Moreover, if you are running this command from an environment without access to a docker socket like in a **cloud shell**, it's possible to use the **`--expose-token`** flag to get the **token** to authenticate to the ACR. Then to authenticate you need to use as user name `00000000-0000-0000-0000-000000000000` like: `docker login myregistry.azurecr.io --username 00000000-0000-0000-0000-000000000000 --password-stdin <<< $TOKEN` - **With an admin account**: The admin user is disabled by default but it can be enabled and then it'll be possible to access the registry with the **username** and **password** of the admin account with full permissions to the registry. This is still supported because some Azure services use it. Note that **2 passwords** are created for this user and both are valid. You can enable it with `az acr update -n --admin-enabled true`. Note that the username is usually yhe registry name (and not `admin`). -- **With a token**: It's possible to create a **token** with a **specific `scope map`** (permissions) to access the registry. Then, it's possible to use this token name as username and some of the generated password to authenticate to the registry with `docker login -u -p aregistry-url>` +- **With a token**: It's possible to create a **token** with a **specific `scope map`** (permissions) to access the registry. Then, it's possible to use the name of the token as username and any of the generated passwords to authenticate to the registry with `docker login -u -p ` - **With a Service Principal**: It's possible to create a **service principal** and assign a role like **`AcrPull`** to pull images. 
Then, it'll be possible to **login to the registry** using the SP appId as username and a generated secret as password. Example script from the [docs](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal) to generate a SP with access over a registry: @@ -149,6 +149,12 @@ az acr cache list --registry az acr cache show --name --registry ``` +## Unauthenticated Access + +{{#ref}} +../az-unauthenticated-enum-and-initial-entry/az-container-registry-unauth.md +{{#endref}} + ## Privilege Escalation & Post Exploitation {{#ref}} diff --git a/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-container-registry-unauth.md b/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-container-registry-unauth.md new file mode 100644 index 000000000..2aedfdda3 --- /dev/null +++ b/src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-container-registry-unauth.md @@ -0,0 +1,26 @@ +# Az - Container Registry Unauth + +{{#include ../../../banners/hacktricks-training.md}} + +## Container Registry Unauth + +For more information about conteiner registry check: + +{{#ref}} +../az-services/az-container-registry.md +{{#endref}} + +### Anonymous Pull Access + +It's possible to **allow anonymous pull access to images** inside a registry. + +```bash +# Authorize anonymous pulls +az acr update --name --anonymous-pull-enabled true +``` + +Then, **anyone knowing the registry name** can pull images from `.azurecr.io`. + +{{#include ../../../banners/hacktricks-training.md}} + +
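Review bot: The rewritten "With a token" bullet in az-container-registry.md still passes the token password with `-p`, which leaves it in shell history and in the process list. The Entra ID bullet in the same hunk already uses `--password-stdin`, and the token example should match it, e.g. `docker login <registry-url> -u <token-name> --password-stdin <<< "$TOKEN_PASSWORD"`. As displayed here the new command reads `docker login -u -p ` with no arguments, so the placeholders may have been lost in rendering; if they are also missing in the file they should be restored.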
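Review bot: The "Anonymous Pull Access" section of the new az-container-registry-unauth.md shows only the command that turns the setting on, with nothing for checking or reverting it. A reader assessing a registry needs `az acr show --name <registry-name> --query anonymousPullEnabled` to see the current state and `az acr update --name <registry-name> --anonymous-pull-enabled false` to turn it off. The page should also say that the setting applies to every repository in the registry, so anything baked into those images becomes readable without credentials. The intro line misspells "container" as "conteiner".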