unauth container registry

src/pentesting-cloud/azure-security/az-services/az-container-registry.md

@@ -31,7 +31,7 @@ There are 4 ways to authenticate to an ACR:
 
 - **With Entra ID**: This is the **default** way to authenticate to an ACR. It uses the **`az acr login`** command to authenticate to the ACR. This command will **store the credentials** in the **`~/.docker/config.json`** file. Moreover, if you are running this command from an environment without access to a docker socket like in a **cloud shell**, it's possible to use the **`--expose-token`** flag to get the **token** to authenticate to the ACR. Then to authenticate you need to use as user name `00000000-0000-0000-0000-000000000000` like: `docker login myregistry.azurecr.io --username 00000000-0000-0000-0000-000000000000 --password-stdin <<< $TOKEN`
 - **With an admin account**: The admin user is disabled by default but it can be enabled and then it'll be possible to access the registry with the **username** and **password** of the admin account with full permissions to the registry. This is still supported because some Azure services use it. Note that **2 passwords** are created for this user and both are valid. You can enable it with `az acr update -n <acrName> --admin-enabled true`. Note that the username is usually yhe registry name (and not `admin`).
-- **With a token**: It's possible to create a **token** with a **specific `scope map`** (permissions) to access the registry. Then, it's possible to use this token name as username and some of the generated password to authenticate to the registry with `docker login -u <registry-name> -p <password> aregistry-url>`
+- **With a token**: It's possible to create a **token** with a **specific `scope map`** (permissions) to access the registry. Then, it's possible to use the name of the token as username and any of the generated passwords to authenticate to the registry with `docker login -u <registry-name> -p <password> <registry-url>`
 - **With a Service Principal**: It's possible to create a **service principal** and assign a role like **`AcrPull`** to pull images. Then, it'll be possible to **login to the registry** using the SP appId as username and a generated secret as password.
 
 Example script from the [docs](https://learn.microsoft.com/en-us/azure/container-registry/container-registry-auth-service-principal) to generate a SP with access over a registry:
@@ -149,6 +149,12 @@ az acr cache list --registry <registry-name>
 az acr cache show --name <cache-name> --registry <registry-name>
 ```
 
+## Unauthenticated Access
+
+{{#ref}}
+../az-unauthenticated-enum-and-initial-entry/az-container-registry-unauth.md
+{{#endref}}
+
 ## Privilege Escalation & Post Exploitation
 
 {{#ref}}

src/pentesting-cloud/azure-security/az-unauthenticated-enum-and-initial-entry/az-container-registry-unauth.md

@@ -0,0 +1,26 @@
+# Az - Container Registry Unauth
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+## Container Registry Unauth
+
+For more information about conteiner registry check:
+
+{{#ref}}
+../az-services/az-container-registry.md
+{{#endref}}
+
+### Anonymous Pull Access
+
+It's possible to **allow anonymous pull access to images** inside a registry. 
+
+```bash
+# Authorize anonymous pulls
+az acr update --name <registry-name> --anonymous-pull-enabled true
+```
+
+Then, **anyone knowing the registry name** can pull images from `<registry-name>.azurecr.io`.
+
+{{#include ../../../banners/hacktricks-training.md}}
+
+