gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2026-02-05 11:26:11 -08:00
Code Issues Packages Projects Releases Wiki Activity
Files
ecb7b8f136d2840fad70d6810fda4b515e021ca3
hacktricks-cloud/src/pentesting-cloud/aws-security/aws-unauthenticated-enum-access/aws-ecr-unauthenticated-enum.md
Carlos Polop 716aa06779 translate 2
2025-01-01 23:55:27 +01:00

1.3 KiB
Raw Blame History

AWS - ECR Unauthenticated Enum

{{#include ../../../banners/hacktricks-training.md}}

ECR

For more information check:

{{#ref}} ../aws-services/aws-ecr-enum.md {{#endref}}

Public registry repositories (images)

As mentioned in the ECS Enum section, a public registry is accessible by anyone uses the format public.ecr.aws/<random>/<name>. If a public repository URL is located by an attacker he could download the image and search for sensitive information in the metadata and content of the image.

aws ecr describe-repositories --query 'repositories[?repositoryUriPublic == `true`].repositoryName' --output text

Warning

This could also happen in private registries where a registry policy or a repository policy is granting access for example to "AWS": "*". Anyone with an AWS account could access that repo.

Enumerate Private Repo

The tools skopeo and crane can be used to list accessible repositories inside a private registry.

# Get image names
skopeo list-tags docker://<PRIVATE_REGISTRY_URL> | grep -oP '(?<=^Name: ).+'
crane ls <PRIVATE_REGISTRY_URL> | sed 's/ .*//'

{{#include ../../../banners/hacktricks-training.md}}

Reference in New Issue View Git Blame Copy Permalink