HackTricks CloudAWS - ECR Unauthenticated Enum
Tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking:HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
ECR
For more information check:
Public registry repositories (images)
As mentioned in the ECS Enum section, a public registry is accessible by anyone uses the format public.ecr.aws/<random>/<name>. If a public repository URL is located by an attacker he could download the image and search for sensitive information in the metadata and content of the image.
aws ecr describe-repositories --query 'repositories[?repositoryUriPublic == `true`].repositoryName' --output text
Warning
This could also happen in private registries where a registry policy or a repository policy is granting access for example to
"AWS": "*". Anyone with an AWS account could access that repo.
Enumerate Private Repo
The tools skopeo and crane can be used to list accessible repositories inside a private registry.
# Get image names
skopeo list-tags docker://<PRIVATE_REGISTRY_URL> | grep -oP '(?<=^Name: ).+'
crane ls <PRIVATE_REGISTRY_URL> | sed 's/ .*//'
Tip
Learn & practice AWS Hacking:
Learn & practice GCP Hacking:
Learn & practice Az Hacking:Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.