TrustNoOne

Attack a docker container host which is protected by client SSL certificates.

Solution

I didn’t take any photos for this, but the solution had a few options:

  • Attack the web API interface.
  • Attack the docker commandline connection via docker -H --tls.

I chose to attack the web API, since the included PFX file was the fastest to install in Chrome. But first, where is it?

For this, nmap is your friend. Since this is a CTF environment, we don’t care about detection and can run an aggressive scan across all 65536 ports. It found port 5515 open; trying this over HTTPS gives a page asking for the certificate to confirm identity.

Exploring the Docker API via /containers/json gave a list of all containers.

The flag was in the start command of a third container.
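
The defender's takeaway is that anything placed in a container's start command is readable by anyone who can query /containers/json. As an added example (not part of the original write-up), this script audits a response of that shape for secret-looking material in the Command field; the sample response and the patterns are constructed assumptions.

```python
import json
import re

# Constructed sample shaped like a Docker Engine API GET /containers/json
# response (array of objects with Id, Names, Image, Command). Not real data.
SAMPLE_RESPONSE = json.dumps([
    {"Id": "a1" * 32, "Names": ["/web"], "Image": "nginx:stable",
     "Command": "nginx -g 'daemon off;'"},
    {"Id": "b2" * 32, "Names": ["/db"], "Image": "postgres:16",
     "Command": "docker-entrypoint.sh postgres"},
    {"Id": "c3" * 32, "Names": ["/worker"], "Image": "example/worker:1",
     "Command": "/bin/sh -c 'run-job --api-token=EXAMPLE-NOT-A-REAL-TOKEN'"},
])

# Heuristic patterns (assumptions; tune them for your environment).
SECRET_PATTERNS = [
    ("credential option", re.compile(
        r"--?[\w-]*(?:password|passwd|secret|token|api[-_]?key)[\w-]*[= ]\S+",
        re.I)),
    ("credential env assignment", re.compile(
        r"\b\w*(?:PASSWORD|SECRET|TOKEN|API_?KEY)\w*=\S+")),
    ("URL with embedded credentials", re.compile(
        r"\b\w+://[^/\s:@]+:[^/\s@]+@")),
]


def audit_container_commands(containers_json):
    """Return one finding per container whose start command exposes a secret."""
    findings = []
    for c in json.loads(containers_json):
        command = c.get("Command") or ""
        name = (c.get("Names") or ["<unnamed>"])[0].lstrip("/")
        for label, pattern in SECRET_PATTERNS:
            if pattern.search(command):
                findings.append({"container": name,
                                 "id": c.get("Id", "")[:12],
                                 "issue": label})
                break  # first matching pattern is enough per container
    return findings


if __name__ == "__main__":
    for f in audit_container_commands(SAMPLE_RESPONSE):
        print(f"{f['container']} ({f['id']}): {f['issue']} in start command")
```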