HackTricks Cloud
HackTricks Training Twitter Linkedin Sponsor

AWS - ECR Unauthenticated Enum

Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

ECR

For more information check:

pageAWS - ECR Enum

Public registry repositories (images)

As mentioned in the ECS Enum section, a public registry is accessible by anyone uses the format public.ecr.aws/<random>/<name>. If a public repository URL is located by an attacker he could download the image and search for sensitive information in the metadata and content of the image.

aws ecr describe-repositories --query 'repositories[?repositoryUriPublic == `true`].repositoryName' --output text

This could also happen in private registries where a registry policy or a repository policy is granting access for example to "AWS": "*". Anyone with an AWS account could access that repo.

Enumerate Private Repo

The tools skopeo and crane can be used to list accessible repositories inside a private registry.

# Get image names
skopeo list-tags docker://<PRIVATE_REGISTRY_URL> | grep -oP '(?<=^Name: ).+'
crane ls <PRIVATE_REGISTRY_URL> | sed 's/ .*//'
Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!

Other ways to support HackTricks:

PreviousAWS - EC2 Unauthenticated EnumNextAWS - ECS Unauthenticated Enum

Last updated