Microsoft Dynamics Container Sandbox RCE via Unauthenticated Docker Remote API 20,000$ Bounty

Microsoft stating that production data can be uploaded to the sandboxed environment

Steps To Reproduce the Remote Code Execution on Dynamics Container Sandbox:

As we already know, the Docker Remote API can be used for different types of actions, such as providing information about running containers.

Docker Remote API provides information about running container(s).

Save the file with the extension of .ps1

2.2: Now that the reverse shell payload is ready, host the PowerShell script on any external web service.

Getting ready for Reverse Shell connections
A successful call to the exec endpoint returns an ID that we will use in the next step to start the command in the container. Keep this ID.
The output from the curl command used to download the reverse shell. This output means that the payload was downloaded successfully to the container, into C:\\Run\\script.ps1
After the Start endpoint was hit, I immediately received a connection to my C&C server from the Dynamics Container Sandbox.
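
A defender-side check for the root cause described above, a Docker Remote API listener that accepts requests without client authentication. This is an added example, not code from the original write-up or from Microsoft: it audits the `hosts`, `tls` and `tlsverify` keys of a Docker `daemon.json`, and the sample configurations and severity labels are constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample daemon.json bodies (not taken from the write-up).
SAMPLE_EXPOSED = '{"hosts": ["tcp://0.0.0.0:2375", "npipe://"]}'
SAMPLE_TLS_ONLY = '{"hosts": ["tcp://0.0.0.0:2376"], "tls": true}'
SAMPLE_MTLS = ('{"hosts": ["tcp://127.0.0.1:2376", "npipe://"], '
               '"tlsverify": true, "tlscacert": "ca.pem"}')


def is_loopback(host):
    """True only when the bind address is clearly loopback."""
    if not host:
        return False  # conservative: an unspecified address counts as exposed
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # a hostname we cannot classify offline


def audit_daemon_config(text):
    """Return (listener, severity, reason) for each unauthenticated TCP listener."""
    cfg = json.loads(text)
    tls = bool(cfg.get("tls"))
    verify = bool(cfg.get("tlsverify"))
    findings = []
    for listener in cfg.get("hosts", []):
        url = urlsplit(listener)
        if url.scheme != "tcp":
            continue  # unix://, npipe:// and fd:// are local transports
        if verify:
            continue  # tlsverify makes the daemon require client certificates
        if tls:
            reason = "TLS without tlsverify: encrypted, but any client is accepted"
        else:
            reason = "plaintext listener with no authentication"
        # Severity grading is this example's own: loopback is still reachable
        # by local processes, so it is flagged rather than skipped.
        severity = "high" if is_loopback(url.hostname) else "critical"
        findings.append((listener, severity, reason))
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_EXPOSED, SAMPLE_TLS_ONLY, SAMPLE_MTLS):
        print(audit_daemon_config(sample) or "no unauthenticated TCP listener")
```

Listeners passed to `dockerd` with `-H` on the command line are not in `daemon.json`, so check the service definition as well.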
