Dell Foglight for Virtualization is an infrastructure performance monitoring tool that can also be used to manage systems as well. It comes configured with a default username and password of “foglight”.
It is possible to execute code on the host itself through an integrated scripting console.
By browsing to Homes -> Administration
And then browsing to Investigate -> Data -> Script Console
Under the “Scripts” tab, click the [+] Add button.
From here you can enter any groovy code and execute it on the host. A simple way to execute commands is by using:
"cmd.exe /c ".execute
or
"powershell.exe -NoP -NonI -W Hidden -Enc".execute
This is a good place to swap in your Powershell Empire or Metasploit Web Delivery stage 0 payload.
Foglight also has the ability to execute code on the devices which it manages.
By browsing to Homes -> Automation
And then browsing to the Workflow Management tab and clicking the [+] New button.
When within the Workflow Studio click All ActionPacks -> Common -> Scripting
Here you will see a few choices:
- Run PowerShell Script
- Send and Run Command(s)
- Send and Run PowerShell script
I was not able to create a functional workflow, however with this it is likely possible to push a malicious workflow to all managed devices.
One other notable feature of Foglight is that it stores credentials.
By browsing to Dashboards-> Administration -> Credentials
and then click Manage Credentials.
According to the Foglight UI, “A lockbox contains a collection of encrypted credentials and the keys for their encryption and decryption.” While there does not seem to be a way to extract the credential plaintext thorough the UI, it is likely possible to compromise and decrypt these stored credentials once the host is compromised.
