Dell Foglight for Virtualization is an infrastructure performance monitoring tool that can also be used to manage systems. It comes configured with a default username and password of “foglight.”

It is possible to execute code on the host itself through an integrated scripting console.

To reach it, browse to Homes -> Administration, and then to Investigate -> Data -> Script Console.

Under the “Scripts” tab, click the [+] Add button.

From here you can enter any Groovy code and execute it on the host. A simple way to execute commands is by using:

"cmd.exe /c ".execute()

or

"powershell.exe -NoP -NonI -W Hidden -Enc".execute()

This is a good place to swap in your PowerShell Empire or Metasploit Web Delivery stage 0 payload.
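Because Groovy's execute() starts a child process of the Foglight server, use of the script console in this way is visible in process-creation logs. The detection logic below is an added example, not code from the original post or from Dell; the field names follow Sysmon Event ID 1, while the "foglight" path marker, the install path and the sample events are constructed assumptions.

```python
import ntpath

# Assumption: the Foglight server process runs from a path containing this
# marker; adjust it to the real install path in your environment.
SERVER_MARKER = "foglight"
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# PowerShell accepts any unambiguous prefix of a parameter name, so match
# prefixes (with a minimum length) instead of the literal "-Enc" or "-W".
PS_FLAGS = {"encodedcommand": 1, "windowstyle": 1,
            "noprofile": 3, "noninteractive": 4}

def suspicious_flags(command_line):
    """Return the full names of stealth-related PowerShell flags present."""
    found = set()
    for token in command_line.split():
        if token[0] not in "-/" or len(token) < 2:
            continue
        name = token[1:].lower()
        if name == "ec":  # documented short form of -EncodedCommand
            found.add("encodedcommand")
        for full, min_len in PS_FLAGS.items():
            if len(name) >= min_len and full.startswith(name):
                found.add(full)
    return sorted(found)

def flag_console_spawns(events):
    """Flag command shells whose parent is the monitoring server process."""
    alerts = []
    for ev in events:
        child = ntpath.basename(ev["Image"]).lower()
        if SERVER_MARKER not in ev["ParentImage"].lower() or child not in SHELLS:
            continue
        flags = suspicious_flags(ev["CommandLine"])
        severity = "high" if "encodedcommand" in flags else "medium"
        alerts.append({"child": child, "flags": flags, "severity": severity})
    return alerts

# Constructed process-creation events; the Foglight path is hypothetical.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Foglight\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"ParentImage": r"C:\Foglight\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -noni -w hidden -e <BASE64-PLACEHOLDER>"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
]
```

Any shell spawned by a monitoring server deserves review; the encoded-command case is rated higher because it hides what was run.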


Foglight can also execute code on the devices it manages.

Browse to Homes -> Automation, then open the Workflow Management tab and click the [+] New button.

When in the Workflow Studio, click All ActionPacks -> Common -> Scripting

Here you will see a few choices:

Run PowerShell Script

Send and Run Command(s)

Send and Run PowerShell script

I was not able to create a functional workflow; however, with this it is likely possible to push a malicious workflow to all managed devices.

One other notable feature of Foglight is that it stores credentials.

Browse to Dashboards -> Administration -> Credentials and then click Manage Credentials.

According to the Foglight UI, “A lockbox contains a collection of encrypted credentials and the keys for their encryption and decryption.” While there does not seem to be a way to extract the credential plaintext through the UI, it is likely possible to decrypt these stored credentials once the host is compromised.