Splunk
Splunk is a web interface for searching, monitoring, and analyzing machine-generated data in real time. It's often used as a SIEM.
It's paid software. There is a 60-day free trial for companies.
Ports: 8000 (TCP/HTTPS, web interface), 8089 (TCP/splunkd management)
The Splunkbase website is the official place to browse for add-ons that extend Splunk, usually for a specific use case.
Splunk Pentester Notes ⚠️
Enumeration
- Navigate to Help > About > Version to find the version (requires being logged in)
Foothold
- There is no authentication in the free version. If an expired trial version is still installed, it becomes a free version.
- Default credentials are admin:changeme in older versions. For newer versions, the password is set at install.
Exploitation
There are multiple ways of running code. We can use a scripted input such as reverse_shell_splunk (0.03k ⭐, 2018 🪦).
To target a Windows host, we need to configure the run.ps1 script.
$ git clone https://github.com/0xjpuff/reverse_shell_splunk
$ cd reverse_shell_splunk/
$ nano reverse_shell_splunk/bin/run.ps1
$ tar -cvzf updater.tar.gz reverse_shell_splunk
Navigate to Apps > Edit, and click on "install app from file."
➡️ See also: use exploit/multi/http/splunk_upload_app_exec.
➡️ For persistence, we may configure the schedule of the scripted input. If the server is a deployment server and the target hosts have Universal Forwarders installed, we may be able to compromise them as well.
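A defensive counterpart to the persistence note above, added here and not part of the original notes nor of reverse_shell_splunk: an uploaded app carries its scripted input and schedule in an inputs.conf stanza, so reviewing the [script://...] stanzas of deployed apps (for example under $SPLUNK_HOME/etc/apps/<app>/local/inputs.conf) for enabled, short-interval or cron-scheduled scripts is a quick way to spot this kind of persistence. The sample inputs.conf content is constructed; the 60-second "short interval" threshold and the reading of interval = -1 as run-once-at-start are my assumptions.

```python
"""Audit Splunk inputs.conf text for enabled scripted inputs and their schedule.

Added example, not code from the original notes. Standard library only.
"""
import configparser
import re
from dataclasses import dataclass
from typing import List

# Constructed sample inputs.conf: one file monitor, one short-interval
# scripted input, one cron-scheduled scripted input, one disabled script.
SAMPLE_INPUTS_CONF = """\
[monitor:///var/log/syslog]
disabled = 0
sourcetype = syslog

[script://./bin/run.ps1]
disabled = 0
interval = 10
sourcetype = updater

[script://./bin/report.py]
interval = 0 2 * * *

[script://./bin/health_check.sh]
disabled = 1
interval = 3600
"""

# Five whitespace-separated fields: Splunk also accepts cron syntax for interval.
CRON_RE = re.compile(r"^\S+\s+\S+\s+\S+\s+\S+\s+\S+$")


@dataclass
class Finding:
    stanza: str     # full stanza header, e.g. script://./bin/run.ps1
    script: str     # script path after the script:// prefix
    interval: str   # raw interval value, "" when not set
    severity: str   # "high" or "review"
    reason: str


def parse_inputs_conf(text: str) -> configparser.ConfigParser:
    """Parse Splunk .conf text; the format is INI-like, so configparser suffices."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return cp


def audit_scripted_inputs(text: str, short_interval: int = 60) -> List[Finding]:
    """Return one Finding per enabled [script://...] stanza, rated by its schedule."""
    cp = parse_inputs_conf(text)
    findings: List[Finding] = []
    for section in cp.sections():
        if not section.startswith("script://"):
            continue
        stanza = cp[section]
        if stanza.get("disabled", "0").strip().lower() in ("1", "true"):
            continue  # disabled inputs never execute
        script = section[len("script://"):]
        interval = stanza.get("interval", "").strip()
        if interval == "":
            severity, reason = "review", "enabled scripted input using the default interval"
        elif CRON_RE.match(interval):
            severity, reason = "review", "cron-scheduled scripted input"
        elif interval == "-1":
            severity, reason = "review", "runs once at splunkd start (assumed semantics)"
        elif interval.replace(".", "", 1).isdigit() and float(interval) <= short_interval:
            severity, reason = "high", f"re-executes every {interval}s (beacon-like)"
        else:
            severity, reason = "review", f"re-executes every {interval}s"
        findings.append(Finding(section, script, interval, severity, reason))
    return findings


if __name__ == "__main__":
    for f in audit_scripted_inputs(SAMPLE_INPUTS_CONF):
        print(f"[{f.severity}] {f.script}: {f.reason}")
```

Run it against the inputs.conf of every app under etc/apps (and, on a deployment server, under etc/deployment-apps) and compare the scripts it lists with the apps you expect to be installed; a high-severity hit on a script that nobody recognises is worth pulling the file and the app's upload time from the audit logs.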
To-do
Stuff that I found but haven't read or used yet.
- Splunkd, Splunk management, communication with Splunk REST API