Splunk


Splunk is a log analytics tool used to gather, analyze and visualize data. Though not originally intended to be a SIEM tool, Splunk is often used for security monitoring and business analytics. Splunk deployments are often used to house sensitive data and could provide a wealth of information for an attacker if compromised.

It was initially discovered that the target system is running an instance of Splunk 8.0.5 on port 8089 over SSL. Later, I was able to find the exact process as well.

shaun@doctor:/opt$ ll
total 16
drwxr-xr-x  4 root   root   4096 Sep  6  2020 ./
drwxr-xr-x 20 root   root   4096 Sep 15  2020 ../
drwxrwxr-x  2 root   root   4096 Sep  7  2020 clean/
drwxr-xr-x  9 splunk splunk 4096 mär  9 11:51 splunkforwarder/

The /opt directory has a sub-directory that, as the name suggests, seems to be the home directory of the Splunk instance.

shaun@doctor:/opt/splunkforwarder$ ll
total 180
drwxr-xr-x  9 splunk splunk  4096 mär  9 11:51 ./
drwxr-xr-x  4 root   root    4096 Sep  6  2020 ../
drwxr-xr-x  3 splunk splunk  4096 Sep  6  2020 bin/
-r--r--r--  1 splunk splunk    57 Jul  8  2020 copyright.txt
drwxr-xr-x 13 splunk splunk  4096 Sep 28  2020 etc/
drwxr-xr-x  2 splunk splunk  4096 Sep  6  2020 include/
drwxr-xr-x  5 splunk splunk  4096 Sep  6  2020 lib/
-r--r--r--  1 splunk splunk 85709 Jul  8  2020 license-eula.txt
drwxr-xr-x  3 splunk splunk  4096 Sep  6  2020 openssl/
-r--r--r--  1 splunk splunk   841 Jul  8  2020 README-splunk.txt
drwxr-xr-x  4 splunk splunk  4096 Sep  6  2020 share/
-r--r--r--  1 splunk splunk 50969 Jul  8  2020 splunkforwarder-8.0.5-a1a6394cc5ae-linux-2.6-x86_64-manifest
drwx--x---  6 root   root    4096 Sep  6  2020 var/

I am unable to read pretty much any of the important files.

Then I realized that there is a web GUI. I was unable to proceed further, as some of these require authentication.

Since I got a credential and was able to validate it by making a lateral movement, I will test for password reuse again here.

I was able to log in using the credential of the shaun user. Password reuse is confirmed here again.

The thing with Splunk is that once I know any valid credentials, I can abuse the Splunk service to execute a shell as the user running Splunk. If root is running it, I can escalate privileges to root.
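From the defender's side, the two conditions that turn a reused credential into a root shell on this host are that splunkd runs as root and that the management port 8089 is reachable from the network. The script below is an added audit example, not part of this writeup or of Splunk's own tooling: it parses constructed sample output of `ps -eo user,pid,comm` and `ss -Hltnp` (the column layouts and the sample PIDs are assumptions) and reports both conditions, so it can be run offline against captured output or wired to the live commands.

```python
"""Audit a Splunk forwarder host for root-owned splunkd processes and a
management port bound to a non-loopback address.

The ps/ss samples below are constructed for this example; on a real host,
feed the output of `ps -eo user,pid,comm` and `ss -Hltnp` instead."""

# Constructed sample of `ps -eo user,pid,comm` on an unhardened host
PS_SAMPLE = """\
USER       PID COMMAND
root         1 systemd
root      1234 splunkd
root      1240 splunkd
shaun     2001 bash
"""

# Constructed sample of `ss -Hltnp` on the same host
SS_SAMPLE = """\
LISTEN 0 128 0.0.0.0:8089 0.0.0.0:* users:(("splunkd",pid=1234,fd=5))
LISTEN 0 128 127.0.0.1:631 0.0.0.0:* users:(("cupsd",pid=800,fd=7))
"""

# Local addresses that are only reachable from the host itself
LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def splunkd_owners(ps_output):
    """Return the set of users that own a splunkd process."""
    owners = set()
    for line in ps_output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[2] == "splunkd":
            owners.add(parts[0])
    return owners


def exposed_listeners(ss_output, port=8089):
    """Return the local addresses on which `port` listens beyond loopback."""
    exposed = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        # Local address column looks like 0.0.0.0:8089, [::]:8089 or *:8089;
        # split on the last colon so IPv6 literals are handled too.
        addr, _, lport = parts[3].rpartition(":")
        if lport == str(port) and addr not in LOOPBACK:
            exposed.append(addr)
    return exposed


def audit(ps_output, ss_output, port=8089):
    """Combine both checks into a list of findings (empty means hardened)."""
    findings = []
    if "root" in splunkd_owners(ps_output):
        findings.append(
            "splunkd runs as root: any valid Splunk credential yields root on this host"
        )
    for addr in exposed_listeners(ss_output, port):
        findings.append(
            f"management port {port} bound to {addr}, reachable from the network"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(PS_SAMPLE, SS_SAMPLE) or ["no findings"]:
        print(finding)
```

Both findings have documented fixes: run the forwarder as a dedicated low-privilege account (`splunk enable boot-start -user splunk` re-registers the service that way) and bind the management port to loopback via `mgmtHostPort` in web.conf, so that even a reused credential no longer reaches a root-owned process from the network.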

Moving on to Privilege Escalation