Compromising Splunk
This page discusses how to build a test environment to practice compromising Splunk.
Every so often I will come across a Splunk server that is either using default/weak credentials or started off as an Enterprise trial and was downgraded to the free edition.
The Enterprise trial downgraded to the free edition is the most interesting because it doesn't prompt for authentication and simply goes straight to the main page 😈
Building the test environment
1. A Windows operating system. I'm using Server 2012 R2, but any Windows server/desktop OS should work.
2. Splunk, which can be downloaded from https://download.splunk.com/products/splunk/releases/7.1.1/windows/splunk-7.1.1-8f0ead9ec3db-x64-release.msi
3. Use the PowerShell script below to automate the install process.
    function Install-Splunk {
        [CmdletBinding()]
        param(
            [Parameter(HelpMessage = "Enter Splunk MSI URL, defaults to downloading 7.1.1")]
            [string]$SplunkUrl,
            [Parameter(HelpMessage = "Enter splunk password: Defaults to changeme")]
            [string]$SplunkPassword
        )

        # Work out which installer to fetch and where to save it
        if ($SplunkUrl) {
            $SplunkMSI = Split-Path $SplunkUrl -Leaf
            $SplunkPath = "C:\Windows\Temp\$SplunkMSI"
            Write-Host -ForegroundColor Green "[+] Downloading splunk from $SplunkUrl and saving to $SplunkPath"
        }
        else {
            $SplunkUrl = "https://download.splunk.com/products/splunk/releases/7.1.1/windows/splunk-7.1.1-8f0ead9ec3db-x64-release.msi"
            $SplunkPath = "C:\windows\temp\splunk-7.1.1-8f0ead9ec3db-x64-release.msi"
            Write-Host -ForegroundColor Green "[-] Defaulting to downloading Version 7.1.1"
        }

        # Use TLS 1.2 for the download
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        (New-Object System.Net.WebClient).DownloadFile($SplunkUrl, $SplunkPath)

        # Fall back to the lab default password when none is supplied
        if ($SplunkPassword) {
            Write-Host -ForegroundColor Green "[+] Setting password to $SplunkPassword"
        }
        else {
            Write-Host -ForegroundColor Green "[-] Defaulting password to changeme"
            $SplunkPassword = "changeme"
        }

        # Install with msiexec; path and password are quoted so values containing spaces survive
        Write-Host -ForegroundColor Green "[+] Installing Splunk"
        Start-Process -Wait C:\Windows\System32\msiexec.exe -ArgumentList "/I `"$SplunkPath`" AGREETOLICENSE=Yes SPLUNKPASSWORD=`"$SplunkPassword`" /passive" -PassThru
        Write-Host "Splunk installation complete!"
    }
4. To use version 7.1.1 (the version in this example) and the default password, simply run the script and it will set everything to the defaults.
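
To confirm whether a local install is in the free-edition state described at the top of this page, the check below reads the license group from the Splunk configuration. It is an added example, not part of the original page; the function name Get-SplunkLicenseGroup is hypothetical, and it assumes the default install path and that the group is recorded as active_group under [license] in server.conf.

```powershell
# Added example: report which license group a local Splunk install is using.
# Assumptions: default install path, and that the active group is stored as
# "active_group" under [license] in server.conf (system\local overrides system\default).
function Get-SplunkLicenseGroup {
    [CmdletBinding()]
    param(
        [string]$SplunkHome = "C:\Program Files\Splunk"
    )

    # Lowest precedence first, so a value in a later file overrides an earlier one
    $confFiles = @(
        (Join-Path $SplunkHome "etc\system\default\server.conf"),
        (Join-Path $SplunkHome "etc\system\local\server.conf")
    )

    $group = $null
    foreach ($file in $confFiles) {
        if (-not (Test-Path -LiteralPath $file)) { continue }
        $stanza = ""
        foreach ($line in Get-Content -LiteralPath $file) {
            $line = $line.Trim()
            # Track the current [stanza]; only [license] is of interest here
            if ($line -match '^\[(.+)\]$') { $stanza = $Matches[1]; continue }
            if ($stanza -eq 'license' -and $line -match '^active_group\s*=\s*(\S+)') {
                $group = $Matches[1]
            }
        }
    }

    [pscustomobject]@{
        SplunkHome    = $SplunkHome
        LicenseGroup  = $group
        # Per this page, an instance downgraded to the free edition does not prompt for a login
        NoLoginPrompt = ($group -eq 'Free')
    }
}

# Constructed sample: a minimal server.conf in a temp folder, so the check runs without Splunk installed
$demo = Join-Path $env:TEMP "splunk-demo"
New-Item -ItemType Directory -Force -Path (Join-Path $demo "etc\system\local") | Out-Null
Set-Content -Path (Join-Path $demo "etc\system\local\server.conf") -Value @(
    "[general]", "serverName = LAB01", "", "[license]", "active_group = Free")
Get-SplunkLicenseGroup -SplunkHome $demo
```

Run it without -SplunkHome on the lab server to check the real install.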