search

Compromising Splunk

This page will discuss how to build a test environment to practice compromising splunk

Ever so often i will come across a Splunk server that is either using default/weak credentials or started off as an Enterprise trial and downgraded to the free edition.

The Enterprise trial downgraded to free edition is the most interesting because it doesn't prompt for authentication and simply goes straight to the main page 😈

hashtag
Building the test environment

  1. Windows operating system. I'm using server 2012 R2 but any windows server/desktop OS should work

  2. Splunk which can be downloaded from https://download.splunk.com/products/splunk/releases/7.1.1/windows/splunk-7.1.1-8f0ead9ec3db-x64-release.msiarrow-up-right

  3. Use the below PowerShell script to automate the install process.

Install-Splunk.ps1
function Install-Splunk {
    [cmdletbinding()]
    param(
        [Parameter(HelpMessage = "Enter Splunk MSI URL, defaults to downloading 7.1.1")]
        [string]$SplunkUrl,

        [Parameter(HelpMessage = "Enter splunk password: Defaults to changeme")]
        [string]$SplunkPassword
    )

    if ($SplunkUrl) {

        $SplunkMSI = Split-Path $SplunkUrl -Leaf

        $SplunkPath = "C:\Windows\Temp\$SplunkMSI"

        Write-Host -ForegroundColor Green "[+] Downloading splunk from $SplunkUrl and saving to $SplunkPath"
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        (New-Object System.Net.WebClient).DownloadFile($SplunkUrl, $SplunkPath)
    }

    if (!($SplunkUrl)) {

        $SplunkUrl = "https://download.splunk.com/products/splunk/releases/7.1.1/windows/splunk-7.1.1-8f0ead9ec3db-x64-release.msi"
        $SplunkPath = "C:\windows\temp\splunk-7.1.1-8f0ead9ec3db-x64-release.msi"

        Write-Host -ForegroundColor Green "[-] Defaulting to downloading Version 7.1.1"

        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        (New-Object System.Net.WebClient).DownloadFile($SplunkUrl, $SplunkPath)
    }


    if ($SplunkPassword) {

        Write-Host -ForegroundColor Green "[+] Setting password to $SplunkPassword"
    }

    else {

        Write-Host -ForegroundColor Green "[-] Defaulting password to changeme"
        $SplunkPassword = "changeme"
    }

    Write-Host -ForegroundColor Green "[+] Installing Splunk"  
    Start-Process -Wait C:\Windows\System32\msiexec.exe -ArgumentList "/I $SplunkPath AGREETOLICENSE=Yes SPLUNKPASSWORD=$SplunkPassword /passive" -PassThru

    Write-Host "Splunk installation complete!"

4. To use version 7.1.1 (version in this example) and the default password simply run the script and it will set everything to the defaults.

PreviousCompromising Jenkins

Last updated