Compromising Splunk

This page discusses how to build a test environment to practice compromising Splunk.

Every so often I will come across a Splunk server that is either using default/weak credentials or started off as an Enterprise trial and was downgraded to the free edition.

The Enterprise trial downgraded to free edition is the most interesting because it doesn't prompt for authentication and simply goes straight to the main page 😈

Building the test environment

  1. Windows operating system. I'm using Server 2012 R2, but any Windows server/desktop OS should work.

  2. Use the below PowerShell script to automate the install process.

Install-Splunk.ps1
function Install-Splunk {
    [cmdletbinding()]
    param(
        [Parameter(HelpMessage = "Enter Splunk MSI URL, defaults to downloading 7.1.1")]
        [string]$SplunkUrl,

        [Parameter(HelpMessage = "Enter splunk password: Defaults to changeme")]
        [string]$SplunkPassword
    )

    if ($SplunkUrl) {

        $SplunkMSI = Split-Path $SplunkUrl -Leaf

        $SplunkPath = "C:\Windows\Temp\$SplunkMSI"

        Write-Host -ForegroundColor Green "[+] Downloading splunk from $SplunkUrl and saving to $SplunkPath"
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        (New-Object System.Net.WebClient).DownloadFile($SplunkUrl, $SplunkPath)
    }

    if (!($SplunkUrl)) {

        $SplunkUrl = "https://download.splunk.com/products/splunk/releases/7.1.1/windows/splunk-7.1.1-8f0ead9ec3db-x64-release.msi"
        $SplunkPath = "C:\windows\temp\splunk-7.1.1-8f0ead9ec3db-x64-release.msi"

        Write-Host -ForegroundColor Green "[-] Defaulting to downloading Version 7.1.1"

        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        (New-Object System.Net.WebClient).DownloadFile($SplunkUrl, $SplunkPath)
    }


    if ($SplunkPassword) {

        Write-Host -ForegroundColor Green "[+] Setting password to $SplunkPassword"
    }

    else {

        Write-Host -ForegroundColor Green "[-] Defaulting password to changeme"
        $SplunkPassword = "changeme"
    }

    Write-Host -ForegroundColor Green "[+] Installing Splunk"
    # Unattended MSI install: accepts the license and sets the admin password
    Start-Process -Wait C:\Windows\System32\msiexec.exe -ArgumentList "/I $SplunkPath AGREETOLICENSE=Yes SPLUNKPASSWORD=$SplunkPassword /passive" -PassThru

    Write-Host "Splunk installation complete!"
}

  4. To use version 7.1.1 (the version in this example) and the default password, simply run the script and it will set everything to the defaults.
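
Once the lab is built, it helps to confirm which license group the instance is in, since the Free edition is the case described above that skips the login prompt. The following is an added example, not part of Install-Splunk.ps1 or the original page. It assumes the license group is recorded as `active_group` in the `[license]` stanza of server.conf; the function names, the sample config and the install path in the last comment are hypothetical.

```powershell
# Added example, not part of Install-Splunk.ps1.
# Assumption: the license group is stored as "active_group" in the [license]
# stanza of server.conf (values such as Enterprise, Trial, Forwarder, Free).

function Get-SplunkLicenseGroup {
    param([string[]]$ConfLines)
    $stanza = ''
    $group  = $null
    foreach ($line in $ConfLines) {
        $text = $line.Trim()
        if ($text -eq '' -or $text.StartsWith('#')) { continue }   # blank line or comment
        if ($text -match '^\[(.+)\]$') { $stanza = $Matches[1]; continue }
        if ($stanza -eq 'license' -and $text -match '^active_group\s*=\s*(\S+)') {
            $group = $Matches[1]    # a later duplicate key overrides an earlier one
        }
    }
    return $group
}

function Test-SplunkLicenseGroup {
    param([string[]]$ConfLines)
    $group = Get-SplunkLicenseGroup -ConfLines $ConfLines
    [pscustomobject]@{
        LicenseGroup  = if ($group) { $group } else { '(not set in this file)' }
        NoLoginPrompt = ($group -eq 'Free')   # the condition this page describes
    }
}

# Constructed sample input (not taken from a real server)
$sample = @'
# constructed server.conf for illustration
[general]
serverName = LAB-SPLUNK01

[license]
active_group = Free
'@ -split "`r?`n"

Test-SplunkLicenseGroup -ConfLines $sample

# Against the lab install (hypothetical default path; adjust to your SPLUNK_HOME):
# Test-SplunkLicenseGroup -ConfLines (Get-Content 'C:\Program Files\Splunk\etc\system\local\server.conf')
```

For the constructed sample, the result reports the Free group with `NoLoginPrompt` set to true; a file with no `[license]` stanza reports the group as not set.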
