Every so often I will come across a Splunk server that is either using default/weak credentials or started off as an Enterprise trial and was downgraded to the free edition.
The Enterprise trial downgraded to free edition is the most interesting because it doesn't prompt for authentication and simply goes straight to the main page.
Building the test environment
1. Windows operating system. I'm using Server 2012 R2, but any Windows server/desktop OS should work.
2. Splunk which can be downloaded from
3. Use the below PowerShell script to automate the install process.
Install-Splunk.ps1
function Install-Splunk {
    [cmdletbinding()]
    param(
        [Parameter(HelpMessage = "Enter Splunk MSI URL, defaults to downloading 7.1.1")]
        [string]$SplunkUrl,
        [Parameter(HelpMessage = "Enter splunk password: Defaults to changeme")]
        [string]$SplunkPassword
    )

    # A URL was supplied: download that MSI into C:\Windows\Temp
    if ($SplunkUrl) {
        $SplunkMSI = Split-Path $SplunkUrl -Leaf
        $SplunkPath = "C:\Windows\Temp\$SplunkMSI"
        Write-Host -ForegroundColor Green "[+] Downloading splunk from $SplunkUrl and saving to $SplunkPath"
        # Force TLS 1.2 for the download
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        (New-Object System.Net.WebClient).DownloadFile($SplunkUrl, $SplunkPath)
    }

    # No URL supplied: fall back to the 7.1.1 release
    if (!($SplunkUrl)) {
        $SplunkUrl = "https://download.splunk.com/products/splunk/releases/7.1.1/windows/splunk-7.1.1-8f0ead9ec3db-x64-release.msi"
        $SplunkPath = "C:\windows\temp\splunk-7.1.1-8f0ead9ec3db-x64-release.msi"
        Write-Host -ForegroundColor Green "[-] Defaulting to downloading Version 7.1.1"
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        (New-Object System.Net.WebClient).DownloadFile($SplunkUrl, $SplunkPath)
    }

    # Use the supplied admin password, or the lab default
    if ($SplunkPassword) {
        Write-Host -ForegroundColor Green "[+] Setting password to $SplunkPassword"
    }
    else {
        Write-Host -ForegroundColor Green "[-] Defaulting password to changeme"
        $SplunkPassword = "changeme"
    }

    # Install via msiexec and wait for it to finish
    Write-Host -ForegroundColor Green "[+] Installing Splunk"
    Start-Process -Wait C:\Windows\System32\msiexec.exe -ArgumentList "/I $SplunkPath AGREETOLICENSE=Yes SPLUNKPASSWORD=$SplunkPassword /passive" -PassThru
    Write-Host "Splunk installation complete!"
}
4. To use version 7.1.1 (the version in this example) and the default password, simply run the script and it will set everything to the defaults.
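
A defender-side check for the condition described at the top of this post, as an added example that is not part of the original post: it reads the `[license]` stanza of a Splunk `server.conf` and warns when `active_group` is `Free`. The function name, the constructed sample config and the default install path are assumptions.

```powershell
# Added example (not from the original post). Reads a Splunk server.conf and
# returns the active_group value of its [license] stanza, or $null if unset.
function Get-SplunkLicenseGroup {
    [CmdletBinding()]
    param([string[]]$ConfLines)

    $inLicense = $false
    $group = $null
    foreach ($raw in $ConfLines) {
        $line = "$raw".Trim()
        if ($line -eq '' -or $line.StartsWith('#')) { continue }   # skip blanks and comments
        if ($line -match '^\[(.+)\]$') {
            # Track whether we are inside the [license] stanza
            $inLicense = ($Matches[1].Trim() -eq 'license')
            continue
        }
        if ($inLicense -and $line -match '^active_group\s*=\s*(\S+)') {
            $group = $Matches[1]    # a later assignment overrides an earlier one
        }
    }
    return $group
}

# Constructed sample input, not taken from a real host.
$sample = @'
[general]
serverName = LAB-SPLUNK01

[license]
active_group = Free
'@ -split "`r?`n"

# Assumption: default Windows install path; adjust for your lab.
$confPath = 'C:\Program Files\Splunk\etc\system\local\server.conf'
$lines = if (Test-Path -LiteralPath $confPath) { Get-Content -LiteralPath $confPath } else { $sample }

$group = Get-SplunkLicenseGroup -ConfLines $lines
if ($group -eq 'Free') {
    Write-Warning "License group is Free: Splunk Web will not prompt for authentication."
} elseif ($null -eq $group) {
    Write-Host "active_group is not set in this file."
} else {
    Write-Host "License group: $group"
}
```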