2 :8089 splunkd
https://doctor.htb:8089/
Splunk Atom Feed: splunkd
| Splunk build: 8.0.5
https://doctor.htb:8089/robots.txt
User-agent: *
Disallow: /
https://doctor.htb:8089/rpc
Invalid request
https://doctor.htb:8089/services | https://doctor.htb:8089/servicesNS
Needs user:pass
# default creds admin:changeme didn't work
$ gobuster dir -u https://doctor.htb:8089 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 80 -k
===============================================================
/services (Status: 401) [Size: 130]
/v2 (Status: 200) [Size: 2168]
/robots.txt (Status: 200) [Size: 26]
/v1 (Status: 200) [Size: 2168]
/v3 (Status: 200) [Size: 2168]
/v4 (Status: 200) [Size: 2168]
/v5 (Status: 200) [Size: 2168]
/v6 (Status: 200) [Size: 2168]
/v7 (Status: 200) [Size: 2168]
/v10 (Status: 200) [Size: 2168]
/v11 (Status: 200) [Size: 2168]
/v8 (Status: 200) [Size: 2168]
/v15 (Status: 200) [Size: 2168]
/v0 (Status: 200) [Size: 2168]
/v01 (Status: 200) [Size: 2168]
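Added example (not part of the original notes): a small triage script for the gobuster output above. It groups hits by status code and response size so that paths returning an identical response stand apart from the distinct ones. Reading a repeated (status, size) pair as a probable catch-all response is a heuristic, and the min_repeat threshold is an assumption.

```python
import re
from collections import defaultdict

# Result lines copied from the gobuster run above.
GOBUSTER_OUTPUT = """\
/services (Status: 401) [Size: 130]
/v2 (Status: 200) [Size: 2168]
/robots.txt (Status: 200) [Size: 26]
/v1 (Status: 200) [Size: 2168]
/v3 (Status: 200) [Size: 2168]
/v4 (Status: 200) [Size: 2168]
/v5 (Status: 200) [Size: 2168]
/v6 (Status: 200) [Size: 2168]
/v7 (Status: 200) [Size: 2168]
/v10 (Status: 200) [Size: 2168]
/v11 (Status: 200) [Size: 2168]
/v8 (Status: 200) [Size: 2168]
/v15 (Status: 200) [Size: 2168]
/v0 (Status: 200) [Size: 2168]
/v01 (Status: 200) [Size: 2168]
"""

LINE_RE = re.compile(r"^(/\S*)\s+\(Status:\s*(\d{3})\)\s+\[Size:\s*(\d+)\]")

def parse_results(text):
    """Return (path, status, size) tuples, skipping banner/separator lines."""
    hits = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [(m[1], int(m[2]), int(m[3])) for m in hits if m]

def triage(rows, min_repeat=3):
    """Split paths into distinct responses and probable catch-all groups.
    min_repeat (assumed threshold): how many paths must share one
    (status, size) pair before the group is treated as a catch-all.
    """
    groups = defaultdict(list)
    for path, status, size in rows:
        groups[(status, size)].append(path)
    distinct, catch_all = [], {}
    for key, paths in groups.items():
        if len(paths) >= min_repeat:
            catch_all[key] = sorted(paths)
        else:
            distinct.extend(paths)
    return sorted(distinct), catch_all

if __name__ == "__main__":
    distinct, catch_all = triage(parse_results(GOBUSTER_OUTPUT))
    print("distinct responses:", distinct)
    for (status, size), paths in catch_all.items():
        print(f"{len(paths)} paths share status {status}, size {size}: {paths}")
```

On this output only /services and /robots.txt come back as distinct; the 13 /vN paths fall into one (200, 2168) group.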
# reference links
https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/
https://www.exploit-db.com/exploits/18245
https://github.com/airman604/splunk_whisperer
https://chryzsh.github.io/notpublished/2019-10-02-rce-on-endpoints-splunk-magic/
https://github.com/vartai-security/reverse_shell_splunk
https://threat.tevora.com/penetration-testing-with-splunk-leveraging-splunk-admin-credentials-to-own-the-enterprise/
http://downloads.jordan2000.com/splunk/Splunk-Common-Network-Ports-ver1.6.png
https://www.learnsplunk.com/splunk-troubleshooting.htmldpc