2 :80 splunkd

https://doctor.htb:8089/
Splunk Atom Feed: splunkd
| Splunk build: 8.0.5

https://doctor.htb:8089/robots.txt
User-agent: *
Disallow: /

https://doctor.htb:8089/rpc
Invalid request

https://doctor.htb:8089/services | https://doctor.htb:8089/servicesNS
Needs user:pass

# default creds admin:changeme didn't work

$ gobuster dir -u https://doctor.htb:8089 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt -t 80 -k
===============================================================
/services             (Status: 401) [Size: 130]
/v2                   (Status: 200) [Size: 2168]
/robots.txt           (Status: 200) [Size: 26]
/v1                   (Status: 200) [Size: 2168]
/v3                   (Status: 200) [Size: 2168]
/v4                   (Status: 200) [Size: 2168]
/v5                   (Status: 200) [Size: 2168]
/v6                   (Status: 200) [Size: 2168]
/v7                   (Status: 200) [Size: 2168]
/v10                  (Status: 200) [Size: 2168]
/v11                  (Status: 200) [Size: 2168]
/v8                   (Status: 200) [Size: 2168]
/v15                  (Status: 200) [Size: 2168]
/v0                   (Status: 200) [Size: 2168]
/v01                  (Status: 200) [Size: 2168]

# reference links
https://eapolsniper.github.io/2020/08/14/Abusing-Splunk-Forwarders-For-RCE-And-Persistence/
https://www.exploit-db.com/exploits/18245
https://github.com/airman604/splunk_whisperer
https://chryzsh.github.io/notpublished/2019-10-02-rce-on-endpoints-splunk-magic/
https://github.com/vartai-security/reverse_shell_splunk
https://threat.tevora.com/penetration-testing-with-splunk-leveraging-splunk-admin-credentials-to-own-the-enterprise/
http://downloads.jordan2000.com/splunk/Splunk-Common-Network-Ports-ver1.6.png
https://www.learnsplunk.com/splunk-troubleshooting.htmldpc
