{"id":2878,"date":"2015-03-26T17:08:40","date_gmt":"2015-03-26T17:08:40","guid":{"rendered":"https:\/\/dn-www.azurewebsites.net\/2015\/03\/26\/splunk-web-shell\/"},"modified":"2024-02-06T10:25:50","modified_gmt":"2024-02-06T10:25:50","slug":"splunk-web-shell","status":"publish","type":"post","link":"https:\/\/dionach.com\/nl\/splunk-web-shell\/","title":{"rendered":"Splunk Web Shell"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"2878\" class=\"elementor elementor-2878\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-283800a7 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"283800a7\" data-element_type=\"section\" data-e-type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-fbdad5d\" data-id=\"fbdad5d\" data-element_type=\"column\" data-e-type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-69d17a0d elementor-widget elementor-widget-text-editor\" data-id=\"69d17a0d\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t\t\t<p>Now and then, while performing internal penetration tests we come across Splunk default installs where system users can log in as \u201cadmin\u201d and are granted the associated privileges without having to authenticate. Splunk is based on Django, and among the options it gives you when accessing the admin panel is one that is particularly attractive from an attacker&#8217;s point of view: Apps. 
Splunk allows installing custom apps from a number of sources, including from a local file, as shown below:<\/p>\n<p><img decoding=\"async\" style=\"border: 1px solid; width: 544px; height: 410px;\" title=\"Splunk Admin Panel\" src=\"\/wp-content\/uploads\/files\/splunk1.jpg\"><\/p>\n<p>During the last internal penetration test I carried out, I found one of these Splunk admin panels. After searching around for a bit I could not find a web shell that would successfully allow me to execute system commands when I uploaded it through the &#8220;custom app install&#8221; option &#8211; so I developed a simple but useful one of my own. Splunk apps need to follow Django conventions regarding the files needed and their structure, and most of the time they also make use of Splunk&#8217;s API. The documentation is quite good, so it didn&#8217;t take me too long to figure it out. After writing the code, I had to convert the app folder to .tar.gz, as this is the format, along with .zip, that Splunk expects. After that, all I had to do was click on the &#8220;Install app from file&#8221; and follow the instructions. Once the app has been successfully installed, this is what it looks like when you access it:<\/p>\n<p><img decoding=\"async\" style=\"border: 1px solid; width: 482px; height: 207px;\" title=\"Splunk Web Shell 1\" src=\"\/wp-content\/uploads\/files\/splunk2.jpg\"><\/p>\n<p>The interface is quite nice, as I used jQuery&#8217;s terminal emulator to make it a little bit more user-friendly than the typical &#8220;?CMD=&#8221; GET-request-based web shell. Below is a screenshot of the app running a couple of commands. <img decoding=\"async\" style=\"border: 1px solid;\" title=\"Splunk Web Shell 2\" src=\"\/wp-content\/uploads\/files\/splunk3.jpg\"><\/p>\n<p>Please note that as it is configured at the moment, the app requires access to the admin panel first. 
This was done on purpose to avoid random access to the web shell, but this is easily modifiable in the source code if the situation requires it. The source code as well as the ready to go .tar.gz files can be found at: <a href=\"https:\/\/github.com\/Dionach\/Splunk-Web-Shell\">https:\/\/github.com\/Dionach\/Splunk-Web-Shell<\/a><\/p><p><br><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Now and then, while performing internal penetration tests we come across Splunk default installs where system users can log in as \u201cadmin\u201d and are granted the associated privileges without having to authenticate. Splunk is based on Django, and among the options it gives you when accessing the admin panel is one that is particularly attractive [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1],"tags":[209,207],"class_list":["post-2878","post","type-post","status-publish","format-standard","hentry","category-researchblog","tag-infrastructure","tag-web_applications","wpbf-post"],"contentshake_article_id":"","yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.2 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Splunk Web Shell<\/title>\n<meta name=\"description\" content=\"Now and then, while performing internal penetration tests we come across Splunk default installs where system users can log in as \u201cadmin\u201d and are granted\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/dionach.com\/nl\/splunk-web-shell\/\" \/>\n<meta property=\"og:locale\" content=\"nl_NL\" 
\/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Splunk Web Shell\" \/>\n<meta property=\"og:description\" content=\"Now and then, while performing internal penetration tests we come across Splunk default installs where system users can log in as \u201cadmin\u201d and are granted\" \/>\n<meta property=\"og:url\" content=\"https:\/\/dionach.com\/nl\/splunk-web-shell\/\" \/>\n<meta property=\"og:site_name\" content=\"Dionach\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/dionachcyber\" \/>\n<meta property=\"article:published_time\" content=\"2015-03-26T17:08:40+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-02-06T10:25:50+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/i0.wp.com\/dionach.com\/wp-content\/uploads\/2025\/02\/cropped-Dionach-vertical-col-yel-nomios-black-1.jpg?fit=512%2C512&ssl=1\" \/>\n\t<meta property=\"og:image:width\" content=\"512\" \/>\n\t<meta property=\"og:image:height\" content=\"512\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Dionach Admin\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@dionachcyber\" \/>\n<meta name=\"twitter:site\" content=\"@dionachcyber\" \/>\n<meta name=\"twitter:label1\" content=\"Geschreven door\" \/>\n\t<meta name=\"twitter:data1\" content=\"Dionach Admin\" \/>\n\t<meta name=\"twitter:label2\" content=\"Geschatte leestijd\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minuten\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/dionach.com\/nl\/splunk-web-shell\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/dionach.com\/nl\/splunk-web-shell\/\"},\"author\":{\"name\":\"Dionach 
Admin\",\"@id\":\"https:\/\/dionach.com\/nl\/#\/schema\/person\/e73f3537233924cf4944f7807068b3c8\"},\"headline\":\"Splunk Web Shell\",\"datePublished\":\"2015-03-26T17:08:40+00:00\",\"dateModified\":\"2024-02-06T10:25:50+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/dionach.com\/nl\/splunk-web-shell\/\"},\"wordCount\":358,\"publisher\":{\"@id\":\"https:\/\/dionach.com\/nl\/#organization\"},\"keywords\":[\"infrastructure\",\"web applications\"],\"articleSection\":[\"researchblog\"],\"inLanguage\":\"nl-NL\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/dionach.com\/nl\/splunk-web-shell\/\",\"url\":\"https:\/\/dionach.com\/nl\/splunk-web-shell\/\",\"name\":\"Splunk Web Shell\",\"isPartOf\":{\"@id\":\"https:\/\/dionach.com\/nl\/#website\"},\"datePublished\":\"2015-03-26T17:08:40+00:00\",\"dateModified\":\"2024-02-06T10:25:50+00:00\",\"description\":\"Now and then, while performing internal penetration tests we come across Splunk default installs where system users can log in as \u201cadmin\u201d and are granted\",\"breadcrumb\":{\"@id\":\"https:\/\/dionach.com\/nl\/splunk-web-shell\/#breadcrumb\"},\"inLanguage\":\"nl-NL\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/dionach.com\/nl\/splunk-web-shell\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/dionach.com\/nl\/splunk-web-shell\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/dionach.com\/nl\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Splunk Web Shell\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/dionach.com\/nl\/#website\",\"url\":\"https:\/\/dionach.com\/nl\/\",\"name\":\"Dionach\",\"description\":\"Real Security in a Virtual 
World\",\"publisher\":{\"@id\":\"https:\/\/dionach.com\/nl\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/dionach.com\/nl\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"nl-NL\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/dionach.com\/nl\/#organization\",\"name\":\"Dionach\",\"url\":\"https:\/\/dionach.com\/nl\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"nl-NL\",\"@id\":\"https:\/\/dionach.com\/nl\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.dionach.com\/wp-content\/uploads\/2025\/02\/cropped-Dionach-vertical-col-yel-nomios-black-1.jpg\",\"contentUrl\":\"https:\/\/www.dionach.com\/wp-content\/uploads\/2025\/02\/cropped-Dionach-vertical-col-yel-nomios-black-1.jpg\",\"width\":512,\"height\":512,\"caption\":\"Dionach\"},\"image\":{\"@id\":\"https:\/\/dionach.com\/nl\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/dionachcyber\",\"https:\/\/x.com\/dionachcyber\",\"https:\/\/uk.linkedin.com\/company\/dionach-ltd\",\"https:\/\/www.instagram.com\/dionachcyber\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/dionach.com\/nl\/#\/schema\/person\/e73f3537233924cf4944f7807068b3c8\",\"name\":\"Dionach Admin\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"nl-NL\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/3061726a64a760303f6ea8f0976d3e8e0a6997b4da543be9a650b81584b4e79e?s=96&d=mm&r=g\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/3061726a64a760303f6ea8f0976d3e8e0a6997b4da543be9a650b81584b4e79e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/3061726a64a760303f6ea8f0976d3e8e0a6997b4da543be9a650b81584b4e79e?s=96&d=mm&r=g\",\"caption\":\"Dionach Admin\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Splunk Web Shell","description":"Now and then, while performing internal penetration tests we come across Splunk default installs where system users can log in as \u201cadmin\u201d and are granted","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/dionach.com\/nl\/splunk-web-shell\/","og_locale":"nl_NL","og_type":"article","og_title":"Splunk Web Shell","og_description":"Now and then, while performing internal penetration tests we come across Splunk default installs where system users can log in as \u201cadmin\u201d and are granted","og_url":"https:\/\/dionach.com\/nl\/splunk-web-shell\/","og_site_name":"Dionach","article_publisher":"https:\/\/www.facebook.com\/dionachcyber","article_published_time":"2015-03-26T17:08:40+00:00","article_modified_time":"2024-02-06T10:25:50+00:00","og_image":[{"width":512,"height":512,"url":"https:\/\/i0.wp.com\/dionach.com\/wp-content\/uploads\/2025\/02\/cropped-Dionach-vertical-col-yel-nomios-black-1.jpg?fit=512%2C512&ssl=1","type":"image\/jpeg"}],"author":"Dionach Admin","twitter_card":"summary_large_image","twitter_creator":"@dionachcyber","twitter_site":"@dionachcyber","twitter_misc":{"Geschreven door":"Dionach Admin","Geschatte leestijd":"3 minuten"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/dionach.com\/nl\/splunk-web-shell\/#article","isPartOf":{"@id":"https:\/\/dionach.com\/nl\/splunk-web-shell\/"},"author":{"name":"Dionach Admin","@id":"https:\/\/dionach.com\/nl\/#\/schema\/person\/e73f3537233924cf4944f7807068b3c8"},"headline":"Splunk Web 
Shell","datePublished":"2015-03-26T17:08:40+00:00","dateModified":"2024-02-06T10:25:50+00:00","mainEntityOfPage":{"@id":"https:\/\/dionach.com\/nl\/splunk-web-shell\/"},"wordCount":358,"publisher":{"@id":"https:\/\/dionach.com\/nl\/#organization"},"keywords":["infrastructure","web applications"],"articleSection":["researchblog"],"inLanguage":"nl-NL"},{"@type":"WebPage","@id":"https:\/\/dionach.com\/nl\/splunk-web-shell\/","url":"https:\/\/dionach.com\/nl\/splunk-web-shell\/","name":"Splunk Web Shell","isPartOf":{"@id":"https:\/\/dionach.com\/nl\/#website"},"datePublished":"2015-03-26T17:08:40+00:00","dateModified":"2024-02-06T10:25:50+00:00","description":"Now and then, while performing internal penetration tests we come across Splunk default installs where system users can log in as \u201cadmin\u201d and are granted","breadcrumb":{"@id":"https:\/\/dionach.com\/nl\/splunk-web-shell\/#breadcrumb"},"inLanguage":"nl-NL","potentialAction":[{"@type":"ReadAction","target":["https:\/\/dionach.com\/nl\/splunk-web-shell\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/dionach.com\/nl\/splunk-web-shell\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/dionach.com\/nl\/"},{"@type":"ListItem","position":2,"name":"Splunk Web Shell"}]},{"@type":"WebSite","@id":"https:\/\/dionach.com\/nl\/#website","url":"https:\/\/dionach.com\/nl\/","name":"Dionach","description":"Real Security in a Virtual 
World","publisher":{"@id":"https:\/\/dionach.com\/nl\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/dionach.com\/nl\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"nl-NL"},{"@type":"Organization","@id":"https:\/\/dionach.com\/nl\/#organization","name":"Dionach","url":"https:\/\/dionach.com\/nl\/","logo":{"@type":"ImageObject","inLanguage":"nl-NL","@id":"https:\/\/dionach.com\/nl\/#\/schema\/logo\/image\/","url":"https:\/\/www.dionach.com\/wp-content\/uploads\/2025\/02\/cropped-Dionach-vertical-col-yel-nomios-black-1.jpg","contentUrl":"https:\/\/www.dionach.com\/wp-content\/uploads\/2025\/02\/cropped-Dionach-vertical-col-yel-nomios-black-1.jpg","width":512,"height":512,"caption":"Dionach"},"image":{"@id":"https:\/\/dionach.com\/nl\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/dionachcyber","https:\/\/x.com\/dionachcyber","https:\/\/uk.linkedin.com\/company\/dionach-ltd","https:\/\/www.instagram.com\/dionachcyber\/"]},{"@type":"Person","@id":"https:\/\/dionach.com\/nl\/#\/schema\/person\/e73f3537233924cf4944f7807068b3c8","name":"Dionach Admin","image":{"@type":"ImageObject","inLanguage":"nl-NL","@id":"https:\/\/secure.gravatar.com\/avatar\/3061726a64a760303f6ea8f0976d3e8e0a6997b4da543be9a650b81584b4e79e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/3061726a64a760303f6ea8f0976d3e8e0a6997b4da543be9a650b81584b4e79e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/3061726a64a760303f6ea8f0976d3e8e0a6997b4da543be9a650b81584b4e79e?s=96&d=mm&r=g","caption":"Dionach 
Admin"}}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/ph4Ojq-Kq","_links":{"self":[{"href":"https:\/\/dionach.com\/nl\/wp-json\/wp\/v2\/posts\/2878","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dionach.com\/nl\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dionach.com\/nl\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dionach.com\/nl\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dionach.com\/nl\/wp-json\/wp\/v2\/comments?post=2878"}],"version-history":[{"count":0,"href":"https:\/\/dionach.com\/nl\/wp-json\/wp\/v2\/posts\/2878\/revisions"}],"wp:attachment":[{"href":"https:\/\/dionach.com\/nl\/wp-json\/wp\/v2\/media?parent=2878"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dionach.com\/nl\/wp-json\/wp\/v2\/categories?post=2878"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dionach.com\/nl\/wp-json\/wp\/v2\/tags?post=2878"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}