Local privilege escalation, or remote code execution, through Splunk Universal Forwarder (UF) misconfigurations
See https://clement.notin.org/blog/2019/02/25/Splunk-Universal-Forwarder-Hijacking-2-SplunkWhisperer2/ for more details.
PySplunkWhisperer2 works fine on Linux targets too (adapt the payload file name and content accordingly).
Note also that SharpSplunkWhisperer2 relies on the Splunk SDK for C# library, whereas PySplunkWhisperer2 directly calls the Splunk REST API.
These tools are inspired by the original Splunk Whisperer by @airman604.
The main advantage of these versions is that the Deployment Server used by the UF is not changed. They only install a new application (and then remove it), so they are less intrusive and the code is simpler.
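From the defender's side, the install-then-remove behaviour described above leaves a short-lived app creation followed by a deletion from the same source in the forwarder's REST access log. The following detector is an added example, not code from the SplunkWhisperer2 project; the log line layout, the `/services/apps/local` endpoint paths and the sample entries are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the shape of a splunkd access log (assumed layout;
# the real field order may differ between Splunk versions). App name is made up.
SAMPLE_LOG = """\
10.0.0.5 - admin [25/Feb/2019:10:41:03.117 +0100] "POST /services/apps/local HTTP/1.1" 201 312 - - - 18ms
10.0.0.5 - admin [25/Feb/2019:10:41:04.502 +0100] "DELETE /services/apps/local/tmp_app HTTP/1.1" 200 0 - - - 9ms
10.0.0.9 - deploy [25/Feb/2019:11:02:40.010 +0100] "POST /services/apps/local HTTP/1.1" 201 512 - - - 22ms
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse(log_text):
    """Turn access-log lines into (timestamp, src, user, method, path, status) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S.%f %z")
        events.append((ts, m["src"], m["user"], m["method"], m["path"], int(m["status"])))
    return events


def find_transient_apps(log_text, window=timedelta(seconds=60)):
    """Return (src, app_name, seconds_alive) for every app that a source created
    through the REST API and deleted again within `window`. A legitimate
    deployment normally leaves the app in place, so a very short lifetime is
    worth an alert and a look at the UF management-port credentials."""
    pending = {}  # src -> timestamp of its most recent successful app creation
    hits = []
    for ts, src, _user, method, path, status in parse(log_text):
        if method == "POST" and path == "/services/apps/local" and status == 201:
            pending[src] = ts
        elif method == "DELETE" and path.startswith("/services/apps/local/") and status == 200:
            created = pending.pop(src, None)
            if created is not None and ts - created <= window:
                alive = round((ts - created).total_seconds(), 3)
                hits.append((src, path.rsplit("/", 1)[1], alive))
    return hits


if __name__ == "__main__":
    for src, app, secs in find_transient_apps(SAMPLE_LOG):
        print(f"short-lived app {app!r} from {src}: removed after {secs}s")
```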
Resources provided here are shared to demonstrate risk. These can be used only against systems you own or are authorized to test, these must not be used for illegal purposes. The author cannot be held responsible for any misuse or damage from any material provided here.