Beginner Lab
aws
Compromise Splunk for AWS Privilege Escalation
Get hands on with creating a malicious Splunk add-in, take control of the underlying OS and increase AWS access!
Overview
Learn how to leverage defensive infrastructure to achieve offensive objectives in this intermediate lab: build a malicious Splunk add-in, take control of the underlying operating system and escalate your AWS access.
Scenario
Starting a new red team engagement, you have been given the login for a relatively unprivileged SOC account. Can you leverage defensive infrastructure and AWS services to access sensitive data and help you achieve your objectives?
Lab prerequisites
- Basic Linux command line knowledge
- Basic Python knowledge
- Basic AWS knowledge
Learning outcomes
- Create a malicious Splunk add-in
- Get a stable shell on a Splunk server
- Identify and decrypt stored secrets
- Enumerate AWS IAM and EC2
Real-world context
Splunk is a very popular and widely used SIEM that allows defenders to detect malicious activity in their environment. However, without proper hardening, Splunk can also be leveraged by threat actors to compromise the application, the underlying operating system, and potentially the on-premises or cloud environments it is connected to.
The free version of Splunk (the Splunk Free license) does not require authentication: anyone who can reach the web interface is logged in without credentials. On accessing the page we see the HTTP response headers Server: Splunkd and Set-Cookie: splunkweb_uid, which identify the instance as Splunk Web.
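As an added example (not code from the lab or from Pwned Labs), the following Python fingerprints a Splunk Web instance from exactly those two indicators, the Server: Splunkd header and the splunkweb_uid cookie. The raw response and the hostname in it are constructed for this example; the optional live check uses only the standard library.

```python
"""Fingerprint Splunk Web from HTTP response headers.

Constructed example for this page, not code from the lab. SAMPLE_RESPONSE
is made up to resemble a Splunk Web reply; the two indicators checked are
the "Server: Splunkd" header and the "splunkweb_uid" cookie.
"""
import urllib.request
from email.parser import Parser  # stdlib RFC 822 header parser, handles CRLF

# Constructed sample: a redirect from the Splunk Web root, as seen with curl -i.
SAMPLE_RESPONSE = (
    "HTTP/1.1 303 See Other\r\n"
    "Server: Splunkd\r\n"
    "Location: http://splunk.example.internal:8000/en-US/\r\n"  # hypothetical host
    "Set-Cookie: splunkweb_uid=ABCDEF0123456789; Path=/; HttpOnly\r\n"
    "Set-Cookie: session_id_8000=deadbeef; Path=/; HttpOnly\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_raw_response(raw):
    """Split a raw HTTP response into (status_line, [(name, value), ...])."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    msg = Parser().parsestr(header_block)
    # items() keeps duplicate headers such as several Set-Cookie lines
    return status_line, list(msg.items())


def fingerprint_headers(status_line, headers):
    """Return a dict describing whether the headers look like Splunk Web."""
    server = None
    cookie_names = []
    for name, value in headers:
        lname = name.lower()  # header names are case-insensitive
        if lname == "server":
            server = value.strip()
        elif lname == "set-cookie":
            cookie_names.append(value.split("=", 1)[0].strip())
    indicators = {
        "server_splunkd": server is not None and server.lower().startswith("splunkd"),
        "splunkweb_uid_cookie": "splunkweb_uid" in cookie_names,
    }
    return {
        "status": status_line,
        "server": server,
        "cookies": cookie_names,
        "indicators": indicators,
        "is_splunk_web": all(indicators.values()),
    }


def fingerprint_raw(raw):
    """Fingerprint a raw response string (e.g. saved output of curl -i)."""
    status_line, headers = parse_raw_response(raw)
    return fingerprint_headers(status_line, headers)


def fingerprint_url(url, timeout=5):
    """Fetch a URL and fingerprint the final response (follows redirects)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        status_line = "HTTP/1.1 %d %s" % (resp.status, resp.reason)
        return fingerprint_headers(status_line, resp.headers.items())


if __name__ == "__main__":
    result = fingerprint_raw(SAMPLE_RESPONSE)
    print(result)
    # To test a live target (default Splunk Web port is 8000):
    # print(fingerprint_url("http://splunk.example.internal:8000/"))
```

Both indicators are required before the function reports a match, so a reverse proxy that rewrites the Server header but leaves Splunk's cookie in place still lowers the result to a partial hit that you can inspect in the indicators field.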
Cloud Security Training To Protect Your Business
Pwned Labs for Business gives your team access to dedicated business content, including labs and cyber ranges.
We also offer in-person or remote workshops, and our cloud penetration testing services are helping businesses become more secure!