# Splunk ## **Introduction** > * Splunk is a `SIEM tool` prevalent in `internal networks` > * The Splunk web server runs by default on `port 8000`. > * On older versions of Splunk, the default credentials are `admin:changeme` (displayed on the login page) > * The latest version of Splunk sets credentials during the installation process. > * If the default credentials do not work, it is worth checking for `common weak passwords` such as `admin`, `Welcome`, `Welcome1`, `Password123`, etc. > * The Splunk Enterprise trial converts to a free version after `60 days` > * The `free version` of Splunk does not have any form of authentication > * `Approach`: The biggest focus of Splunk during an assessment would be weak or null authentication because admin access to Splunk gives us the ability to deploy custom applications that can be used to quickly compromise a Splunk server and possibly other hosts in the network depending on the way Splunk is set up. *** ## **Splunk RCE \[Authenticated]** > * We can gain remote code execution on Splunk by creating a custom application to run Python, PowerShell Batch or Bash scripts > * Use > * Follow the instructions in the README of that repository --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.sectest.it/web-applications/web-technologies/splunk.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.