## https://sploitus.com/exploit?id=7275A2C7-3B68-59FB-853D-9764BD20ABC1
# Splunk Path Traversal Exploit (CVE-2024-36991)

<img width="1671" alt="Screenshot 2025-03-30 at 8 18 32 PM" src="https://github.com/user-attachments/assets/d4707d40-08b4-482e-891e-4cd3ad424a23" />


## Description
This is a Proof-of-Concept (PoC) exploit script for **CVE-2024-36991**, a path traversal vulnerability affecting **Splunk Enterprise** on Windows in versions below:
- **9.2.2**
- **9.1.5**
- **9.0.10**

The vulnerability allows unauthenticated attackers to access sensitive files on the server by exploiting a path traversal flaw in the Splunk web interface.

**Severity:** Critical  
**Impact:** Arbitrary File Read

---

## ⚠️ Vulnerable Versions
- Splunk Enterprise < 9.2.2
- Splunk Enterprise < 9.1.5
- Splunk Enterprise < 9.0.10

---

## 💡 Usage
To run the exploit, use the following commands:
<img width="1670" alt="Screenshot 2025-03-30 at 8 17 55 PM" src="https://github.com/user-attachments/assets/0a4007ea-45d7-463c-9ef5-0f8b8a322392" />

```bash
# Using Python3
python3 exploit.py -u http://victim.com -s 1

# Running directly
./exploit.py -u http://victim.com -s 1
```

### Parameters:
- `-u`, `--url`: The base URL of the target Splunk server.
- `-s`, `--section`: Select the section to enumerate (1-5), as listed under Sections.

### Sections:
1. **Credentials & Secrets:**
    - `/etc/passwd`
    - `/etc/auth/splunk.secret`
    - `/etc/auth/server.pem`
    - `/var/run/splunk/session`
    - `/etc/system/local/authentication.conf`

2. **Configuration Files:**
    - `/etc/system/local/web.conf`
    - `/etc/system/local/inputs.conf`

3. **Logs & History:**
    - `/var/log/splunk/splunkd.log`
    - `/var/log/splunk/audit.log`
    - `/var/log/splunk/metrics.log`
    - `/var/log/splunk/searches.log`
    - `/var/run/splunk/dispatch`

4. **System & Service Files:**
    - `/bin/splunk.exe`
    - `/bin/splunkd.exe`
    - `/etc/system/default/server.conf`
    - `/etc/system/default/user-seed.conf`
    - `/var/lib/splunk/persistentstorage.db`

5. **Apps & Custom Scripts:**
    - `/etc/apps/Splunk_TA_windows/bin`
    - `/etc/apps/Splunk_TA_nix/bin`
    - `/etc/apps/SplunkForwarder/local`
    - `/etc/apps/Splunk_SA_CIM/local`

---

## 🛡️ Mitigation
To protect your Splunk server:
- Upgrade to **Splunk Enterprise 9.2.2, 9.1.5, or 9.0.10** or later.
- Restrict access to the Splunk web interface with access controls and firewall rules.
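
To check whether a server was probed before it was patched, the sketch below scans web access-log lines for traversal sequences and reports which file from the Sections list each request was aimed at. It is an added example, not part of the original PoC; the log layout, the names `normalize` and `scan`, and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote
# Files from the README's Sections list, keyed by section number.
TARGETS = {
    1: ["/etc/passwd", "/etc/auth/splunk.secret", "/etc/auth/server.pem",
        "/var/run/splunk/session", "/etc/system/local/authentication.conf"],
    2: ["/etc/system/local/web.conf", "/etc/system/local/inputs.conf"],
    3: ["/var/log/splunk/splunkd.log", "/var/log/splunk/audit.log",
        "/var/log/splunk/metrics.log", "/var/log/splunk/searches.log",
        "/var/run/splunk/dispatch"],
    4: ["/bin/splunk.exe", "/bin/splunkd.exe", "/etc/system/default/server.conf",
        "/etc/system/default/user-seed.conf", "/var/lib/splunk/persistentstorage.db"],
    5: ["/etc/apps/Splunk_TA_windows/bin", "/etc/apps/Splunk_TA_nix/bin",
        "/etc/apps/SplunkForwarder/local", "/etc/apps/Splunk_SA_CIM/local"],
}
# Assumed layout: common-log-style access line (client, timestamp, request, status).
REQ = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "\w+ (\S+) [^"]*" (\d{3})')

def normalize(raw):
    # Drop the query string, undo nested percent-encoding, unify separators.
    path = raw.split("?", 1)[0]
    for _ in range(3):  # bounded; three passes cover double encoding
        path = unquote(path)
    return path.replace("\\", "/").lower()

def scan(lines):
    # One finding per request whose decoded path has a segment containing "..".
    findings = []
    for line in lines:
        m = REQ.match(line)
        if not m:
            continue
        client, raw, status = m.groups()
        norm = normalize(raw)
        if not any(".." in seg for seg in norm.split("/")):
            continue
        hit = next(((s, t) for s, ts in TARGETS.items() for t in ts
                    if t.lower() in norm), (None, None))
        findings.append({"client": client, "section": hit[0], "target": hit[1],
                         "served": status == "200"})
    return findings

# Constructed sample lines (not real traffic); the /x/ prefix is a placeholder.
SAMPLE = [
    '198.51.100.7 - - [30/Mar/2025:20:17:55 +0000] "GET /en-US/app/search/home HTTP/1.1" 200 5120',
    '198.51.100.7 - - [30/Mar/2025:20:18:01 +0000] "GET /x/..%5c..%5cetc%5cauth%5csplunk.secret HTTP/1.1" 200 255',
    '198.51.100.7 - - [30/Mar/2025:20:18:02 +0000] "GET /x/%252e%252e/%252e%252e/etc/system/local/web.conf HTTP/1.1" 404 0',
    '203.0.113.9 - - [30/Mar/2025:20:19:10 +0000] "GET /x/../../static/logo.png HTTP/1.1" 404 0',
]
if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

A finding with `served` set and a section 1 target means the secret or certificate should be treated as exposed and rotated, not just the server patched.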

---

## ⚠️ Disclaimer
This exploit is for educational and authorized penetration testing purposes only. Unauthorized use is illegal and unethical. The author takes no responsibility for misuse.