In the Name of Allah
Hi guys, I'm YoungVanda, and in this write-up I wanna talk about my own methodology for finding a Grafana admin panel and how I was able to get full access.
Let’sssssssssssssssssss Gooooooooooooooooooo 🔥🔥🧨🧨 (Just Vibing 😂)
My approach towards platform-based programs (VDP — RDP)
Since I had just started hunting, I decided to go for a VDP program. After over 10 duplicates, I got my first bug, which was a Reflected XSS (I’ll tell you how in another write-up), and this is my second bug, which was triaged as critical.
Bug Story
The night before, I was working on a simple tool to scan/monitor my assets on a regular basis with the help of passive providers, and in the end I added notify (the tool) to my code so it would alert me whenever a new subdomain was found. So I finished writing the tool, and after that I watched anime for an hour (a bit of dopamine 🐱👤), read a book and went to sleep.
The next day everything was normal. There was no sign of interesting subdomains, but I was happy because my tool was working fine (I’m not a programmer 🐱👓).
I went to the gym and came back, took a shower, etc., and finally opened my laptop and saw a new subdomain alert on my Discord :)
I put the subdomain in my address bar and wished I could find an XSS 😂 My internet connection was so bad that after 30 minutes the subdomain finally loaded, and I said: damn, it’s an admin panel, what should I do now?
I was disappointed and wanted to close the tab, but I told myself: just try admin:admin, and if it doesn’t work, close it.
You know what??? It worked! I entered admin:admin, it asked me for a new password, I set one, and now I had access to one of the juiciest admin panels in the world.
Jokes aside, that admin panel was really juicy; I literally could do anything.
Behind the Scenes is where the magic happens!!!
I was the first hunter to find that subdomain.
So recon always wins. I had been monitoring the asset for less than 24 hours when a new subdomain popped up in my Discord, and I went for it before anyone else.
- The default port for the Grafana panel is 3000. Also consider 80 and 443.
- Grafana 8.0.0-beta1 to 8.3.0 is vulnerable to LFI.
- Take advantage of Shodan dorks.
- The default credential for Grafana is admin:admin; if it doesn’t work, try other combinations.
- I just put admin:admin
- I logged in and changed the password
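As an added example that is not the author's code, here is a small Python audit of the grafana.ini settings behind the admin:admin login from the story: it flags the default admin password (honouring the GF_SECURITY_ADMIN_PASSWORD override), creation of the built-in admin user, anonymous access and open sign-up. The two ini fragments are constructed for this example; the section and key names are Grafana's documented settings.

```python
import configparser

# Constructed grafana.ini fragments for this example (not from any real deployment);
# the section and key names are Grafana's documented ones, the values are made up.
WEAK_INI = """
[security]
admin_user = admin
admin_password = admin
disable_initial_admin_creation = false
[auth.anonymous]
enabled = true
[users]
allow_sign_up = true
"""

HARDENED_INI = """
[security]
admin_user = admin
disable_initial_admin_creation = true
[auth.anonymous]
enabled = false
[users]
allow_sign_up = false
"""

WEAK_PASSWORDS = {"", "admin", "password", "grafana"}


def audit_grafana_ini(ini_text: str, env: dict[str, str]) -> list[str]:
    """Return findings for settings that leave the admin panel open to a default login.

    `env` stands in for the process environment: GF_SECURITY_ADMIN_PASSWORD overrides
    the ini value, so a strong password supplied that way clears the finding.
    """
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    findings: list[str] = []
    if not cfg.getboolean("security", "disable_initial_admin_creation", fallback=False):
        findings.append("security.disable_initial_admin_creation is false: built-in admin user is created")
        # Only then does the password matter; Grafana falls back to "admin" when it is unset,
        # which is exactly the admin:admin login from the story.
        password = env.get("GF_SECURITY_ADMIN_PASSWORD") or cfg.get("security", "admin_password", fallback="admin")
        if password.strip() in WEAK_PASSWORDS:
            findings.append("security.admin_password is default/weak: admin:admin still works")
    if cfg.getboolean("auth.anonymous", "enabled", fallback=False):
        findings.append("auth.anonymous.enabled is true: dashboards readable without login")
    if cfg.getboolean("users", "allow_sign_up", fallback=False):
        findings.append("users.allow_sign_up is true: anyone reaching the panel can register")
    return findings
```

Run it against your own grafana.ini (and the container's environment) before the panel goes on a public subdomain; an empty list is the goal.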
End of the Story
This was almost all I knew about Grafana, and I explained my own approach to finding this bug ;d
If you somehow liked this write-up, follow me, and see you soon.
My Twitter Account: @young_vanda_
More Write-ups to read about Grafana Admin Panel Bypass: