My Second VDP Bug Went Critical: Grafana Admin Panel Bypass

11 months ago

YoungVanda

InfoSec Write-ups

In the Name of Allah

Hello mates. I’m YoungVanda and this is my first write-up. I hope this write-up will be useful for you. 😊

Let’sssssssssssssssssss Gooooooooooooooooooo 🔥🔥🧨🧨(Just Vibing 😂)

My approach towards platform-based programs ( VDP — RDP )

Since I had just started hunting, I decided to go for a VDP program. After over 10 duplicates I got my first bug, which was a Reflected XSS (in another write-up I’ll tell you how), and this is my second bug, which was triaged as critical.

Bug Story

The night before, I was working on a simple tool to scan/monitor my assets on a regular basis with the help of passive providers and, at the end, I added notify (the tool) to my code so it would notify me if any new subdomain was found. So I finished writing the tool, and after that I watched anime for an hour (a bit of dopamine 🐱‍👤), read a book and went to sleep.
The next day everything was normal, no sign of interesting subdomains, but I was happy because my tool was working fine (I’m not a programmer 🐱‍👓).
I went to the gym and came back, took a shower, etc., and finally opened my laptop and saw a new subdomain alert on my Discord :)
I put the subdomain in my search bar and wished I could find an XSS 😂. After 30 minutes (my internet connection was so bad) the subdomain finally loaded and I said, damn, it’s an admin panel, what should I do now?
I was disappointed and wanted to close the tab, but I said: just try admin:admin; if it doesn’t work, close it.
You know what??? It worked! I put in admin:admin, it asked me for a new password, I entered a new password, and now I had access to one of the juiciest admin panels in the world.
Jokes aside, that admin panel was really juicy; I literally could do anything.
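The monitoring tool in the story is not shown on the page; the script below is an added example (my own code, not the author’s) of the pattern it describes: merge the output of passive subdomain providers, compare it with the set seen on the previous run, and hand only the new names to a notifier. The provider results and the example.com hostnames are constructed sample data, and notify_stdout is a stand-in for whatever alerting you use (the author piped into the notify CLI and Discord).

```python
"""Minimal new-subdomain monitor: merge passive-source results, compare with the
previously seen set, and hand anything new to a notifier (e.g. a Discord hook)."""
import json
from pathlib import Path


def normalize(name: str) -> str:
    """Canonicalize one hostname so the same host is never reported twice."""
    name = name.strip().lower().rstrip(".")   # trailing dot from DNS/CT sources
    if name.startswith("*."):                  # wildcard certificate entries
        name = name[2:]
    return name


def in_scope(name: str, root: str) -> bool:
    """True only for the root itself or a real subdomain of it
    (rejects look-alikes such as example.com.evil.net)."""
    return name == root or name.endswith("." + root)


def merge_sources(root: str, *sources) -> set:
    """Union of every passive provider's output, normalized and scope-filtered."""
    found = set()
    for names in sources:
        for raw in names:
            name = normalize(raw)
            if name and in_scope(name, root):
                found.add(name)
    return found


def run_once(root: str, sources, known: set, notify) -> tuple:
    """One monitoring pass. Returns (new_names, updated_known).

    Kept purely in-memory so it is easy to schedule and test; persistence is
    handled by the file helpers below."""
    current = merge_sources(root, *sources)
    new = sorted(current - known)
    if new:
        notify(new)
    return new, known | current


def load_state(path: Path) -> set:
    """Previously seen names, stored as a JSON list; empty on first run."""
    return set(json.loads(path.read_text())) if path.exists() else set()


def save_state(path: Path, known: set) -> None:
    path.write_text(json.dumps(sorted(known)))


# Constructed sample data standing in for two passive providers (not real output).
SAMPLE_SOURCES = [
    ["www.example.com", "*.example.com", "Grafana.example.com."],
    ["dev.example.com", "example.com", "example.com.evil.net"],
]
SAMPLE_KNOWN = {"www.example.com", "example.com"}


def notify_stdout(new):
    """Stand-in notifier; pipe this output into the `notify` CLI or a webhook."""
    for name in new:
        print(f"[new] {name}")


if __name__ == "__main__":
    state = Path("known_subdomains.json")
    known = load_state(state) or SAMPLE_KNOWN
    new, known = run_once("example.com", SAMPLE_SOURCES, known, notify_stdout)
    save_state(state, known)
```

Run it on a schedule (cron or a loop with a sleep) and replace SAMPLE_SOURCES with the real provider output; because the state file only ever grows, a host that disappears and comes back is not re-alerted, which is usually what you want for noise reasons.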

Behind the Scenes is where the magic happens!!!

I was the first hunter to find that subdomain.
So recon always wins. I had been monitoring the asset for less than 24 hours when a new subdomain popped up in my Discord, and I went for it before anyone else.

Grafana notes from this bug:
The default port for the Grafana panel is 3000; also consider 80 and 443.
Grafana 8.0.0-beta1 to 8.3.0 is vulnerable to LFI (CVE-2021-43798, an unauthenticated path traversal through the plugin asset endpoint; fixed in 8.3.1, with backported fixes in 8.0.7, 8.1.8 and 8.2.7).
Take advantage of Shodan dorks.
The default credentials for Grafana are admin:admin (set in grafana.ini under [security] as admin_user / admin_password, or with the GF_SECURITY_ADMIN_PASSWORD environment variable); if they don’t work, try other combinations. An instance that still has the default password accepts the login and then asks for a new password, which is exactly what happened here.
I just put in admin:admin.
I logged in and changed the password.
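The two checks above (version in the LFI range, admin:admin still accepted) are easy to script against a candidate Grafana host once recon surfaces one. The script below is an added example of my own, not the author’s tooling or Grafana’s code. It reads the version from the unauthenticated /api/health endpoint, compares it against the 8.0.0-beta1 to 8.3.0 range (the backported fix versions 8.0.7, 8.1.8 and 8.2.7 come from the vendor advisory for CVE-2021-43798, not from the post), and tests the default pair through Grafana’s JSON POST /login endpoint, which answers 200 for a valid pair and 401 otherwise. The grafana.example host and the sample_http responses are constructed so the script runs offline.

```python
"""Triage a Grafana instance: read its version from /api/health, flag the LFI
range, and test the admin:admin default through the JSON login endpoint."""
import json
import re
import urllib.error
import urllib.request


def version_key(version: str) -> tuple:
    """Sortable key; pre-releases (8.0.0-beta1) order before the final 8.0.0."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognized Grafana version: {version!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), 0 if pre else 1, pre or "")


LFI_LOW = version_key("8.0.0-beta1")   # first affected build
LFI_HIGH = version_key("8.3.0")        # last affected build; 8.3.1 carries the fix
# Backported fixes for CVE-2021-43798 inside the range (vendor advisory, not the post).
LFI_BACKPORTS = {version_key(v) for v in ("8.0.7", "8.1.8", "8.2.7")}


def in_lfi_range(version: str) -> bool:
    key = version_key(version)
    return LFI_LOW <= key <= LFI_HIGH and key not in LFI_BACKPORTS


def urllib_http(method: str, url: str, body: bytes = None) -> tuple:
    """Real transport: returns (status, body) and does not raise on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, method=method,
                                 headers={"Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def grafana_version(base_url: str, http=urllib_http):
    """/api/health needs no login and reports the running version."""
    status, body = http("GET", base_url.rstrip("/") + "/api/health")
    if status != 200:
        return None
    return json.loads(body).get("version")


def default_creds_work(base_url: str, user="admin", password="admin",
                       http=urllib_http) -> bool:
    """POST /login answers 200 for a valid pair, 401 otherwise. A fresh install
    still accepts admin:admin and only prompts for a new password in the UI."""
    payload = json.dumps({"user": user, "password": password}).encode()
    status, _ = http("POST", base_url.rstrip("/") + "/login", payload)
    return status == 200


def triage(base_url: str, http=urllib_http) -> dict:
    version = grafana_version(base_url, http)
    try:
        lfi = in_lfi_range(version) if version else False
    except ValueError:          # unparsable version string: report, don't crash
        lfi = None
    return {
        "version": version,
        "lfi_range": lfi,
        "default_creds": default_creds_work(base_url, http=http),
    }


def sample_http(method: str, url: str, body: bytes = None) -> tuple:
    """Constructed offline stand-in for an unpatched 8.3.0 with default creds."""
    if url.endswith("/api/health"):
        return 200, b'{"commit":"deadbeef","database":"ok","version":"8.3.0"}'
    if url.endswith("/login") and method == "POST":
        if json.loads(body) == {"user": "admin", "password": "admin"}:
            return 200, b'{"message":"Logged in"}'
        return 401, b'{"message":"Invalid username or password"}'
    return 404, b""


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        result = triage(sys.argv[1])                     # e.g. http://host:3000
    else:
        result = triage("http://grafana.example:3000", http=sample_http)
    print(json.dumps(result, indent=2))
```

Pass the base URL (port 3000, or 80/443 behind a proxy) as the first argument to run it against a host in scope; the login probe is a single request, so it is a reasonable first check before spending time on anything else.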

End of the Story

This was almost all I knew about Grafana, and I have explained my own approach to finding this bug ;d
If you liked this write-up, please give me a thumbs up, and see you soon.

More write-ups to read about Grafana admin panel bypass:

https://infosecwriteups.com/from-shodan-dork-to-grafana-local-file-inclusion-e77dc4cfc264
https://infosecwriteups.com/grafana-admin-panel-bypass-in-google-acquisition-virustotal-c5ecc9d7b8ae
Try to find more by searching on the Internet.

My Twitter Account: @young_vanda_
