BOOK THIS SPACE FOR AD
ARTICLE ADHey folks,
I’m here to share one of my old findings. In which accessed the grafana dashboard with default credentials, which lead to sensitive information about the server’s analytics and other information on resource utilization.
You all must be thinking about the need to write this easy finding even beginners can find this issue: well, my answer is only 50% of bug hunters look for this flaw because they follow their checklists. And as penetration testers, our work is to test & report every vulnerability even if it is very low to High. I’m sharing this for hunters and beginner-level pen-testers who perform or provide penetration testing services or work for a company. These simple vulnerabilities can give us juicy data & and access to the panel.
I was testing a target so let’s call it redacted.com. I used subfinder & httpx to find active subdomains:-
Subfinder -d redacted.com | httpx -o redacted.txt
Redacted.com using an outdated version of Grafana V6.0.2. And there, I noticed that one subdomain is https://grafana.redacted.com which is redirected to https://grafana.redacted.com/login, and only admin or internal user can access the dashboard. So I started to look for CVE’s & tries some bypass techniques to access dashboard but got no success.
what I do now is there any other way to get access to the dashboard.
Suddenly, my spider-sense warned me that I missed an essential and easy part of finding vulnerability on the Admin panel: trying default credentials.
And grafana default credentials are admin: admin, which is mentioned in grafana docs. I tried admin: admin & logged in as admin.
Impact: This can lead to sensitive information about the server’s analytics and other information on resource utilization.
An attacker can also generate an API key to pull the resources out of this platform to an attacker’s control domain.
Fill in the blanks:
Who is responsible for this mistake: ______________😁
As per Bugcrowd VRT, this flaw has a P1 severity, and the reward should be in 4 digits, but I found it on VDP(discontinued program), and they pay based on their budget for bounty programs.
Bounty: $$$(3-digit)
Note: Never underestimate spider-sense and try everything you have & never-give-up.
Twitter: https://twitter.com/Mah3Sec_