Hello there,

I am Pratik Dabhi, a Bug Bounty Hunter and a Penetration Tester. Many of you may already know me, but for those who aren’t, please visit my website to learn more about me.

In this blog, I will share an interesting bug I discovered last year on a multinational corporation’s website. The bug revolves around how I gained unauthorized access to the Grafana Dashboard. As in my recent blog posts, I’ve been detailing the bugs found during the reconnaissance phase. Similarly, in this case, I uncovered this bug during my reconnaissance phase.

What is Grafana Dashboard?

Grafana dashboards provide centralized, visually appealing views of data from various sources, enabling monitoring and analysis of metrics such as CPU usage, network traffic, and application performance. They are customizable, connect to diverse data sources, and support collaboration, fostering improved observability, productivity, and communication.

Bug Summary

Grafana, a popular data visualization tool, possesses default credentials for the admin account, allowing anyone to access the dashboard without the necessity of creating their own account. This presents a significant security risk, as individuals with access to the default credentials could gain unauthorized access to sensitive data and potentially compromise the system. Utilizing the default username and password, I successfully accessed the dashboard with admin privileges.

I initiated the process with the basics, collecting all the subdomains of the target using various tools like Subfinder and more.

Then, I used waybackurls along with httpx to probe the URLs and retrieve the current status of the URLs.

I found a few IPS in the URLS which were found by waybackurls so the IP looks something like this “hi.dd.en.ip” using “-td or -tech-detect” switch in “httpx” I found this IP has Grafana in it. So I tried checking for a few bugs on Grafana using “Nuclei” in the background along with that I was manually checking for the bugs and whenever I found that the particular IP was using some technology I always tried to log in with default credentials that’s my first approach.

So, I googled the default credentials of Grafana, which is “admin/admin”.

I tried the same and it was the easy guess and I was able to log in.

Once I was inside the dashboard, I tried to change the password.

After changing the password, I found a few interesting information in it, which may help an attacker to further investigate the target application and exploit it accordingly.

Video POC:

Impact -This can lead to sensitive information about the server’s analytics and other information on resource utilization.
An attacker can also generate an API key to pull the resources out of this platform to an attacker’s control domain.

Mitigation -Default passwords in applications are like open doors for cybercriminals to enter and steal sensitive data. To mitigate the issue, one should change default passwords to strong and unique ones and enforce regular password rotation.

With this vulnerability, I was able to earn good money, I will show you some of my reports.

Thanks, everyone for reading:)

Happy Hacking ;)

Support me if you like my work! Buy me a coffee and Follow me on Twitter

Website:- https://www.pratikdabhi.com/

Instagram:- https://www.instagram.com/i.m.pratikdabhi

Twitter:- https://twitter.com/impratikdabhi

Youtube:-https://www.youtube.com/impratikdabhi