Merge pull request #2064 from HackTricks-wiki/research_update_src_network-services-pentesting_pentesting-web_grafana_20260328_130736

Research Update Enhanced src/network-services-pentesting/pen...

Author: carlospolop

src/network-services-pentesting/pentesting-web/grafana.md

@@ -4,13 +4,58 @@
 
 ## Interesting stuff
 
-- The file **`/etc/grafana/grafana.ini`** can contain sensitive information such as **admin** **username** and **password.**
-- Inside the platform you could **invite people** or **generate API keys** (might need to be admin)
-- You could check which plugins are installed (or even install new)
-- By default it uses **SQLite3** database in **`/var/lib/grafana/grafana.db`**
-  - `select user,password,database from data_source;`
+- Main config is usually in **`/etc/grafana/grafana.ini`** (Deb/RPM) and can contain sensitive values such as **`admin_user`**, **`admin_password`**, **`secret_key`**, OAuth settings, SMTP creds, and renderer tokens.
+- By default Grafana stores data in **SQLite3** under **`/var/lib/grafana/grafana.db`**.
+- Provisioning files are very interesting after host access:
+  - **`/etc/grafana/provisioning/datasources/*.yaml`**
+  - **`/etc/grafana/provisioning/plugins/*.yaml`**
+  - Environment-variable expansion is supported in provisioning files, so leaked YAML often reveals both secrets and the env var names backing them.
+- Installed plugins are commonly found under **`/var/lib/grafana/plugins`**.
+- Inside the platform you could **invite people**, **generate API keys / service account tokens**, **list plugins**, or **install new plugins** depending on the role.
+- The browser is also loot: Grafana exposes non-secret datasource config to the frontend. If you have a **Viewer** session (or **anonymous access** is enabled), inspect **`window.grafanaBootData`** from DevTools.
+
+Useful SQLite checks:
 
----
+```sql
+.tables
+.schema data_source
+SELECT id,org_id,name,type,url,access,is_default,json_data FROM data_source;
+SELECT id,org_id,uid,login,email,is_admin FROM user;
+SELECT id,org_id,uid,name,slug FROM dashboard;
+```
+
+## Looting datasources and secrets
+
+Grafana separates browser-readable configuration from encrypted secrets:
+
+- **`jsonData`** is visible to users in the browser and is commonly enough to enumerate internal hosts, tenants, auth modes, header names, AWS regions, Elasticsearch indexes, Loki tenants, Prometheus URLs, and similar recon data.
+- **`secureJsonData`** is encrypted server-side and no longer readable from the browser after the datasource is saved.
+
+Post-exploitation workflow:
+
+1. Dump **`grafana.ini`** and recover **`secret_key`**.
+2. Loot **`grafana.db`** and provisioning files.
+3. Enumerate datasources and plugin configuration to find reusable credentials and internal endpoints.
+4. If migrating or replaying the database in another Grafana instance, keep the same **`secret_key`** or stored datasource passwords/tokens will not decrypt correctly.
+
+Why **`secret_key`** matters in newer versions:
+
+- Since Grafana v9, database secrets use envelope encryption.
+- Grafana encrypts secrets with **data encryption keys (DEKs)**, and those DEKs are encrypted with a **key encryption key (KEK)** derived from **`secret_key`**.
+- From an attacker perspective, **`grafana.db` + `secret_key`** is the pair worth stealing.
+
+## Plugin attack surface
+
+Treat plugins as part of the target, not a footnote:
+
+- Enumerate them from the filesystem, from the UI, or from the API:
+
+```bash
+curl -s http://grafana.target/api/plugins | jq '.[].id'
+```
+
+- Older or third-party plugins regularly expand Grafana's reach into internal networks because they proxy HTTP requests or interact with local files/databases.
+- Recent examples include SSRF in the **Infinity** plugin (`< 3.4.1`) and abuse paths where the **Image Renderer** plugin turns another bug into **full-read SSRF**.
 
 ## CVE-2024-9264 – SQL Expressions (DuckDB shellfs) post-auth RCE / LFI
 
@@ -25,7 +70,7 @@ Impact
 Quick checks
 - In the UI/API, browse Admin settings (Swagger: `/swagger-ui`, endpoint `/api/admin/settings`) to confirm:
   - `expressions.enabled` is true
-  - Optional: version (e.g., v11.0.0 vulnerable), datasource types, etc.
+  - Optional: version, datasource types, and general hardening settings
 - Shell on host: `which duckdb` must resolve for the exploit path below.
 
 Manual query pattern using DuckDB + shellfs
@@ -64,10 +109,25 @@ python3 CVE-2024-9264.py -u <USER> -p <PASS> \
 ```
 If output shows `uid=0(root)`, Grafana is running as root (common inside some containers).
 
+## 2025 client-side traversal / open redirect chain
+
+The 2025 Grafana client-side traversal and open-redirect chain is already documented in more generic client-side pages. Use those techniques against Grafana-specific paths such as plugin assets, dashboard script loaders, and token-rotation redirects:
+
+{{#ref}}
+../../../pentesting-web/client-side-path-traversal.md
+{{#endref}}
+
+{{#ref}}
+../../../pentesting-web/open-redirect.md
+{{#endref}}
 
 ## References
 
 - [Grafana Advisory – CVE-2024-9264 (SQL Expressions RCE/LFI)](https://grafana.com/security/security-advisories/cve-2024-9264/)
+- [Grafana docs – Add authentication for data source plugins (`jsonData`, `secureJsonData`, `window.grafanaBootData`)](https://grafana.com/developers/plugin-tools/how-to-guides/data-source-plugins/add-authentication-for-data-source-plugins)
+- [Grafana docs – Configure database encryption](https://grafana.com/docs/grafana/latest/setup-grafana/configure-security/configure-database-encryption/)
+- [Grafana docs – Provision Grafana](https://grafana.com/docs/grafana/latest/administration/provisioning/)
+- [Cycode – One Plugin Away: Breaking Into Grafana from the Inside](https://cycode.com/blog/one-plugin-away-breaking-into-grafana-from-the-inside/)
 - [DuckDB shellfs community extension](https://duckdb.org/community_extensions/extensions/shellfs.html)
 - [nollium/CVE-2024-9264 PoC](https://github.com/nollium/CVE-2024-9264)
 - [cfreal/ten framework](https://github.com/cfreal/ten)