Web
Nmap discovered a web server on the target, on port 3000.
The running service is Grafana (HTTP).
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fanatastic]
└─$ curl -I -X OPTIONS http://$IP:3000/
HTTP/1.1 302 Found
Cache-Control: no-cache
Expires: -1
Location: /login
Pragma: no-cache
Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-Xss-Protection: 1; mode=block
Date: Wed, 02 Apr 2025 12:22:12 GMT
Content-Length: 0
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fanatastic]
└─$ curl -I http://$IP:3000/
HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Location: /login
Pragma: no-cache
Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-Xss-Protection: 1; mode=block
Date: Wed, 02 Apr 2025 12:22:17 GMT
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fanatastic]
└─$ curl -i http://$IP:3000/
HTTP/1.1 302 Found
Cache-Control: no-cache
Content-Type: text/html; charset=utf-8
Expires: -1
Location: /login
Pragma: no-cache
Set-Cookie: redirect_to=%2F; Path=/; HttpOnly; SameSite=Lax
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-Xss-Protection: 1; mode=block
Date: Wed, 02 Apr 2025 12:22:22 GMT
Content-Length: 29
<a href="/login">Found</a>.
The server responds with a 302 redirect to a login page: /login
It’s the login page of a Grafana instance.
No credential is known at this time.
Grafana is a multi-platform open source analytics and interactive visualization web application. It can produce charts, graphs, and alerts for the web when connected to supported data sources.
Version Information
The login page revealed the version information:
v8.3.0 (914fcedb72)
Vulnerabilities
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fanatastic]
└─$ searchsploit grafana 8.3.0
------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------- ---------------------------------
Grafana 8.3.0 - Directory Traversal and Arbitrary File Read | multiple/webapps/50581.py
------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results
The target Grafana instance suffers from a directory traversal and arbitrary file read vulnerability: CVE-2021-43798.
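From the defender's side, the same version banner can drive a patch audit. The following is an added example, not part of the original notes: it parses Grafana version banners and reports which hosts fall in the range affected by CVE-2021-43798 (8.0.0-beta1 through 8.3.0, fixed in 8.0.7, 8.1.8, 8.2.7 and 8.3.1 per Grafana's advisory). The hostnames and the inventory are constructed for illustration.

```python
import re

# Fixed patch level per affected 8.x branch, from Grafana's advisory for
# CVE-2021-43798 (affected range: 8.0.0-beta1 through 8.3.0).
FIXED_PATCH = {(8, 0): 7, (8, 1): 8, (8, 2): 7, (8, 3): 1}
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")

def parse_banner(banner):
    """Extract (major, minor, patch) from a banner like 'v8.3.0 (914fcedb72)'."""
    m = VERSION_RE.search(banner)
    if m is None:
        raise ValueError(f"no version found in {banner!r}")
    return tuple(int(part) for part in m.groups())

def upgrade_target(banner):
    """Return the first fixed release for an affected banner, else None."""
    major, minor, patch = parse_banner(banner)
    fixed = FIXED_PATCH.get((major, minor))
    # Branches outside 8.0-8.3 are not in the affected range; pre-releases
    # such as 8.0.0-beta1 parse as patch 0 and are therefore flagged.
    if fixed is None or patch >= fixed:
        return None
    return f"{major}.{minor}.{fixed}"

def audit(inventory):
    """Map each affected host to the release it must reach; patched hosts are omitted."""
    findings = {}
    for host, banner in inventory.items():
        target = upgrade_target(banner)
        if target is not None:
            findings[host] = target
    return findings

# Constructed inventory: hostnames are hypothetical; the first banner is the
# one shown on this page.
INVENTORY = {
    "grafana-a.example": "v8.3.0 (914fcedb72)",
    "grafana-b.example": "Grafana v8.2.7",
    "grafana-c.example": "8.0.0-beta1",
    "grafana-d.example": "v7.5.11",
}

if __name__ == "__main__":
    for host, target in audit(INVENTORY).items():
        print(f"{host}: affected by CVE-2021-43798, upgrade to >= {target}")
```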
Fuzzing
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/fanatastic]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt -u http://$IP:3000/FUZZ -ic -fc 302
________________________________________________
:: Method : GET
:: URL : http://192.168.202.181:3000/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response status: 302
________________________________________________
api-doc [Status: 401, Size: 32, Words: 4, Lines: 4, Duration: 70ms]
api [Status: 401, Size: 32, Words: 4, Lines: 4, Duration: 70ms]
api_test [Status: 401, Size: 32, Words: 4, Lines: 4, Duration: 70ms]
api2 [Status: 401, Size: 32, Words: 4, Lines: 4, Duration: 70ms]
apicache [Status: 401, Size: 32, Words: 4, Lines: 4, Duration: 70ms]
apimage [Status: 401, Size: 32, Words: 4, Lines: 4, Duration: 70ms]
apis [Status: 401, Size: 32, Words: 4, Lines: 4, Duration: 70ms]
api4 [Status: 401, Size: 32, Words: 4, Lines: 4, Duration: 70ms]
api3 [Status: 401, Size: 32, Words: 4, Lines: 4, Duration: 70ms]
login [Status: 200, Size: 28039, Words: 1924, Lines: 192, Duration: 22ms]
metrics [Status: 200, Size: 49464, Words: 1741, Lines: 694, Duration: 29ms]
robots.txt [Status: 200, Size: 26, Words: 3, Lines: 3, Duration: 25ms]
signup [Status: 200, Size: 27990, Words: 1924, Lines: 192, Duration: 37ms]
verify [Status: 200, Size: 27990, Words: 1924, Lines: 192, Duration: 39ms]
:: Progress: [20478/20478] :: Job [1/1] :: 1449 req/sec :: Duration: [0:00:14] :: Errors: 0 ::
N/A