Fanatastic 🔹

Enumeration

We have a prometheus + grafana stack

Searching for exploit we have a path traversal one

We can read grafana db and get data source credentials from /var/lib/grafana/grafana.db

Searching for an exploit to decrypt it we have https://github.com/Sic4rio/Grafana-Decryptor-for-CVE-2021-43798

SSH with credentials

The user belongs to disk group so we can read root files.

We can read root private key and ssh to the host.

Get the flags