f

Author: carlospolop

src/network-services-pentesting/pentesting-web/grafana.md

@@ -64,31 +64,6 @@ python3 CVE-2024-9264.py -u <USER> -p <PASS> \
 ```
 If output shows `uid=0(root)`, Grafana is running as root (common inside some containers).
 
-Post-exploitation notes
-- Harvest environment secrets from the spawned process (`env` or `/proc/<pid>/environ`). Grafana commonly exposes variables like:
-  - `GF_SECURITY_ADMIN_USER`, `GF_SECURITY_ADMIN_PASSWORD`
-  - These may be reused in other places (e.g., SSH, basic-auth on internal tools). See Linux post-exploitation tips below.
-- Container indicators: `/.dockerenv`, short hex hostname, Docker bridge IP in `/proc/net/fib_trie`.
-- Local port-only panels: Pivot with SSH local port forwarding: `ssh -L 9001:localhost:<port> user@host` and browse `http://localhost:9001` from your box.
-
-Detection & hardening
-- Disable SQL Expressions if not needed: `expressions.enabled = false` (ini or via provisioning)
-- Remove or restrict DuckDB availability on the server PATH if SQL Expressions are enabled
-- Restrict extension loading in DuckDB if applicable; monitor for `INSTALL shellfs` or unexpected use of `read_csv('...|')`
-- Upgrade Grafana to a fixed version (see the official advisory linked below) and review all users with VIEWER+ access
-- Monitor admin API usage and unusual SQL Expression panels/queries
-
-See also
-- For loopback-only panel access: SSH port-forwarding notes in Tunneling and SSH pages
-- For environment secret harvesting and systemd environment vars: Linux Post-Exploitation page
-
-{{#ref}}
-../../generic-hacking/tunneling-and-port-forwarding.md
-{{#endref}}
-
-{{#ref}}
-../../linux-hardening/linux-post-exploitation/README.md
-{{#endref}}
 
 ## References