# Peering into Grofers' Grafana: My Shodan Encounter

**Hello People**

After a long time, I found one interesting bug in **Grofers** using a simple **Shodan** search. The vulnerability could have allowed an attacker to access the internal API monitoring dashboard of **Grofers**. This is my 2nd report to the **Grofers Security team**.

**What is shodan?**

[Shodan](https://www.shodan.io/), a search engine for all ports within the internet, can help enterprises identify and lock down security vulnerabilities Shodan is the search engine for everything on the internet.

**Exploit Scenario:**

Always my bug bounty journey I will start with shodan search or [crt.sh](https://crt.sh/) (subdomain enumeration). Recently I found a bug on [**Dunzo**](https://infosecwriteups.com/how-i-got-access-dunzo-internal-dashboard-177104e2786f) using `crt.sh`.

Started with simple Shodan dork `ssl:grofers`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708238733454/953f627e-9ef9-480b-9e28-4675ae4191f9.png align="center")

I found multiple hosts related to the **Grofers** domain. But I observed one interesting host. Immediately opened that host and it’s a [**Grafana instance**](https://grafana.com/) login dashboard…

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708238820222/b3b48de4-048e-4a64-a112-e2a30a6c3bf2.png align="center")

But I don’t know the username and password

Entered default username and password like `admin: admin`

But the interesting part here is…when I entered the username & password `admin: admin`, the login page redirected me to the new password page, and got an alert `Logged in`.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708239007247/84365e67-5fcb-4b8e-9c71-ee0619be9993.png align="center")

Then again entered the password as `admin`**.** At the same time, 2 alerts popped up `Invalid or expired reset password` code and `User password changed`

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708239102334/fd9eb6b1-2a76-40cf-aa06-c0e449cce963.png align="center")

The password got updated. I can access the complete Grafana instance.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1708239210338/926d5a0a-2937-4293-80d2-b87d9d3a208f.png align="center")

Then I created a report along with POC and submitted it to **Grofers security team.**

**Report Timeline:**

* **08 Dec 2020** - Reported to Grofers Security Team
    
* **09 Dec 2020** -  First response from the team
    
* **15 Dec 2020** - Issue fixed
    
* **02 Sep 2021** -  Received ₹**25k**Bounty + Hall of fame + Appreciation letter
