This starts with an unauthenticated path traversal in Grafana that leads to the SQLite db, revealing MySQL remote access and SSH creds. Root access then comes from registering a service via the Consul API, using a leaked token obtained through a git commit.
Check the detailed blog here.
The old link is broken. You can now use this one. https://elf1337.github.io/ambassador/