Pentest Notes
  • 🏠/home/x3m1Sec/.pt-notes
  • πŸ“Pentest Notes
    • πŸ”Information Gathering
    • πŸ“œProtocols and Services
      • DNS
      • FTP
      • IMAP
      • IPMI
      • MSSQL
      • MySQL
      • NFS
      • Oracle TNS
      • POP3
      • RDP
      • SMB
      • SMTP
      • SNMP
    • πŸ•ΈοΈWeb Applications
      • Web Attacks
        • Cross Site Scripting (XSS)
        • SQL Injection (SQLi)
        • File Upload Vulnerabilities
        • Insecure Direct Object References (IDOR)
        • OS Command Injection
        • Local File Inclusion (LFI)
        • Remote File Inclusion (RFI)
        • XML External Entities (XXE)
        • HTTP Verb Tampering
      • Web Technologies
        • Tomcat
        • CGI Applications
        • WordPress
        • SAP Netweaver
        • Joomla
        • Drupal
        • Gitlab
        • Jenkins
        • Microsoft IIS
        • osTicket
        • PRTG Network Monitor
        • Splunk
      • Fuzzing
    • πŸ“‚Active Directory
      • Initial Access
      • Internal Enumeration & Lateral Movement
      • Privilege Escalation to Domain Admin using Known Exploits
      • Domain Trusts
    • 🐧Linux Privilege Escalation
      • Enumerating Attack Vectors
      • Privileged Groups
      • Environment Variables Abuse
      • Capabilities Abuse
      • Programs, Jobs and Services
      • Miscellaneous Techniques
      • Recent CVEs
    • πŸͺŸWindows Privilege Escalation
      • Enumerating Attack Vectors
      • Excessive User Rights Abuse
      • Built-in Groups Abuse
      • File System ACLs
      • Services Hijacking
      • User Account Control (UAC) Bypass
      • Living off the Land
    • πŸ›Bug Bounty Hunting
      • Bug Bounty Tools
    • πŸ‘ΎUtilities, Scripts and Payloads
      • Shells and Payloads
      • Metasploit Framework
      • File Transfers
      • Pivoting, Tunneling, Port Forwarding
      • Password Attacks
  • πŸŽ“My Certifications
    • eJPTv2
      • My review
    • CPTS
      • CheatSheet
Powered by GitBook
On this page
  • Introduction
  • PRTG Network Monitor Authenticated RCE [CVE-2018-9276]
  1. Pentest Notes
  2. Web Applications
  3. Web Technologies

PRTG Network Monitor

PreviousosTicketNextSplunk

Last updated 13 days ago

Introduction

  • Network monitor software, prevalent in internal networks

  • Typical ports: 80, 443, 8080

  • Default credentials: prtgadmin:prtgadmin

PRTG Network Monitor Authenticated RCE [CVE-2018-9276]

  • Affected versions: versions prior to 18.2.39

  • Resources: and

  • Description: When creating a new notification, the Parameter field is passed directly into a PowerShell script without any type of input sanitization

  • Steps to reproduce:

    1. Login β†’ Setup β†’ Account Settings menu β†’ Notifications β†’ Add new notification

    2. Give the notification a name

    3. Scroll down and tick the box next to EXECUTE PROGRAM

    4. Under Program File, select Demo exe notification - outfile.ps1 from the drop-down.

    5. In the parameter field, enter a command.

    6. Example - add a new local admin user:

    7. test.txt;net user prtgadm1 Pwn3d_by_PRTG! /add;net localgroup administrators prtgadm1 /add

    8. After clicking Save, we will be redirected to the Notifications page and see our new notification named pwn in the list.

    9. Click on Test or Run to xecute the notification and run the command

πŸ“
πŸ•ΈοΈ
https://nvd.nist.gov/vuln/detail/CVE-2018-9276
https://www.codewatch.org/blog/?p=453