Pentesting PRTG Network Monitor
PRTG Network Monitor is agentless network monitoring software. It can be used to monitor bandwidth usage and uptime and to collect statistics from various hosts, including routers, switches, servers, and more. The first version of PRTG was released in 2003.
We can quickly discover PRTG from an Nmap scan. It can typically be found on common web ports such as 80, 443, or 8080.
Default credentials
prtgadmin:prtgadmin
We can try to fuzz credentials as well; another combination we may find is:
prtgadmin:Password123
Version
In the Login page footer. Also:
RCE
CVE-2018-9276 is an authenticated command injection in the PRTG System Administrator web console, affecting PRTG Network Monitor before version 18.2.39.
PRTG < 18.2.39 Command Injection Vulnerability
Blog post explaining how the vulnerability was discovered: https://codewatch.org/2018/06/25/prtg-18-2-39-command-injection-vulnerability/
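To triage an inventory of PRTG instances against the 18.2.39 threshold above, here is an added example that is not from the original page or from the PRTG vendor: it pulls the version string out of saved login-page footer text and compares it with the fixed release. The footer wording and the sample strings are constructed assumptions, not captures from a real host.

```python
import re

# CVE-2018-9276 is fixed in PRTG Network Monitor 18.2.39; anything below is affected.
FIXED_VERSION = (18, 2, 39)

# Assumed footer format: "PRTG Network Monitor <major>.<minor>.<build>[.<revision>]"
VERSION_RE = re.compile(r"PRTG Network Monitor\s+(\d+(?:\.\d+){1,3})")


def parse_version(text: str):
    """Return the PRTG version as a tuple of ints, or None if no banner is present."""
    match = VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def is_vulnerable_to_cve_2018_9276(version) -> bool:
    """True when the version is strictly below 18.2.39.

    Only major.minor.build are compared; the trailing revision number is ignored.
    A truncated version such as "18.2" is padded with zeros, so it is treated
    conservatively (as older than any 18.2.x build) rather than silently skipped.
    """
    if version is None:
        raise ValueError("no PRTG version banner found in the supplied text")
    core = (tuple(version) + (0, 0, 0))[:3]
    return core < FIXED_VERSION


def assess_footer(text: str) -> str:
    """Summarise one saved footer as a short triage verdict."""
    version = parse_version(text)
    if version is None:
        return "unknown: no PRTG banner"
    label = ".".join(str(p) for p in version)
    if is_vulnerable_to_cve_2018_9276(version):
        return f"vulnerable: {label} < 18.2.39 (CVE-2018-9276)"
    return f"patched: {label} >= 18.2.39"


# Constructed sample footers for demonstration only.
SAMPLE_VULNERABLE = '<div class="footer">PRTG Network Monitor 18.1.37.13946</div>'
SAMPLE_PATCHED = '<div class="footer">PRTG Network Monitor 18.2.41.1652</div>'

if __name__ == "__main__":
    for sample in (SAMPLE_VULNERABLE, SAMPLE_PATCHED, "<html>no banner</html>"):
        print(assess_footer(sample))
```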
Steps:
1. To begin, mouse over Setup in the top right, then the Account Settings menu, and finally click on Notifications.
2. Next, click on Add new notification.
3. Give the notification a name and scroll down and tick the box next to EXECUTE PROGRAM. Under Program File, select Demo exe notification - outfile.ps1 from the drop-down. Finally, in the parameter field, enter a command. For our purposes, we will add a new local admin user by entering
4. After clicking Save, we will be redirected to the Notifications page and see our new notification named pwn in the list.
5. Click the Test button to run our notification and execute the command to add a local admin user. After clicking Test, we will get a pop-up that says EXE notification is queued up.
6. Since this is a blind command execution, we won't get any feedback, so we'd have to either check our listener for a connection back or, in our case, check to see if we can authenticate to the host as a local admin.
7. Use CrackMapExec, WinRM, RDP, Evil-WinRM, or Impacket tools such as wmiexec.py or psexec.py to confirm local admin access.
Last update: 2025-02-07 Created: February 7, 2025 22:46:37