π― Objective: Exploit PRTG Network Monitor's command injection vulnerability (CVE-2018-9276) for authenticated remote code execution through notification system abuse.
Overview
PRTG Network Monitor is an agentless network monitoring software running on Windows. Common ports: 80, 443, 8080. Vulnerable versions < 18.2.39 suffer from authenticated command injection in notification parameters.
HTB Academy Lab Solutions
Lab 1: Version Discovery
Question: "What version of PRTG is running on the target?"
# Nmap service detectionnmap-A-PnSTMIP# Result shows:# 8080/tcp open http Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)# |_http-server-header: PRTG/18.1.37.13946
Answer:18.1.37.13946
Lab 2: RCE via Command Injection
Question: "Attack the PRTG target and gain remote code execution. Submit the contents of the flag.txt file on the administrator Desktop."
Step 1: Access PRTG Interface
Step 2: Create Malicious Notification
Setup β Account Settings β Notifications
Add new notification (name: any)
Enable "Execute Program"
Program File:Demo exe notification - outfile.ps1
Parameter:
Save notification
Step 3: Execute Command Injection
Click Test button to trigger notification
Command executes: creates user + adds to administrators
Step 4: Verify Access
Step 5: Remote Access & Flag
Answer:WhOs3_m0nit0ring_wH0?
Attack Summary
Vulnerability: CVE-2018-9276 - Authenticated Command Injection
Method: Notification parameter injection β PowerShell execution
Requirements: Valid PRTG credentials
Impact: Full system compromise with administrative privileges
π‘ Key Point: PRTG notification system directly passes parameters to PowerShell without sanitization, enabling arbitrary command execution.