Web


Nmap discovered a web server on the target port 80. The running service is Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor).

Webroot: it's the web application for the PRTG Network Monitor.

Authentication


Attempting to authenticate to the web application using the credential found fails.

I tried again by changing the password to PrTg@dmin2019 and it worked.

It somewhat makes sense, considering that the credential was found in the older configuration backup file, which was made in the year 2018. The later configuration file was last modified in the year 2019.

Vulnerability


┌──(kali㉿kali)-[~/archive/htb/labs/netmon]
└─$ searchsploit PRTG
------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                |  Path
------------------------------------------------------------------------------ ---------------------------------
PRTG Network Monitor 18.2.38 - (Authenticated) Remote Code Execution          | windows/webapps/46527.sh
PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS                         | windows/webapps/49156.txt
PRTG Network Monitor < 18.1.39.1648 - Stack Overflow (Denial of Service)      | windows_x86/dos/44500.py
PRTG Traffic Grapher 6.2.1 - 'url' Cross-Site Scripting                       | java/webapps/34108.txt
------------------------------------------------------------------------------ ---------------------------------
shellcodes: No Results
papers: No Results

Searching for exploits on the local Exploit-DB shows an authenticated RCE. Although it targets version 18.2.38, the target web application is likely vulnerable, as its version is fairly close: 18.1.37.13946. The bash script itself targets [[netmon_cve-2018-9276#cve-2018-9276|CVE-2018-9276]].
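The version reasoning above can be made explicit. This is an added example, not part of the original write-up or of searchsploit: it parses the rows shown in the output above and compares each listed version with the detected one, separating titles that state a range (`<`) from titles that name a single version. The function names (`classify`, `triage`) and verdict labels are hypothetical.

```python
import re

# Rows copied from the searchsploit output on this page.
ROWS = """\
PRTG Network Monitor 18.2.38 - (Authenticated) Remote Code Execution          | windows/webapps/46527.sh
PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS                         | windows/webapps/49156.txt
PRTG Network Monitor < 18.1.39.1648 - Stack Overflow (Denial of Service)      | windows_x86/dos/44500.py
PRTG Traffic Grapher 6.2.1 - 'url' Cross-Site Scripting                       | java/webapps/34108.txt
"""
DETECTED = "18.1.37.13946"        # version from the Nmap service banner
PRODUCT = "PRTG Network Monitor"  # product identified on the webroot

# "<product> [<] <dotted version> - <issue> | <path>"
ROW_RE = re.compile(r"^(?P<product>.+?)\s+(?P<op><)?\s*(?P<ver>\d+(?:\.\d+)+)"
                    r"\s+-\s+(?P<issue>.+?)\s*\|\s*(?P<path>\S+)$")

def parse_version(text):
    return tuple(int(part) for part in text.split("."))

def compare(a, b):
    """Return -1, 0 or 1; the shorter version is padded with zeros."""
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return (a > b) - (a < b)

def classify(row, detected=DETECTED, product=PRODUCT):
    """Return (path, verdict) for one row, or None if it does not parse."""
    m = ROW_RE.match(row.strip())
    if m is None:
        return None
    if m["product"] != product:
        return m["path"], "different-product"
    order = compare(parse_version(detected), parse_version(m["ver"]))
    if m["op"] == "<":  # title states an upper bound: a real range check
        return m["path"], "in-range" if order < 0 else "out-of-range"
    # Exact-version title: only says where the issue was demonstrated.
    verdict = {0: "exact", -1: "older-than-listed", 1: "newer-than-listed"}[order]
    return m["path"], verdict

def triage(rows=ROWS):
    """Map each exploit path to its verdict for the detected version."""
    return dict(r for r in map(classify, rows.splitlines()) if r)

if __name__ == "__main__":
    for path, verdict in triage().items():
        print(f"{verdict:18} {path}")
```

Both exact-version rows come back as `older-than-listed`, so the title alone cannot separate the 18.2.38 entry from the 20.4.63.1412 one; the affected range still has to be confirmed against the advisory for the CVE.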