RockyRC
24 days ago
Solved

CVE-2024-0012 and CVE-2024-9474 (Palo Alto PAN-OS) – Offensive Question

Hi,

I am stuck on number 8 in this lab which is: What is the value you find in /root/token.txt?
I am having trouble trying to determine what vulnerability to exploit in order to obtain this token.

Can you please provide assistance to me regarding this step?

Regards,

Rocky

  • RockyRC​ this is all in the briefing. Admittedly the new layout seems a little clunky (a lot).

    The only difference to the briefing is, instead of 'uname' use 'cat /root/token.txt'. X-PAN-AUTHCHECK OFF - no passwords ;)


    Using the PHPSESSID it gives you in the response section. We are 'logged in', we can now poke the system to run our command as it doesn't work on its own.

    We can GET the response of our command in the public folder we defined earlier, either by using Burp or visiting the URL. $IP/unauth/random.php

    This is just a range'ism, to get the answer to the question. The fun part is getting the shell and doing as you please. However simple exfiltration.

    Let me know if this solution helps.
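
A defender-side view of the traffic described in the answer above, as an added example that is not part of the original thread or the lab briefing: it scans proxy logs for a client-supplied X-PAN-AUTHCHECK header and for follow-up fetches of PHP files under /unauth/ from the same source. The JSON log format, field names, paths and addresses are constructed assumptions; only the header name and the /unauth/ location come from the thread.

```python
import json
import re

# Constructed sample: JSON lines from a hypothetical reverse proxy that logs
# request headers. Field names, paths and addresses are made up for the example.
SAMPLE_LOG = """
{"src": "198.51.100.7", "method": "GET", "path": "/", "headers": {"User-Agent": "Mozilla/5.0"}}
{"src": "203.0.113.50", "method": "POST", "path": "/constructed/endpoint.php", "headers": {"X-PAN-AUTHCHECK": "OFF"}}
{"src": "203.0.113.50", "method": "GET", "path": "/unauth/random.php", "headers": {"Cookie": "PHPSESSID=constructed"}}
{"src": "198.51.100.7", "method": "GET", "path": "/unauth/other.php", "headers": {}}
not-json
"""

AUTH_HEADER = "x-pan-authcheck"  # header name from the thread, compared case-insensitively
UNAUTH_PHP = re.compile(r"^/unauth/[^/?#]+\.php(?:[?#]|$)", re.IGNORECASE)


def find_suspicious(log_text):
    """Return (line_number, source, reason) tuples for requests worth triage."""
    findings = []
    header_sources = set()  # sources that have sent the auth-check header
    for lineno, line in enumerate(log_text.strip().splitlines(), 1):
        try:
            event = json.loads(line)
            if not isinstance(event, dict):
                raise ValueError("log entry is not a JSON object")
        except ValueError:  # JSONDecodeError is a subclass of ValueError
            findings.append((lineno, None, "unparseable log line"))
            continue
        src = event.get("src")
        headers = {k.lower(): str(v).strip().lower()
                   for k, v in event.get("headers", {}).items()}
        # A client should never be the one asserting the auth-check result.
        if headers.get(AUTH_HEADER) == "off":
            header_sources.add(src)
            findings.append((lineno, src, "client sent X-PAN-AUTHCHECK: off"))
        # Follow-up fetch of a PHP file under /unauth/ by the same source.
        if src in header_sources and UNAUTH_PHP.match(event.get("path", "")):
            findings.append((lineno, src, "fetched /unauth/*.php after sending header"))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

The /unauth/ rule is deliberately correlated with the header so that an unrelated request from another source (line 4 of the sample) is not flagged.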

3 Replies

  • CyberSharpe​ - If though after running: $IP/unauth/random.php, I saw "root" as the answer.
    But your solution helped clarify things overall, thank you.