Forum Discussion
CVE-2024-0012 and CVE-2024-9474 (Palo Alto PAN-OS) – Offensive Question
Hi,
I am stuck on number 8 in this lab which is: What is the value you find in /root/token.txt?
I am having trouble trying to determine what vulnerability to exploit in order to obtain this token.
Can you please provide assistance to me regarding this step?
Regards,
Rocky
RockyRC this is all in the briefing. Admittedly the new layout seems a little clunky (Alot).
The only difference to the briefing is, instead of 'uname' use 'cat /root/token.txt'. X-PAN-AUTHCHECK OFF - no passwords ;)
Using the PHPSESSID it gives you in the response section. We are 'logged in', we can now poke the system to run our command as it doesn't work on its own.We can GET the response of our command in the public folder we defined earlier, either by using Burp or visiting the URL. $IP/unauth/random.php
This is just a range'ism, to get the answer to the question. The fun part is getting the shell and doing as you please. However simple exfiltration.
Let me know if this solution helps.
3 Replies
- CyberSharpe
Silver I
RockyRC this is all in the briefing. Admittedly the new layout seems a little clunky (Alot).
The only difference to the briefing is, instead of 'uname' use 'cat /root/token.txt'. X-PAN-AUTHCHECK OFF - no passwords ;)
Using the PHPSESSID it gives you in the response section. We are 'logged in', we can now poke the system to run our command as it doesn't work on its own.We can GET the response of our command in the public folder we defined earlier, either by using Burp or visiting the URL. $IP/unauth/random.php
This is just a range'ism, to get the answer to the question. The fun part is getting the shell and doing as you please. However simple exfiltration.
Let me know if this solution helps. - RockyRC
Bronze II
CyberSharpe - If though after running: $IP/unauth/random.php, I saw "root" as the answer.
But your solution helped clarify things overall, thank you. - CyberSharpe
Silver I
Happy to assist :)