CVE-2024-0012 and CVE-2024-9474 (Palo Alto PAN-OS) – Offensive Question

RockyRC​ this is all in the briefing. Admittedly the new layout seems a little clunky (Alot).

The only difference to the briefing is, instead of 'uname' use 'cat /root/token.txt'. X-PAN-AUTHCHECK OFF - no passwords ;)

Using the PHPSESSID it gives you in the response section. We are 'logged in', we can now poke the system to run our command as it doesn't work on its own.

We can GET the response of our command in the public folder we defined earlier, either by using Burp or visiting the URL. $IP/unauth/random.php

This is just a range'ism, to get the answer to the question. The fun part is getting the shell and doing as you please. However simple exfiltration.

Let me know if this solution helps.