
The server racks are meticulously labeled, but the labels have faded over time and are dust-covered, adding to the challenge of locating the correct equipment. The room is lit by rows of LED lights that cast stark, angular shadows across the banks of servers. Each server's status lights blink in a hypnotic rhythm, punctuating the room's dim ambiance. The walls are lined with diagrams and network maps, slightly yellowed with age and illuminated by the glow of a nearby workstation monitor.

The constant hum of the cooling systems is interrupted by the occasional high-pitched whine of an overworked server. Soft clicks and the whirr of hard drives never stop, as data flows through this nerve center of the power plant. Every so often the sharp beep of an alert from an overlooked diagnostic running on one of the screens breaks the monotony.

The air is cool and dry, as a server room should be, but it carries a faint metallic tang of ozone. The floor is a raised grid that lets cables run beneath it, and every step echoes with a hollow thud, adding to the sense of isolation and urgency.

One rack in particular is labeled “Corporate IT”. On closer inspection you recognize the distinctive blue faceplate of a Palo Alto firewall – could this be it?

Looking over the workstation, you notice a USB device plugged in with the tell-tale signs of a serial console adapter. Following its cable leads back to the Palo Alto you just identified. Maybe this workstation is already logged into the device?

Bringing the workstation to life with a nudge of the mouse, you are greeted by a locked login screen. As you try to think about “What might be a good password to try?”, your mind wanders to the re-run of “Terminator 2” that you watched last night – and it hits you. John taught the Terminator that the keys are sometimes hidden in plain sight… could it be that simple?

You flip over the keyboard to reveal a sticky note with “NoFateButWhatWeMake” written on it. Really?

You try the password, and it unlocks the workstation. Amazingly, a browser tab is still logged into the Palo Alto management console – and in another tab the download page for the CVE-2024-3400 fix is open, and it looks like the right package has already been downloaded. The console shows the device is running PAN-OS 10.2.7, and from your recent experience with this particular vulnerability you know that this release is affected and the fix has not been applied.

With a CLI session open on the firewall as well, you run the check from the Palo Alto advisory for this CVE…

grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log*

And you are greeted by a bad sign…

{"level":"error","task":"15661-7","time":"2024-04-13T09:57","message":"failed to unmarshal session(.././.././.././.././.././.././.././.././../opt/panlogs/tmp/device_telemetry/minute/'}|{echo,Y3AgL29wdC9wYW5jZmcvbWdtdC9zYXZlZC1jb25maWdzL3J1bm5pbmctY29uZmlnLnhtbCAvdmFyL2FwcHdlYi9zc2x2cG5kb2NzL2dsb2JhbC1wcm90ZWN0L211amVlc3piemdkaGNndXYuY3Nz}|{base64,-d}|bash|{') map , EOF"}
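If you want to run the same indicator over an exported copy of gpsvc.log offline (or over more lines than the CLI pager shows), here is an added example, not part of the original write-up and not Palo Alto tooling: a small Python scanner that applies the advisory's indicator to each line, parses the JSON record, flags session IDs that contain a slash (a legitimate session ID never does), and decodes the {echo,...}|{base64,-d} stage so the injected command is readable. The sample log is constructed: its third line is the hit shown above, the others are hand-written filler to exercise the negative paths.

```python
import base64
import json
import re
from typing import Dict, List, Optional

# Constructed sample of what `mp-log gpsvc.log` might contain. The third line
# is the hit from the page; the others are hand-written filler (an info line,
# a non-JSON line, a benign unmarshal error with a normal session ID).
SAMPLE_GPSVC_LOG = """\
{"level":"info","task":"15661-6","time":"2024-04-13T09:55","message":"session manager started"}
Apr 13 09:56:00 gpsvc: not a JSON line, the parser must not choke on it
{"level":"error","task":"15661-7","time":"2024-04-13T09:57","message":"failed to unmarshal session(.././.././.././.././.././.././.././.././../opt/panlogs/tmp/device_telemetry/minute/'}|{echo,Y3AgL29wdC9wYW5jZmcvbWdtdC9zYXZlZC1jb25maWdzL3J1bm5pbmctY29uZmlnLnhtbCAvdmFyL2FwcHdlYi9zc2x2cG5kb2NzL2dsb2JhbC1wcm90ZWN0L211amVlc3piemdkaGNndXYuY3Nz}|{base64,-d}|bash|{') map , EOF"}
{"level":"error","task":"15661-9","time":"2024-04-13T09:59","message":"failed to unmarshal session(b7f3e2a1) map , EOF"}
"""

# The advisory's grep is `failed to unmarshal session(.\+.\/`: a session ID
# that contains a slash. We capture everything up to the closing parenthesis
# (greedy, so parentheses inside an injected payload do not cut it short) and
# apply the slash test afterwards.
UNMARSHAL_RE = re.compile(r"failed to unmarshal session\((?P<sid>.+)\)")

# Bash brace-expansion stage seen in the hit: {echo,<base64>}|{base64,-d}
B64_STAGE_RE = re.compile(r"\{echo,(?P<b64>[A-Za-z0-9+/=]+)\}\|\{base64,-d\}")


def decode_b64_stage(payload: str) -> Optional[str]:
    """Return the decoded {echo,...}|{base64,-d} stage, or None if absent/invalid."""
    m = B64_STAGE_RE.search(payload)
    if not m:
        return None
    blob = m.group("b64")
    blob += "=" * (-len(blob) % 4)  # tolerate padding stripped by the attacker
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def scan_gpsvc_log(text: str) -> List[Dict[str, object]]:
    """Apply the advisory's indicator to every line and enrich each hit."""
    findings: List[Dict[str, object]] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            record = {}
        if not isinstance(record, dict):
            record = {}
        # Garbled or non-JSON lines: scan the raw text rather than skip it.
        message = str(record.get("message", line))
        m = UNMARSHAL_RE.search(message)
        if not m or "/" not in m.group("sid"):
            continue  # no match, or a plain bad session ID (no slash, not the indicator)
        sid = m.group("sid")
        findings.append({
            "line": lineno,
            "time": record.get("time"),
            "task": record.get("task"),
            "session_id": sid,
            "traversal": sid.startswith(".."),
            "decoded_command": decode_b64_stage(sid),
        })
    return findings


if __name__ == "__main__":
    for hit in scan_gpsvc_log(SAMPLE_GPSVC_LOG):
        print(f"line {hit['line']} task {hit['task']} at {hit['time']}: "
              f"traversal={hit['traversal']}")
        print("  decoded stage:", hit["decoded_command"])
```

Decoding the stage is the point: the command copies running-config.xml into the GlobalProtect web directory under /var/appweb/sslvpndocs/, i.e. the firewall's own configuration (credentials and keys included) was staged where it could be fetched over HTTPS. That is why a hit on this indicator is an incident to scope, not just a patch to apply.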

With little choice left, you decide to apply the patch and reboot the firewall. The patch closes the hole, but the log line shows the running configuration was already copied into a web-served directory, so the credentials and keys it contains have to be treated as exposed.

Question 6: What is the default baud rate for a Palo Alto firewall console port?
