When Your VPN Opens Your Private Network to the Public | Hacktron AI
Overview
Jailbreaking PAN-OS VM
Mapping Attack Surface
Architecture
What is CAS?
Discovery
Getting Certificates
Getting CSP ID
Exploitation
Conclusion
Disclosure Timeline
References
rootxharsh
May 20, 2026, 10 min read
While I’m not doing product work at Hacktron, which is like a week in a month, I’ve been using that time to ride the AI-assisted research wave, fascinated by the idea of pushing past what I’d normally do as a web security researcher: things like finding memory corruption bugs and exploiting them in OSS. Another area for me was enterprise apps that come with stripped binaries, and I was curious how I could leverage Claude to go beyond and hack some of these. A few enterprise software products are well known for shipping stripped binaries:
Palo Alto PAN-OS
F5
Fortinet
I started looking into each of them and got a VM running for all of them. The first challenge was simply jailbreaking the VM to get root access. I sat down with Claude Opus 4.6 and wandered around until we found a way to get root into the VM while keeping the license valid on AWS. This is one area where I found the LLM-assisted approach very useful. Previously, this tedious task of setting up the software, jailbreaking, etc. would take lots of time. While working for the httpvoid blog or at projectdiscovery, I’d see myself setting up software, finding ways around, hacky ways to get into VMs, etc. I think a lot of researchers would realize how tedious and often boring this process is, though it is very important.
Jailbreaking PAN-OS VM
The PAN-OS VM-Series runs as an AWS Marketplace AMI, which attaches a product code to the EBS snapshot. This prevents you from mounting the volume on a regular EC2 instance. To bypass this, Claude created a snapshot of the running PAN-OS instance, then used the EBS Direct APIs to write the blocks into a new snapshot. The new snapshot contains an identical block-level copy of the filesystem but has no product code attached to it. Then it created a volume from this clean snapshot, attached it to an EC2 instance, mounted it, and woot, we had full read access to the PAN-OS filesystem. However, this wasn’t enough for proper live-environment debugging, and Claude later managed to get direct root on a running instance, all without supervision from me. It just gave me everything I needed to start hacking, which was cool!
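For teams that run marketplace appliances in their own AWS accounts, the snapshot rebuild described above leaves a recognisable trail in CloudTrail. The following is an added example, not code from the original post: it flags principals that read snapshot blocks and then write a new snapshot through the EBS direct APIs. The sample records, role names, account ID and the one-hour window are constructed assumptions, as is the assumption that the blocks are read with `ListSnapshotBlocks`/`GetSnapshotBlock`.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EBS_SOURCE = "ebs.amazonaws.com"  # CloudTrail eventSource for the EBS direct APIs
READ_CALLS = {"ListSnapshotBlocks", "GetSnapshotBlock"}
# The block-level calls are CloudTrail data events and must be enabled to be logged.
WRITE_CALLS = {"StartSnapshot", "PutSnapshotBlock", "CompleteSnapshot"}

def _ev(time, source, name, role):
    # Builds a constructed CloudTrail record, trimmed to the fields used below.
    arn = f"arn:aws:sts::111122223333:assumed-role/{role}/session"
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}}

# Constructed sample data; role names and the account ID are placeholders.
SAMPLE_EVENTS = [
    _ev("2026-01-10T09:00:00Z", EBS_SOURCE, "ListSnapshotBlocks", "backup-reader"),
    _ev("2026-01-10T09:00:03Z", EBS_SOURCE, "GetSnapshotBlock", "backup-reader"),
    _ev("2026-01-10T09:58:00Z", "ec2.amazonaws.com", "CreateSnapshot", "lab-admin"),
    _ev("2026-01-10T10:00:00Z", EBS_SOURCE, "ListSnapshotBlocks", "lab-admin"),
    _ev("2026-01-10T10:00:05Z", EBS_SOURCE, "GetSnapshotBlock", "lab-admin"),
    _ev("2026-01-10T10:02:00Z", EBS_SOURCE, "StartSnapshot", "lab-admin"),
    _ev("2026-01-10T10:02:10Z", EBS_SOURCE, "PutSnapshotBlock", "lab-admin"),
    _ev("2026-01-10T10:05:00Z", EBS_SOURCE, "CompleteSnapshot", "lab-admin"),
    _ev("2026-01-10T11:00:00Z", EBS_SOURCE, "StartSnapshot", "restore-writer"),
    _ev("2026-01-10T11:00:09Z", EBS_SOURCE, "PutSnapshotBlock", "restore-writer"),
]

def find_snapshot_rebuilds(events, window=timedelta(hours=1)):
    """Return ARNs that read snapshot blocks and then wrote a new snapshot within `window`."""
    reads, writes = defaultdict(list), defaultdict(list)
    for ev in events:
        if ev.get("eventSource") != EBS_SOURCE:
            continue
        when = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        arn = ev.get("userIdentity", {}).get("arn", "unknown")
        if ev["eventName"] in READ_CALLS:
            reads[arn].append(when)
        elif ev["eventName"] in WRITE_CALLS:
            writes[arn].append(when)
    flagged = []
    for arn in sorted(reads.keys() & writes.keys()):
        # A write that closely follows a read is the copy pattern; reads alone
        # (backup tooling) or writes alone (restores) are not flagged.
        if any(timedelta(0) <= w - r <= window for r in reads[arn] for w in writes[arn]):
            flagged.append(arn)
    return flagged

if __name__ == "__main__":
    print(find_snapshot_rebuilds(SAMPLE_EVENTS))
```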
Mapping Attack Surface
After getting root shell access, my first prompt was to gather all running processes, get all configs and binaries related to them in a local dir, and start mapping out how everything is wired up. So I let Claude go do this chore on its own, and in the meantime I also started exploring on my own. I was mainly interested in finding attack surface that would affect the GlobalProtect portal, as enterprises don’t keep the PAN-OS management portal exposed, so I was not very interested in it or the PHP attack surface.
While looking into the auth mechanisms that we can attach to the GlobalProtect portal, SAML and CAS struck me as good candidates.
Initially I started working on SAML, as I’m quite familiar with it from hacking GitHub and GitLab SAMLs. It was fun to dive into a SAML implementation that’s behind binaries using Ghidra MCP; I assumed it would be tougher to navigate/reverse but a less explored attack surface. I did manage to find interesting things like the use of multiple XML libraries (libxml2, Xerces-C/OpenSAML (OSS)) where some functions were namespace-blind while others weren’t, creating inconsistency. As you might know, working on SAML requires everything to align very properly, and I figured maybe I should focus on other auth mechanisms first and come back to this later. I believe there are bugs to be found here, or maybe the Palo Alto team will find them, given they have Claude Mythos access.
Architecture
Personally, I first like to understand what the architecture is like, what the trust boundaries are, and what things talk to what. So after a few hours of poking around the box with Claude, here’s the visual chart of how GlobalProtect auth works at a high level:
The sslmgr, authd,...