Scenario

The SOC team has identified suspicious activity on a web server within the company's intranet. To better understand the situation, they have captured network traffic for analysis. The PCAP file may contain evidence of malicious activities that led to the compromise of the Apache Tomcat web server. Your task is to analyze the PCAP file to understand the scope of the attack.

https://cyberdefenders.org/blueteam-ctf-challenges/tomcat-takeover/


Q1: Given the suspicious activity detected on the web server, the PCAP file reveals a series of requests across various ports, indicating potential scanning behavior. Can you identify the source IP address responsible for initiating these requests on our server?

14.0.0.120

Statistics > Conversations > TCP
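
The scan detection behind Q1, as an added example that is not part of the original write-up: a stdlib-only Python parser that walks a libpcap file, keeps SYN-only TCP packets, and counts distinct destination ports per source/destination pair, the same grouping Wireshark shows under Statistics > Conversations > TCP. The capture is constructed inline; the server address 10.0.0.112, the client 10.0.0.50 and the min_ports threshold are assumptions, not values from the challenge.

```python
import struct
from collections import defaultdict

def ipv4_tcp_syn_frame(src, dst, sport, dport):
    """Ethernet/IPv4/TCP SYN frame with zero checksums (constructed test data only)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp

def build_pcap(frames):
    """Wrap raw frames in a little-endian libpcap file (link type 1 = Ethernet)."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in enumerate(frames):
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def tcp_packets(pcap):
    """Yield (src, dst, sport, dport, tcp_flags) for every IPv4/TCP packet in a pcap."""
    endian = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24
    while off + 16 <= len(pcap):
        caplen = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                              # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        sport, dport = struct.unpack(">HH", tcp[:4])
        yield src, dst, sport, dport, tcp[13]

def find_scanners(pcap, min_ports=10):
    """Distinct ports hit by bare SYNs per (src, dst) pair, like Wireshark's
    Statistics > Conversations > TCP; keep pairs that reached min_ports or more."""
    probed = defaultdict(set)
    for src, dst, _, dport, flags in tcp_packets(pcap):
        if flags & 0x02 and not flags & 0x10:     # SYN without ACK: new connection attempt
            probed[(src, dst)].add(dport)
    return {pair: len(ports) for pair, ports in probed.items() if len(ports) >= min_ports}

# Constructed capture: 14.0.0.120 sweeps 30 ports on the web server (10.0.0.112 is a
# placeholder address), while a normal client only ever connects to Tomcat on 8080.
SAMPLE_PCAP = build_pcap(
    [ipv4_tcp_syn_frame("14.0.0.120", "10.0.0.112", 40000 + p, p) for p in range(1, 31)]
    + [ipv4_tcp_syn_frame("10.0.0.50", "10.0.0.112", 51000 + i, 8080) for i in range(5)]
)
```

Point `tcp_packets` at the bytes of the challenge PCAP instead of `SAMPLE_PCAP` to reproduce the Q1 result; the legitimate client never crosses the threshold because it only ever reaches one port.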

Q2: Based on the identified IP address associated with the attacker, can you identify the country from which the attacker's activities originated?

China

https://ipgeolocation.io/ip-location-api.html
