Port 8500


Nmap discovered that port 8500 is open and listening for connections, but wasn't able to identify the service.

┌──(kali㉿kali)-[~/archive/htb/labs/arctic]
└─$ nc -nv $IP 8500
(UNKNOWN) [10.10.10.11] 8500 (?) open

As expected, connecting to port 8500 with netcat doesn't return anything; otherwise, Nmap would have recorded it.

But navigating to it via a web browser shows 2 subdirectories, /cfide/ and /cfdocs/, which are likely related to ColdFusion, a web application development platform created by Adobe.

CFIDE stands for "ColdFusion Administrator and Integrated Development Environment" and is used for managing and configuring ColdFusion applications. cfdocs stands for "ColdFusion documentation" and contains documentation for the platform.

The application is likely a ColdFusion web application. The /CFIDE/ directory is the default location for the ColdFusion Administrator.

ColdFusion


Heading over to the /CFIDE/ directory revealed a list of files and subdirectories. The /CFIDE/Administrator/ directory is where the GUI Administrator panel is.

The /CFIDE/Administrator/ directory showed a login page. It also contains the version information: ColdFusion 8.
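
From the defender's side, requests to these two paths are what to look for in the web server's access log. The sketch below is an added example, not part of the original write-up: it assumes Common Log Format lines and a hypothetical management subnet (10.0.5.0/24), and flags any request to /CFIDE/ or /cfdocs/ that comes from outside it.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumption: only this (hypothetical) management subnet may reach the admin paths.
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.0.5.0/24")]
# The two paths named above; case-insensitive because both /cfide/ and /CFIDE/ appear.
SENSITIVE = re.compile(r"^/(cfide|cfdocs)(/|$)", re.IGNORECASE)
# Assumption: the access log is in Common Log Format.
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})')

def normalize(raw_path):
    """Drop the query string, percent-decode, and collapse repeated slashes."""
    path = unquote(raw_path.split("?", 1)[0])
    return re.sub(r"/{2,}", "/", path)

def flag_admin_exposure(lines, allowlist=ADMIN_ALLOWLIST):
    """Return (src_ip, path, status) for sensitive-path requests from outside the allowlist."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not in the assumed format
        src, raw_path, status = m.groups()
        path = normalize(raw_path)
        if not SENSITIVE.match(path):
            continue
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            ip = None  # logged as a hostname: cannot prove it is allowlisted
        if ip is not None and any(ip in net for net in allowlist):
            continue
        hits.append((src, path, int(status)))
    return hits

# Constructed sample lines, not taken from the host in this write-up.
SAMPLE = [
    '10.0.5.20 - - [01/Jan/2024:10:00:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 1024',
    '203.0.113.7 - - [01/Jan/2024:10:01:00 +0000] "GET /cfide/ HTTP/1.1" 200 2048',
    '203.0.113.7 - - [01/Jan/2024:10:01:05 +0000] "GET /%43FIDE/administrator/enter.cfm?x=1 HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] "GET //cfdocs/ HTTP/1.1" 200 300',
    '198.51.100.9 - - [01/Jan/2024:10:02:10 +0000] "GET /index.cfm HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for hit in flag_admin_exposure(SAMPLE):
        print(hit)
```

Normalizing before matching matters here: the percent-encoded and double-slash variants in the sample would slip past a plain string comparison against "/CFIDE/".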

┌──(kali㉿kali)-[~/archive/htb/labs/arctic]
└─$ searchsploit Adobe ColdFusion 8
------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                        |  Path
------------------------------------------------------------------------------------------------------ ---------------------------------
Adobe ColdFusion - 'probe.cfm' Cross-Site Scripting                                                   | cfm/webapps/36067.txt
Adobe ColdFusion - Directory Traversal                                                                | multiple/remote/14641.py
Adobe ColdFusion - Directory Traversal (Metasploit)                                                   | multiple/remote/16985.rb
Adobe ColdFusion 11 - LDAP Java Object Deserialization Remode Code Execution (RCE)                    | windows/remote/50781.txt
Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code Execution           | windows/remote/43993.py
Adobe ColdFusion 2018 - Arbitrary File Upload                                                         | multiple/webapps/45979.txt
Adobe ColdFusion 6/7 - User_Agent Error Page Cross-Site Scripting                                     | cfm/webapps/29567.txt
Adobe ColdFusion 7 - Multiple Cross-Site Scripting Vulnerabilities                                    | cfm/webapps/36172.txt
Adobe ColdFusion 8 - Remote Command Execution (RCE)                                                   | cfm/webapps/50057.py
Adobe ColdFusion 9 - Administrative Authentication Bypass                                             | windows/webapps/27755.txt
Adobe ColdFusion 9 - Administrative Authentication Bypass (Metasploit)                                | multiple/remote/30210.rb
Adobe ColdFusion < 11 Update 10 - XML External Entity Injection                                       | multiple/webapps/40346.py
Adobe ColdFusion APSB13-03 - Remote Multiple Vulnerabilities (Metasploit)                             | multiple/remote/24946.rb
Adobe ColdFusion Server 8.0.1 - '/administrator/enter.cfm' Query String Cross-Site Scripting          | cfm/webapps/33170.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_authenticatewizarduser.cfm' Query String Cross-Site | cfm/webapps/33167.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_logintowizard.cfm' Query String Cross-Site Scriptin | cfm/webapps/33169.txt
Adobe ColdFusion Server 8.0.1 - 'administrator/logviewer/searchlog.cfm?startRow' Cross-Site Scripting | cfm/webapps/33168.txt
------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results

ColdFusion 8 is vulnerable to RCE. Moving over to the exploitation phase.