From nmap, there are 3 ports opened.

Local Picture

This is the web page on port 8500.

Local Picture

If we click the folder CFIDE/, we will be brought to this administrator login page.

Local Picture

I search coldfusion in msf, use the module windows/http/coldfusion_fckeditor and run with burp suite. It seems that we successfully upload a .jsp reverse shell.

Local Picture

The file is indeed uploaded.

Local Picture

And we can get a reverse shell as ARCTIC\tolis

Local Picture

I use the module post/multi/recon/local_exploit_suggester, and choose the one started with ms10_092, and now, we are NT AUTHORITY\SYSTEM.

Local Picture