ADSelfService is a very easy difficulty machine from HTB that features an authentication bypass and RCE vulnerability in ManageEngine's ADSelfService Plus.
nmap -sV -sC 10.129.227.78
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-07-14 00:06 EDT
Nmap scan report for 10.129.227.78
Host is up (0.014s latency).
Not shown: 988 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain        Simple DNS Plus
80/tcp   open  http
|_http-title: Site doesn't have a title (text/html;charset=UTF-8).
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 200 OK
|     Cache-Control: private
|     Expires: Thu, 01 Jan 1970 00:00:00 GMT
|     Set-Cookie: JSESSIONIDADSSP=7AE00B7C2F0558D7378863606D698972; Path=/; HttpOnly
|     Content-Type: text/html;charset=UTF-8
|     Content-Length: 259
|     Date: Sun, 14 Jul 2024 07:58:47 GMT
|     Connection: close
|     <!-- $Id$ -->
|     <html>
|     <head>
|     <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
|     <META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
|     <META HTTP-EQUIV="Expires" CONTENT="0">
|     <script>
|     location.href = 'showLogin.cc' + location.search;
|     </script>
|     </head>
|     </html>
|   HTTPOptions:
|     HTTP/1.1 405 Method Not Allowed
|     Cache-Control: private
|     Expires: Thu, 01 Jan 1970 00:00:00 GMT
|     Content-Length: 0
|     Date: Sun, 14 Jul 2024 07:58:47 GMT
|     Connection: close
|   RTSPRequest:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 1897
|     Date: Sun, 14 Jul 2024 07:58:47 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 400
|     Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400
|_    Request</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> Invalid character found in the HTTP protocol [RTSP/1.00x0d0x0a0x0d...]</p><p><b>Description</b> The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, i
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-07-14 07:58:47Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: panda.htb, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds  Windows Server 2016 Standard 14393 microsoft-ds (workgroup: PANDA)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: panda.htb, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
I checked for anonymous LDAP or SMB as a quick win, but didn't find anything.
Checking out the website, we see a login page for ADSelfService Plus.
I didn't see any indication of the version, but there is a copyright notice on the page from 2021.
Considering this is a very easy box, I searched for CVE PoCs from 2021 for ADSelfService Plus to try, and found CVE-2021-40539, allowing for authentication bypass and code execution.
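The nmap fingerprint above shows two things a raw GET / to this product gives away: a JSESSIONIDADSSP session cookie and a JavaScript redirect to showLogin.cc. The following is an added example (not code from the writeup) that turns those two indicators into an inventory check a defender can run to find ADSelfService Plus instances that still need the CVE-2021-40539 patch; the sample response is constructed from the nmap output, and the regexes and function names are my own.

```python
"""Fingerprint ManageEngine ADSelfService Plus from a raw HTTP response."""
import http.client
import re

# Indicators observed in the nmap fingerprint-strings output above.
COOKIE_RE = re.compile(r"^Set-Cookie:\s*JSESSIONIDADSSP=", re.I | re.M)
REDIRECT_RE = re.compile(r"location\.href\s*=\s*'showLogin\.cc'")


def split_response(raw: str):
    """Split a raw HTTP/1.1 response into (status_line, headers, body)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    return lines[0], "\n".join(lines[1:]), body


def fingerprint(raw: str) -> dict:
    """Report which ADSelfService Plus indicators appear in a raw response."""
    _status, headers, body = split_response(raw)
    hits = {
        "session_cookie": bool(COOKIE_RE.search(headers)),
        "login_redirect": bool(REDIRECT_RE.search(body)),
    }
    # Require both indicators to keep false positives low on generic Tomcat hosts.
    hits["likely_adselfservice"] = all(hits.values())
    return hits


def probe(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Fetch / from a live host you are authorised to scan and fingerprint it."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("GET", "/")
    resp = conn.getresponse()
    raw = f"HTTP/1.1 {resp.status} {resp.reason}\r\n"
    raw += "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
    raw += "\r\n" + resp.read().decode("utf-8", "replace")
    conn.close()
    return fingerprint(raw)


# Constructed sample, built from the GetRequest fingerprint in the nmap output.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: private\r\n"
    "Set-Cookie: JSESSIONIDADSSP=7AE00B7C2F0558D7378863606D698972; Path=/; HttpOnly\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html><head><script>\n"
    "location.href = 'showLogin.cc' + location.search;\n"
    "</script></head></html>\n"
)

if __name__ == "__main__":
    print(fingerprint(SAMPLE))
```

Run `probe("10.129.227.78")` against the box to see the same result from a live response; a generic Tomcat host will match neither indicator.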
Exploitation
I ran the POC against the target and was able to successfully upload a JSP webshell, which ran as NT AUTHORITY\SYSTEM.
Afterward, I ran a base64 encoded PowerShell reverse shell to get a shell running as SYSTEM, which I used to grab the user and root flags.