HackTheBox - Interpreter Writeup
Machine Info
| Property | Value |
|---|---|
| Name | Interpreter |
| OS | Linux (Debian 12) |
| Difficulty | Medium |
| Target IP | 10.129.x.x |
Reconnaissance
Nmap Scan
A full TCP port scan was performed against the target to identify open services:
nmap -sC -sV -p- --min-rate 5000 10.129.x.x
Results:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u7
80/tcp open http Jetty
443/tcp open ssl/http Jetty
6661/tcp open unknown
| Port | Service | Details |
|---|---|---|
| 22 | SSH | OpenSSH 9.2p1 Debian 2+deb12u7 |
| 80 | HTTP | Jetty - Mirth Connect Administrator |
| 443 | HTTPS | Jetty - Mirth Connect Administrator (SSL/TLS) |
| 6661 | Unknown | Java-based service (Mirth Connect related) |
Service Enumeration
The HTTP/HTTPS services on ports 80 and 443 both serve the Mirth Connect Administrator web interface. Mirth Connect is an open-source healthcare integration engine used to exchange clinical and administrative data.
The SSL certificate reveals:
- Common Name: mirth-connect
- Supports TLSv1.2 and TLSv1.3
Mirth Connect Version Detection
The Mirth Connect API requires an X-Requested-With header for all requests. Using this, the version was fingerprinted:
curl -sk -H "X-Requested-With: XMLHttpRequest" https://10.129.x.x/api/server/version
Result: 4.4.0
This version is vulnerable to CVE-2023-43208, a pre-authenticated Remote Code Execution (RCE) vulnerability.
Internal Services (discovered post-foothold)
After obtaining an initial shell, internal service enumeration via ss -tlnp revealed:
| Address | Port | Service |
|---|---|---|
| 127.0.0.1 | 3306 | MySQL |
| 127.0.0.1 | 54321 | Internal web service (patient intake) |
| 0.0.0.0 | 6661 | Mirth Connect (Java) |
| 0.0.0.0 | 443 | Mirth Connect HTTPS |
| 0.0.0.0 | 80 | Mirth Connect HTTP |
| 0.0.0.0 | 22 | SSH |
The internal service on port 54321 exposes an /addPatient endpoint that accepts XML input and processes it through a Mirth Connect channel. This channel uses Python-based string formatting, which is vulnerable to Server-Side Template Injection (SSTI) / arbitrary code execution.
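The class of defect described above, shown as an added example that is not code from the box or this writeup: a Python format string that the caller controls resolves attribute lookups (`{name.__class__}`) rather than doing a plain substitution, and a `string.Formatter` subclass that allow-lists bare field names and rejects attribute access, conversions and format specs closes that off. The patient record and field names are constructed.

```python
import string

# Constructed sample record, standing in for the fields an intake channel
# would interpolate into an outbound message.
PATIENT = {"name": "Ada Example", "mrn": "MRN-0001"}
ALLOWED_FIELDS = frozenset(PATIENT)


def render_unsafe(template: str, record: dict) -> str:
    """The pattern the writeup describes: the caller controls the template.

    str.format resolves attribute and index lookups, so "{name.__class__}"
    walks into the object graph instead of staying a plain substitution.
    """
    return template.format(**record)


class SafeFormatter(string.Formatter):
    """Only allow-listed top-level keys; no attribute/index access, no specs."""

    def __init__(self, allowed: frozenset):
        super().__init__()
        self.allowed = allowed

    def get_field(self, field_name, args, kwargs):
        # field_name is the raw text inside the braces, e.g. "name.__class__",
        # so anything that is not exactly an allowed key is refused outright.
        if field_name not in self.allowed:
            raise ValueError(f"disallowed template field: {field_name!r}")
        return kwargs[field_name], field_name

    def convert_field(self, value, conversion):
        # Refuse "!r" / "!a" / "!s" conversions; only plain substitution.
        if conversion is not None:
            raise ValueError(f"conversions are not permitted: {conversion!r}")
        return value

    def format_field(self, value, format_spec):
        # Refuse specs such as "{name:>10000000}" that inflate the output.
        if format_spec:
            raise ValueError(f"format specs are not permitted: {format_spec!r}")
        return str(value)


def render_safe(template: str, record: dict) -> str:
    return SafeFormatter(ALLOWED_FIELDS).format(template, **record)


def template_is_safe(template: str) -> bool:
    """True if the template uses only plain allow-listed fields."""
    try:
        render_safe(template, PATIENT)
        return True
    except (ValueError, KeyError):
        return False
```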
Initial Foothold - CVE-2023-43208 (Mirth Connect Pre-Auth RCE)
Vulnerability Overview
CVE-2023-43208 is a pre-authenticated Remote Code Execution vulnerability in NextGen Healthcare Mirth Connect versions prior to 4.4.1. It is a patch bypass of CVE-2023-37679. The vulnerability exists in the way Mirth Connect deserializes Java objects, allowing an unauthenticated attacker to execute arbitrary OS commands on the server.
Exploitation
Step 1: Clone the exploit