Interpreter HackTheBox Writeup - Season10
SUMMARY
This write-up covers the Mirth machine from HackTheBox Season 10. Initial web enumeration revealed a Mirth Connect login panel. Because the panel offers its Windows client binary for download, the exact Mirth Connect version could be fingerprinted from that binary and confirmed vulnerable to CVE-2023-43208, an unauthenticated remote code execution vulnerability in Mirth Connect versions before 4.4.1, which granted initial access to the system as the mirth user.
Enumerating the Mirth Connect installation directory exposed a configuration file containing plaintext database credentials. Those credentials gave access to the backend database, where the password hash of the user sedric was recovered. Off-the-shelf hash cracking failed because Mirth Connect stores user passwords as salted PBKDF2-HMAC-SHA256 digests rather than a common hash type, so the stored value had to be parsed and cracked with a matching routine.
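The cracking step above, as an added example that is not part of the write-up: the script below parses a Mirth Connect style salted PBKDF2 digest, verifies candidate passwords offline, and emits the equivalent hashcat -m 10900 (PBKDF2-HMAC-SHA256) line so a GPU can do the work. The SALT_ prefix, 8-byte salt, 600000 iterations and 256-bit key length are assumptions about Mirth Connect 4.x defaults, not values taken from the page; check the digest.* keys in the installation's mirth.properties before relying on them.

```python
"""Added example, not code from the write-up or from Mirth Connect.
Parses a SALT_-prefixed base64(salt || pbkdf2) digest, cracks it against
a wordlist, and converts it for hashcat -m 10900.
Format details below are ASSUMPTIONS about Mirth Connect 4.x defaults."""
import base64
import hashlib
import hmac
from typing import Iterable, Optional, Tuple

SALT_PREFIX = "SALT_"     # assumed prefix on salted digests
SALT_SIZE = 8             # assumed digest.saltsize (bytes)
ITERATIONS = 600000       # assumed digest.iterations
KEY_LENGTH_BYTES = 32     # assumed digest.keylength = 256 bits


def mirth_digest(password: str, salt: bytes, iterations: int = ITERATIONS) -> str:
    """Build a stored digest in the assumed layout: SALT_ + base64(salt || dk)."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                             iterations, dklen=KEY_LENGTH_BYTES)
    return SALT_PREFIX + base64.b64encode(salt + dk).decode()


def parse_digest(stored: str) -> Tuple[bytes, bytes]:
    """Split a stored digest into (salt, derived_key)."""
    if not stored.startswith(SALT_PREFIX):
        raise ValueError("not a salted digest in the assumed format")
    raw = base64.b64decode(stored[len(SALT_PREFIX):])
    if len(raw) <= SALT_SIZE:
        raise ValueError("digest too short")
    return raw[:SALT_SIZE], raw[SALT_SIZE:]


def to_hashcat(stored: str, iterations: int = ITERATIONS) -> str:
    """Emit the hashcat -m 10900 line: sha256:<iter>:<b64 salt>:<b64 hash>."""
    salt, dk = parse_digest(stored)
    return "sha256:{}:{}:{}".format(
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def crack(stored: str, wordlist: Iterable[str],
          iterations: int = ITERATIONS) -> Optional[str]:
    """Return the first wordlist entry whose PBKDF2 output matches, else None."""
    salt, dk = parse_digest(stored)
    for cand in wordlist:
        cand = cand.rstrip("\r\n")
        guess = hashlib.pbkdf2_hmac("sha256", cand.encode(), salt,
                                    iterations, dklen=len(dk))
        if hmac.compare_digest(guess, dk):
            return cand
    return None


if __name__ == "__main__":
    # Constructed sample: a known password with a fixed salt and a low
    # iteration count so the demo runs in well under a second.
    sample = mirth_digest("Winter2024!", bytes(range(8)), iterations=1000)
    print("stored :", sample)
    print("hashcat:", to_hashcat(sample, 1000))
    print("cracked:", crack(sample, ["password", "Winter2024!"], iterations=1000))
```

For a real dump, pass the row's stored value to to_hashcat with the iteration count from mirth.properties, write the line to a file and run hashcat -m 10900 against it; the pure-Python crack() is only practical for short, targeted wordlists at 600000 iterations.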
As sedric, process enumeration revealed a Python script running as root. Reviewing the script uncovered an internal service listening on port 54321 that exposed an /addPatient endpoint accepting an XML document with several parameters. Critically, the script passed user-controlled values to Python's eval(), creating a code execution opportunity. The regex-based input filter in front of eval() was bypassed, yielding full root access.
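To illustrate the class of bug described above without reproducing the machine's script, here is an added example (not code from the box or the write-up) of an XML handler that filters a field with a regex allowlist and then calls eval(), next to a hardened handler. The element name age, the allowlist pattern and the payload are all constructed for illustration; the point is that a character-level allowlist that still admits identifiers, dots, quotes and parentheses does not constrain what a Python expression can do.

```python
"""Added example, not the script from the machine.
Shows a regex-filtered eval() handler beside a hardened version and a
constructed payload that passes the filter. Element names and the
allowlist are hypothetical."""
import re
import xml.etree.ElementTree as ET

# Hypothetical filter: rejects shell metacharacters such as ; | & $ but
# still admits everything a Python call expression is built from.
ALLOWED = re.compile(r"^[\w\s.'()+-]+$")


def add_patient_vulnerable(xml_body: str) -> int:
    """Vulnerable: regex-filter the <age> field, then hand it to eval()."""
    age = ET.fromstring(xml_body).findtext("age", default="")
    if not ALLOWED.match(age):
        raise ValueError("rejected by filter")
    return eval(age)  # arbitrary expression over the allowed characters


def add_patient_hardened(xml_body: str) -> int:
    """Hardened: parse <age> as a bounded integer; no interpreter involved."""
    age = ET.fromstring(xml_body).findtext("age", default="").strip()
    if not re.fullmatch(r"\d{1,3}", age):
        raise ValueError("age must be 1-3 digits")
    return int(age)


def is_rejected(handler, xml_body: str) -> bool:
    """True if the handler refuses the document with ValueError."""
    try:
        handler(xml_body)
    except ValueError:
        return True
    return False


# Constructed sample documents.
BENIGN = "<patient><name>J. Doe</name><age>42</age></patient>"
# Passes the allowlist (only \w . ' ( ) characters) yet imports a module
# and calls a function of the attacker's choosing.
MALICIOUS = ("<patient><name>x</name>"
             "<age>__import__('math').factorial(5)</age></patient>")

if __name__ == "__main__":
    print("vulnerable, benign   :", add_patient_vulnerable(BENIGN))
    print("vulnerable, malicious:", add_patient_vulnerable(MALICIOUS))
    print("hardened, benign     :", add_patient_hardened(BENIGN))
    print("hardened, malicious  :", is_rejected(add_patient_hardened, MALICIOUS))
```

The lesson generalises: once eval() is reachable, the filter has to reason about Python syntax, not characters, and the only reliable fix is to remove the interpreter and parse the value into the type the application actually needs.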
PATH TO FOLLOW
- Web Enumeration & Mirth Connect Discovery
- Version Fingerprinting via Binary Download
- Exploiting CVE-2023-43208 (RCE)
- Initial Access as mirth
- Config File Enumeration & Database Credential Extraction
- Database Access & Hash Recovery
- Cracking PBKDF2-HMAC-SHA256 Hash
- Lateral Movement
- Process Enumeration & Internal Service Discovery
- XML Endpoint Analysis & eval() Identification
- Regex Bypass
- Privilege Escalation via C Binary
CONTENT WILL BE RELEASED ONCE THE MACHINE IS RETIRED