Overview
Interpreter is a Medium-difficulty Linux machine centred around Mirth Connect, a widely deployed open-source healthcare integration platform. The machine simulates a realistic attack scenario against a poorly hardened medical software stack.
The attack path:
1. Exploit CVE-2023-43208 - an unauthenticated RCE in Mirth Connect 4.4.0 - to land a shell as the service user.
2. Extract database credentials from Mirth's configuration file and query the internal MySQL database to recover a PBKDF2-hashed password.
3. Crack the hash with hashcat to gain SSH access as user `sedric` and capture the user flag.
4. Discover a root-owned Python Flask service (`notif.py`) listening locally that uses `eval()` on user-controlled input - abuse this SSTI sink to plant a SUID bash binary and achieve full root compromise.
Reconnaissance
Nmap Port Scan
```
nmap -sC -sV -T4 -F 10.129.244.184
```

```
Starting Nmap 7.98 at 2026-02-23 23:04 +0530
Nmap scan report for 10.129.244.184
Host is up (0.18s latency).
Not shown: 97 closed tcp ports (reset)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
| ssh-hostkey:
|   256 07:eb:d1:b1:61:9a:6f:38:08:e0:1e:3e:5b:61:03:b9 (ECDSA)
|_  256 fc:d5:7a:ca:8c:4f:c1:bd:c7:2f:3a:ef:e1:5e:99:0f (ED25519)
80/tcp  open  http     Jetty
|_http-title: Mirth Connect Administrator
| http-methods:
|_  Potentially risky methods: TRACE
443/tcp open  ssl/http Jetty
|_http-title: Mirth Connect Administrator
| ssl-cert: Subject: commonName=mirth-connect
| Not valid before: 2025-09-19T12:50:05
|_Not valid after:  2075-09-19T12:50:05
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
Summary of findings:

| Port | Service | Notes |
|---|---|---|
| 22/tcp | OpenSSH 9.2p1 | Debian 12; useful once credentials are obtained |
| 80/tcp | HTTP (Jetty) | Mirth Connect Administrator panel |
| 443/tcp | HTTPS (Jetty) | Same app over TLS; self-signed cert for mirth-connect |
The SSL certificate is self-signed with a 50-year validity window (2025–2075), indicative of an internal deployment. Both HTTP and HTTPS expose the Mirth Connect Administrator interface. The enabled TRACE method is a minor misconfiguration worth noting.
WhatWeb Fingerprinting
```
whatweb -v -a 3 http://10.129.244.184
```

```
Status    : 200 OK
Title     : Mirth Connect Administrator
IP        : 10.129.244.184
Summary   : Bootstrap[2.0.0], HTML5, JQuery[3.5.1], Script[text/javascript], X-UA-Compatible[IE=edge]

HTTP Headers:
HTTP/1.1 200 OK
Date: Mon, 23 Feb 2026 17:35:21 GMT
Last-Modified: Tue, 18 Jul 2023 17:46:18 GMT
Content-Type: text/html
Content-Length: 2532
```
Bootstrap 2.0.0 is severely outdated (current is 5.x). The Last-Modified header dating back to July 2023 aligns with the Mirth Connect 4.4.0 release timeframe. No server banner is disclosed - Jetty suppresses it - but the application identity is clear.
Nikto Web Scan
```
nikto -h http://10.129.244.184
```

```
- Nikto v2.5.0
+ Target IP:          10.129.244.184
+ Target Port:        80
+ Start Time:         2026-02-23 23:04:42 (GMT5.5)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ /: The anti-clickjacking X-Frame-Options header is not present.
+ /: The X-Content-Type-Options header is not set.
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, TRACE, OPTIONS
+ /css/: This might be interesting.
+ /webadmin/: This might be interesting.
```
Missing security headers (X-Frame-Options, X-Content-Type-Options) and an exposed /webadmin/ path confirm the application's minimal security posture. Combined with the version fingerprint, a known CVE is our clear entry point.
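As an added defender-side example (not part of the original writeup), the script below turns the three weaknesses the recon surfaced into checks an operator could run against their own Mirth Connect deployment's responses: missing X-Frame-Options / X-Content-Type-Options headers, TRACE enabled, and an oversized certificate validity window. The sample header block, Allow line and certificate dates are constructed from the scan output above; the two-year certificate limit is an assumed policy value.

```python
from datetime import datetime

# Headers Nikto flagged as absent on the Mirth Connect Administrator page.
REQUIRED_HEADERS = ("X-Frame-Options", "X-Content-Type-Options")
# Methods that should not be enabled on a production HTTP endpoint.
RISKY_METHODS = {"TRACE", "TRACK"}
# Assumed policy: certificates valid for longer than this are flagged.
MAX_CERT_YEARS = 2

# Constructed sample inputs, mirroring the WhatWeb, Nikto and Nmap output above.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 23 Feb 2026 17:35:21 GMT
Last-Modified: Tue, 18 Jul 2023 17:46:18 GMT
Content-Type: text/html
Content-Length: 2532
"""
SAMPLE_ALLOW = "GET, HEAD, TRACE, OPTIONS"
SAMPLE_NOT_BEFORE = "2025-09-19T12:50:05"
SAMPLE_NOT_AFTER = "2075-09-19T12:50:05"


def parse_headers(raw_response):
    """Return a lower-cased header-name -> value map, skipping the status line."""
    headers = {}
    for line in raw_response.strip().splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit(raw_response, allow_header, not_before, not_after):
    """Return a list of finding strings; an empty list means every check passed."""
    findings = []
    headers = parse_headers(raw_response)
    for name in REQUIRED_HEADERS:
        if name.lower() not in headers:
            findings.append(f"missing security header: {name}")
    enabled = {m.strip().upper() for m in allow_header.split(",") if m.strip()}
    for method in sorted(enabled & RISKY_METHODS):
        findings.append(f"risky HTTP method enabled: {method}")
    lifetime_days = (datetime.fromisoformat(not_after) - datetime.fromisoformat(not_before)).days
    years = lifetime_days / 365.25
    if years > MAX_CERT_YEARS:
        findings.append(f"certificate valid for {years:.0f} years (limit {MAX_CERT_YEARS})")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE, SAMPLE_ALLOW, SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER):
        print(finding)
```

Run against the constructed sample it reports all four findings; the same function returns an empty list once the headers are added, TRACE is disabled and the certificate is reissued with a short lifetime.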
This machine is still active in HTB, so the full walkthrough, exploitation path, and flags cannot be publicly released.