{
  "path": "/blog/htb-writeup-interpreter",
  "site": "at://did:plc:5fyfskntvw6jltxmdu2we7nw/site.standard.publication/3mdro5atvvd2o",
  "tags": [
    "ctf"
  ],
  "$type": "site.standard.document",
  "title": "HTB Writeup - Interpreter",
  "bskyPostRef": {
    "cid": "bafyreidgvvk3xanju66qdh4x26gl6r2q6qh6ipb2zow3mjg26gjtyybkiq",
    "uri": "at://did:plc:5fyfskntvw6jltxmdu2we7nw/app.bsky.feed.post/3mgdz3ofbow2x"
  },
  "description": "A medium rated Linux machine running Healthcare software",
  "publishedAt": "2026-03-05T00:00:00.000Z",
  "textContent": "Interpreter is a medium rated Linux machine running healthcare software.\n\nStarting off with a scan as usual, and we get some interesting ports.\n\nI start by taking a look at the webpage, which is running something called Mirth Connect, which appears to be an open-source healthcare program, a pretty neat piece of software I didn't know existed. I also did some research on port 6661, where I discovered Health Level 7 (HL7), a standardized health information exchange protocol used by healthcare services to interact with each other. Again, I had no idea this existed, so this was a neat thing to learn about.\n\nNotice the 2021 copyright notice at the bottom of the image; I'm expecting we'll find a good CVSS 9.5+ vulnerability.\n\nLooks like I was right: CVE-2023-43208 is a critical unauthenticated remote code execution vulnerability. It's an easily exploitable deserialization vulnerability. Thanks to its age, there were plenty of PoCs available for use. I grabbed a script from online, but had to play around with the XML escaping for a little while before I got my command to run. Eventually, I had a socat reverse shell as the user mirth.\n\nPost Exploitation\n\nI ran linpeas while investigating accessible directories, getting two valuable findings.\n- A script called notify.py running as root and listening on port 54321\n- DB credentials in mirth.properties\n\nAfter checking some tables, I found an entry in channels called INTERPRETER - HL7 TO XML TO NOTIFY. Finding the CTF name somewhere is, of course, always a good sign. A channel in Mirth Connect appears to be a way to allow communication between multiple services, with the use case here being to reformat HL7 messages into XML that is sent to notify.py.\n\nAnother table contained the channel's configuration, which gave me the info needed to forge my own requests:\n\nA message with the XML above would respond with Patient Fake Name (M), 26 years old, received from TEST_APP at 20260228120000\n\nI wrote a quick script on the server that would take base64-encoded XML as input, decode it, then send it to http://127.0.0.1:54321/addPatient. When it receives a valid message, it responds with a sentence about the This was just to let me quickly test payloads without spinning up a proxy. After trying many likely injection payloads for an interpreter written in Python, I eventually found that data inside { } was evaluated. I tried simply using open('/root/root.txt').read(), but this caused the request to fail. The interpreter had a check for interpreted blocks containing /. The easiest way around this was just replacing them with chr(47).\n\nHere were my final payloads, which responded with the user and root flags:",
  "canonicalUrl": "https://quasigod.xyz/blog/htb-writeup-interpreter"
}