Attack Chain Summary
CVE-2023-43208 (RCE) → mirth shell
↓
DB creds in mirth.properties → PBKDF2 hash extraction
↓
Python cracker → SSH as sedric
↓
HL7 MLLP channel analysis → SSTI in notif.py → root shell

Date: March 21, 2026 | Difficulty: Medium | OS: Linux
1. Reconnaissance
Port Scanning
I started with a full port scan using RustScan followed by Nmap for service detection.
```bash
rustscan -a 10.129.244.184 -r 1-65535
nmap -sC -sV 10.129.244.184 -p22,80,443 -Pn
```

The first Nmap run, without -Pn, reported the host as down: the target does not answer Nmap's default host-discovery probes (it drops ICMP echo requests), so Nmap never got as far as the port scan. Adding -Pn skips host discovery and scans the listed ports directly, which revealed the open services.
Open ports:
- 22 — SSH
- 80 — HTTP
- 443 — HTTPS
Web Enumeration
Visiting port 80 via curl revealed a Mirth Connect Administrator login page — a Java-based healthcare integration engine by NextGen Healthcare.
I downloaded the webstart.jnlp file from the target and inspected it:

```bash
head webstart.jnlp
```

This confirmed the version:

```xml
<jnlp codebase="https://10.129.244.184:443" version="4.4.0">
```

I also verified the version directly via the Mirth REST API, which rejects any request that lacks an X-Requested-With header (a CSRF guard applied to every API call). The first attempt failed because I forgot that header:
```bash
# Failed — missing required header
curl https://10.129.244.184/api/server/version -k
# HTTP ERROR 400: All requests must have 'X-Requested-With' header

# Correct request
curl -k -H 'X-Requested-With: OpenAPI' https://10.129.244.184:443/api/server/version
# Response: 4.4.0
```

Mirth Connect 4.4.0 is vulnerable to CVE-2023-43208, an unauthenticated remote code execution flaw that affects every release before 4.4.1.