IppSec

HackTheBox - Interpreter

The video walks through the HackTheBox "Interpreter" machine, beginning with an nmap scan that reveals SSH, HTTP, and HTTPS services on a Debian host. By inspecting the web application’s JNLP file, the presenter identifies Mirth Connect 4.4.0 and locates CVE‑2023‑43208, a Java deserialization flaw exploitable via a crafted XML payload. Using the vulnerability, a reverse shell is obtained, the attacker pivots to the server’s filesystem, and extracts the MySQL configuration from mirth.properties. Connecting to the local database yields a PBKDF2‑HMAC‑SHA256 password hash stored in the person_password table. The presenter demonstrates how to parse the Base64‑encoded value, isolate the salt and iteration count, and reformat it for Hashcat mode 10900, enabling offline cracking of the admin credential. Key technical details include the use of a custom templating engine that evaluates triple‑f‑string expressions, the IFS‑based quote‑escaping trick to bypass Java’s quoting restrictions, and the base64‑encoding of the reverse‑shell command to avoid bad characters. The walkthrough also references the Swagger API endpoint, the YSOSerial payload generator, and the specific hash‑mode filters used to locate the correct PBKDF2 variant. The demonstration underscores the danger of unpatched Java applications and insecure custom code paths, showing how a single deserialization bug can lead from remote code execution to full database compromise and credential harvesting. It provides a reproducible methodology valuable for both CTF participants and real‑world penetration testers.