https://z3r0s6.github.io/tags/cve-2023-43208/Recent content in CVE-2023-43208 on z3r0sHugoenSun, 29 Mar 2026 00:00:00 +0000https://z3r0s6.github.io/machines/interpreter/Sun, 29 Mar 2026 00:00:00 +0000https://z3r0s6.github.io/machines/interpreter/<table> <thead> <tr> <th>Field</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td>Difficulty</td> <td>Medium</td> </tr> <tr> <td>OS</td> <td>Linux (Debian 12)</td> </tr> <tr> <td>CVEs</td> <td>CVE-2023-43208 · CVE-2023-37679</td> </tr> </tbody> </table> <hr> <h2 id="summary"> Summary <a class="heading-link" href="#summary"> <i class="fa-solid fa-link" aria-hidden="true" title="Link to heading"></i> <span class="sr-only">Link to heading</span> </a> </h2> <p>Interpreter is a Medium-difficulty Linux machine centred around <strong>Mirth Connect 4.4.0</strong>, a widely-deployed open-source healthcare integration engine. The attack chain exploits <strong>CVE-2023-43208</strong> - an unauthenticated pre-auth RCE via XStream deserialization - to gain an initial shell as the service user. Database credentials extracted from Mirth's config file lead to a PBKDF2-hashed password in the internal MySQL/PostgreSQL database. After cracking the hash offline with hashcat, SSH access is gained as user <code>sedric</code>. A locally-bound Python Flask service (<code>notif.py</code>) running as root exposes an <code>eval()</code> sink vulnerable to SSTI, which is abused to plant a SUID bash binary and achieve full root compromise.</p>