DevHub
HackTheBox DevHub machine writeup — reconnaissance and enumeration walkthrough.
Executive Summary
DevHub exposed an externally reachable MCPJam Inspector instance on TCP/6274, alongside a standard web service on TCP/80 and SSH on TCP/22. Version identification on the inspector showed MCPJam v1.4.2, which matched a known remote code execution issue leveraged to obtain initial access as the mcp-dev user. Post-exploitation enumeration revealed an internal JupyterLab instance bound to 127.0.0.1:8888 and a root-owned local API service on 127.0.0.1:5000, which together enabled privilege escalation from mcp-dev to analyst and then to root.
The compromise path was:
- Enumerate exposed services and fingerprint MCPJam.
- Exploit MCPJam Inspector v1.4.2 for RCE and obtain a shell as mcp-dev.
- Discover JupyterLab running locally under the analyst account and recover its access token from the process list.
- Use a reverse port forward with Chisel to access JupyterLab reliably in a browser, because direct internal API/WebSocket interaction was blocked by token/XSRF protections.
- Execute notebook code as analyst to gain a reverse shell and capture the user flag.
- Query a root-owned local management service with the opsmcp API key to dump the root SSH private key.
- Authenticate locally as root with the recovered key and read the root flag.
Scope and Target
| Item | Value |
|---|---|
| Target host | 10.129.6.77 / devhub.htb |
| Primary exposed services | 22/tcp SSH, 80/tcp HTTP, 6274/tcp MCPJam Inspector |
| Initial foothold | mcp-dev via MCPJam RCE |
| Intermediate user | analyst via Jupyter notebook code execution |
| Privilege escalation | Hidden ops._admin_dump API action returning root SSH key |
Methodology
The attack followed a practical chain of external enumeration, application exploitation, internal service discovery, authenticated notebook execution, and local privilege escalation. Several dead ends appeared during the Jupyter phase, particularly around raw WebSocket interaction, missing Python modules, and strict XSRF enforcement, but these attempts were useful because they confirmed the internal service behavior and justified pivoting to browser-based access through Chisel.
Reconnaissance
Host discovery and initial scan
The first step was to add the target hostname locally and perform a full TCP scan to discover exposed services.
```bash
echo "10.129.6.77 devhub.htb" | sudo tee -a /etc/hosts
sudo nmap -sCV -T4 -p- --min-rate 5000 -oA devhubfull 10.129.6.77
```
This identified three externally reachable TCP services: SSH on 22, HTTP on 80, and an unknown service on 6274. The HTTP service presented as DevHub - Internal Development Platform, while the unknown service returned HTML consistent with MCPJam Inspector.
MCPJam fingerprinting
The port 6274 response contained a browser application titled MCPJam Inspector, which indicated an exposed Model Context Protocol debugging interface. The supplemental notes identified the version as MCPJam v1.4.2, and explicitly tied versions 1.4.2 and earlier to CVE-2026-23744, an RCE flaw in the inspector when listening on 0.0.0.0.
This mattered because an inspector endpoint is intended for local development and testing, not internet exposure. Once externally reachable, it effectively became a code-execution surface against the host.
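The scan above was saved with `-oA`, so the greppable `devhubfull.gnmap` output can be checked automatically for development and debugging tools that should never be reachable from outside the host. The following script is an added example, not part of the original writeup: it parses gnmap port entries and flags the MCPJam Inspector port described above. The gnmap text is a constructed sample mirroring the services the writeup reports, and the watch list of ports and keywords is an assumption for illustration.

```python
import re

# Constructed sample of nmap greppable (-oA ... .gnmap) output reflecting the
# services the writeup reports on devhub.htb; not real scanner output.
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample)
Host: 10.129.6.77 ()\tStatus: Up
Host: 10.129.6.77 ()\tPorts: 22/open/tcp//ssh//OpenSSH/, 80/open/tcp//http//nginx/, 6274/open/tcp//http//MCPJam Inspector/\tIgnored State: closed (65532)
# Nmap done (constructed sample)
"""

# Ports and fingerprints of local development/debug tooling that should be
# bound to loopback or firewalled (assumed watch list, not from the writeup).
DEV_TOOL_SIGNATURES = {
    6274: "MCPJam Inspector (MCP debugging UI)",
    8888: "JupyterLab / Jupyter Notebook",
    5000: "local management / Flask-style API",
}
DEV_TOOL_KEYWORDS = ("mcpjam", "jupyter", "inspector")

def parse_gnmap(text):
    """Return {host: [(port, proto, service, version), ...]} for open ports."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # The Ports field is tab-terminated; entries are comma-separated.
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            # Layout: port/state/proto/owner/service/rpc_info/version/
            if len(fields) < 7 or fields[1] != "open":
                continue
            hosts.setdefault(host, []).append(
                (int(fields[0]), fields[2], fields[4], fields[6]))
    return hosts

def flag_exposed_dev_tools(hosts):
    """List (host, port, reason) for open ports matching dev-tool signatures."""
    findings = []
    for host, services in hosts.items():
        for port, proto, service, version in services:
            label = DEV_TOOL_SIGNATURES.get(port)
            blob = f"{service} {version}".lower()
            if label or any(k in blob for k in DEV_TOOL_KEYWORDS):
                findings.append((host, port, label or version))
    return findings

if __name__ == "__main__":
    for host, port, reason in flag_exposed_dev_tools(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{host}:{port} exposes {reason}; bind to 127.0.0.1 or firewall it")
```

Run it against a real gnmap file by reading the file into `parse_gnmap` in place of the constructed sample.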
Premium Content
The full exploitation walkthrough, privilege escalation, and flags are available exclusively for members.