I just solved DevHub on Hack the Box!
DevHub Machine Summary
DevHub is a medium difficulty Linux machine on Hack The Box that focuses on modern AI infrastructure security, insecure development tooling, exposed internal services, and abuse of privileged administrative APIs. The machine demonstrates how seemingly isolated developer components can be chained together to achieve complete system compromise, highlighting the risks associated with exposing AI management platforms and weak internal trust boundaries.
The attack chain begins with Nmap enumeration, which reveals SSH and an Nginx web server that redirects users to the devhub.htb virtual host. After performing host configuration, further web enumeration uncovers an externally accessible MCPJam Inspector service running on port 6274 and references to several internal development services.
During MCPJam enumeration, the application version is identified as MCPJam Inspector v1.4.2. Subsequent vulnerability research leads to the discovery of CVE-2026-23744, a public remote code execution vulnerability affecting versions 1.4.2 and earlier. After completing exploit preparation, the public proof-of-concept is weaponized, resulting in initial access as the mcp-dev user through a reverse shell.
With a foothold established, extensive internal service enumeration reveals an internal OPSMCP API listening on port 5000, while credential enumeration uncovers a hardcoded Jupyter authentication token embedded inside a systemd service file. Further enumeration of Jupyter authentication, local users, and internal ports confirms the presence of a locally accessible Jupyter Lab instance running under the analyst account.
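A defender-side check for the credential finding described above, added here as an example and not taken from the write-up: it scans systemd unit text for a Jupyter token passed on the command line or a secret set in `Environment=`, and reports it without echoing the value. How the token was embedded on DevHub is not stated, so the option names checked, the `DEMO_API_KEY` variable and the sample unit are assumptions.

```python
import re
import shlex
import stat

# Jupyter command-line options that carry the auth token (real Jupyter traits).
TOKEN_OPTS = ("NotebookApp.token", "ServerApp.token", "IdentityProvider.token")
# Environment variable names that usually hold a secret (JUPYTER_TOKEN included).
SECRET_ENV = re.compile(r"(TOKEN|SECRET|PASSWORD|API_?KEY)$", re.I)

# Constructed sample unit; names and values are illustrative, not from the box.
SAMPLE_UNIT = r"""
[Unit]
Description=Jupyter Lab (constructed sample)

[Service]
User=analyst
Environment="DEMO_API_KEY=constructed-key" LANG=C.UTF-8
ExecStart=/usr/bin/jupyter lab --ip=127.0.0.1 \
    --ServerApp.token=constructed-token-0000
"""

def split_args(value):
    try:
        return shlex.split(value)
    except ValueError:  # unbalanced quotes: fall back to whitespace split
        return value.split()

def audit_unit(text, mode=0o644):
    """Report secrets written inline in a unit file, without echoing values."""
    exposed = bool(mode & stat.S_IROTH)  # 0644 units are readable by any local user
    findings = []
    text = re.sub(r"\\\n\s*", " ", text)  # join systemd line continuations
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        key = key.rstrip()
        if not sep or key.startswith(("#", ";")):
            continue
        for arg in split_args(value):
            # Only the "--Option=value" form is handled here.
            name, has_val, val = arg.lstrip("-").partition("=")
            if key.startswith("Exec") and name in TOKEN_OPTS and has_val:
                issue = "token on command line" if val else "empty token: auth disabled"
            elif key == "Environment" and val and SECRET_ENV.search(name):
                issue = "secret in Environment="
            else:
                continue
            findings.append({"directive": key, "name": name,
                             "issue": issue, "world_readable": exposed})
    return findings
```

Moving the value into a root-owned `EnvironmentFile=` with mode 0600, or into systemd's `LoadCredential=`, keeps it out of the world-readable unit file and off the process command line.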
To establish a stable foothold, an SSH key pair is generated and used for persistence, replacing the temporary reverse shell with reliable key-based SSH access. Using port forwarding, the internal Jupyter service is exposed locally, allowing successful Jupyter Lab authentication with the recovered token. Launching a built-in terminal grants Jupyter terminal access as the analyst user, leading to the capture of the user flag.
The final stage revolves around abusing the internal management API. Using the recovered OPSMCP API key, the OPSMCP API is abused through a hidden administrative function that exposes emergency recovery credentials. Through this function, a root private key is recovered, saved locally, and used to authenticate directly to the target. Root access is achieved via SSH, allowing retrieval of the root flag and full compromise of the machine.
Overall, DevHub is an excellent demonstration of how exposed developer tools, insecure internal APIs, leaked credentials, and poor trust separation between AI infrastructure components can be combined into a realistic and highly effective attack chain from initial access to root.

1 Comments
To current members, the password to access this encrypted page and other pages has been sent to your email address. If you haven't received it yet, reach out to me at isiaqibrahim.tr@gmail.com
Note: This write up includes the complete code blocks and commands. The password for each write up is different. I have sent the password to your inbox on Buy Me A Coffee.
Happy Hacking!!!😈😈