HTB - DevHub

Sat, 30 May 2026 00:00:00 +0000

Difficulty: Medium | OS: Linux

Logo & Name Analysis - First Impressions Link to heading

Before touching a single tool, the machine logo and name already give away a significant amount of information to an experienced player.

The Logo Link to heading

The machine logo shows a caged beast with red glowing eyes trapped behind bars. On HackTheBox, machine logos almost always hint directly at the technology or theme involved.

What the logo tells us immediately:

Caged beast behind bars: A system designed to restrict access, block unsafe operations, or confine environments (sandboxing / containerization).
Red glowing eyes: A powerful or potentially dangerous interface that is supposed to be fully locked down, but might have vulnerabilities in its containment.
Caged element: An environment escape (sandbox escape) or a container escape scenario.

The Name Link to heading

"DevHub" combined with the logo points toward:

A centralized developer platform or gateway (like GitLab, JupyterHub, or a custom tool manager) that coordinates multiple services.
An environment where developers deploy models, notebooks, or scripts, pointing directly to development-centric protocols like Model Context Protocol (MCP) or Jupyter.

The Instant Hypothesis Link to heading

Combining name and logo before even running nmap:

"This is a developer platform (DevHub) managing internal development or model tools. The caged beast suggests containerization, sandboxing, or restricted environments that we must escape. The primary attack vector will likely involve exploiting development utilities or container/sandbox escape vulnerabilities."

This hypothesis is confirmed within minutes of enumeration, revealing an exposed Model Context Protocol (MCP) debugger and Jupyter notebook.

HTB - Kobold

Sun, 05 Apr 2026 00:00:00 +0000

Field	Value
Difficulty	Easy
OS	Linux (Ubuntu)
CVE	CVE-2026-23744
Tags	`docker` `gshadow` `lfi` `mcp` `mcpjam` `pastebin` `path-traversal` `rce`

Kobold is a Linux easy box featuring a multi-service web application behind nginx with HTTPS and wildcard virtual hosting. Initial access requires exploiting CVE-2026-23744 - an unauthenticated RCE in MCPJam Inspector - by sending a crafted JSON payload to /api/mcp/connect to execute arbitrary commands. Privilege escalation abuses a discrepancy between /etc/gshadow and the running session, allowing the sg command to switch into the docker group and mount the host filesystem inside a container.