Executive Summary
Kobold is a medium-difficulty Linux machine that demonstrates a realistic attack chain involving modern AI tooling misconfigurations and container security failures. The engagement begins with reconnaissance revealing multiple web services including an MCPJam Inspector endpoint vulnerable to unauthenticated Remote Code Execution (CVE-2026-23744). After obtaining an initial shell as user ben, enumeration reveals the user possesses a dormant Docker group membership that - when activated via newgrp docker - provides full root access through a container escape technique, mounting the host filesystem into a privileged container.
Table of Contents
1. Environment Setup
2. Reconnaissance
2.1 - Port Scanning
2.2 - Service Enumeration
2.3 - Virtual Host Discovery
3. Initial Access - CVE-2026-23744
3.1 - Vulnerability Research
3.2 - Exploit Development
3.3 - Shell Acquisition
3.4 - Shell Stabilization
4. Post-Exploitation Enumeration
4.1 - User Context
4.2 - Network Services
4.3 - Running Processes
4.4 - File System Analysis
4.5 - Group Membership Analysis
5. Privilege Escalation - Docker Group Abuse
5.1 - Activating Docker Group
5.2 - Container Verification
5.3 - Container Escape
5.4 - Flag Capture
6. Vulnerability Summary
7. Remediation Recommendations
1. Environment Setup
Before beginning enumeration, configure the local /etc/hosts file to resolve the target's virtual hostnames. The SSL certificate discovered during scanning reveals wildcard SAN coverage for *.kobold.htb, indicating multiple subdomains are in use.
sudo nano /etc/hosts
Add the following line:
10.129.12.219 kobold.htb mcp.kobold.htb bin.kobold.htb
Create a dedicated working directory to keep all output organized:
mkdir -p ~/htb/kobold/{nmap,web,loot}
cd ~/htb/kobold
Set the target IP as a variable for convenience throughout the engagement:
export TARGET=10.129.12.219
export LHOST=10.10.14.209
2. Reconnaissance
2.1 - Port Scanning
Begin with a comprehensive Nmap scan covering all 65535 ports with service detection, default scripts, and version enumeration:
nmap -sC -sV -p- -T4 --min-rate 5000 -oA nmap/kobold_full $TARGET
Full Scan Output:
Starting Nmap 7.98 at 2026-03-22 23:34 +0530
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.15
| ssh-hostkey:
| 256 8c:45:12:36:03:61:de:0f:0b:2b:c3:9b:2a:92:59:a1 (ECDSA)
|_ 256 d2:3c:bf:ed:55:4a:52:13:b5:34:d2:fb:8f:e4:93:bd (ED25519)
80/tcp open http nginx 1.24.0 (Ubuntu)
|_ http-title: Did not follow redirect to https://kobold.htb/
|_ http-server-header: nginx/1.24.0 (Ubuntu)
443/tcp open ssl/http nginx 1.24.0 (Ubuntu)
|_ http-title: Kobold Operations Suite
| ssl-cert: Subject: commonName=kobold.htb
| Subject Alternative Name: DNS:kobold.htb, DNS:*.kobold.htb
| Not valid before: 2026-03-15T15:08:55
|_ Not valid after: 2125-02-19T15:08:55
3552/tcp open http Golang net/http server
|_ http-title: (no title - GetArcane UI)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Analysis of Findings:
| Port | Service | Notes |
|---|---|---|
| 22 | OpenSSH 9.6p1 | Standard SSH - note key fingerprints |
| 80 | nginx 1.24.0 | Immediate redirect to HTTPS - nothing here directly |
| 443 | nginx 1.24.0 | Main application - "Kobold Operations Suite" |
| 3552 | Golang HTTP | GetArcane - Docker management UI running as root |
The wildcard SAN *.kobold.htb in the TLS certificate is a strong indicator of virtual host routing for multiple subdomains. Port 3552 running a Golang HTTP server is unusual - Golang-based Docker management tools like Portainer, Arcane, and similar panels are often misconfigured.
2.2 - Service Enumeration
Probe each service individually for version information and content:
# Check port 80 - confirm redirect
curl -v http://$TARGET/ 2>&1 | grep -E "Location|HTTP/"
# HTTP/1.1 301 Moved Permanently
# Location: https://kobold.htb/
# Check port 443 - grab page title and headers
curl -sk https://kobold.htb/ | grep -i "<title>"
# <title>Kobold Operations Suite</title>
# Check GetArcane on port 3552
curl -sk http://$TARGET:3552/ | grep -i "title\|arcane\|version" | head -5
2.3 - Virtual Host Discovery
With the wildcard SAN confirmed, enumerate subdomains:
# Check mcp subdomain
curl -sk https://mcp.kobold.htb/ | grep -i "title\|mcp\|inspector" | head -5
# Check bin subdomain
curl -sk https://bin.kobold.htb/ | grep -i "title\|privatebin\|version" | head -5
Discovered subdomains:
https://mcp.kobold.htb - MCPJam Inspector
This is an MCP (Model Context Protocol) server testing and debugging interface. It provides a web UI and REST API for connecting to, testing, and debugging MCP servers. The API exposes an endpoint /api/mcp/connect that processes server connection requests.
https://bin.kobold.htb - PrivateBin 2.0.2
An encrypted zero-knowledge pastebin. The version number 2.0.2 is visible in the page footer and in JavaScript asset filenames like privatebin.js?2.0.2. This version carries CVE-2025-64714 (LFI via template cookie).
http://kobold.htb:3552 - GetArcane Docker Manager
A Docker container management panel (similar to Portainer) written in Go. Runs directly on the host as root. Presents a login page.
3. Initial Access - CVE-2026-23744
3.1 - Vulnerability Research
Searching for security advisories related to MCPJam Inspector reveals GHSA-232v-j27c-5pp6 (assigned CVE-2026-23744). The vulnerability exists in the /api/mcp/connect API endpoint. When a serverConfig object is submitted, the command field is passed directly to Node.js's child_process.spawn() without any input sanitization or authentication check. This allows any unauthenticated attacker to execute arbitrary operating system commands on the server.
Root cause: The MCPJam Inspector is designed as a developer tool for testing MCP servers locally. It expects to be run in a trusted local environment. When exposed publicly or on a network without authentication, the serverConfig.command field becomes an open command injection vector.
Required parameters:
serverId - any non-empty string (the API validates its presence)
serverConfig.command - the binary to execute
serverConfig.args - array of arguments passed to the command
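One way to close the gap described in the root cause, written in JavaScript because the Inspector runs on Node.js. This is an added example, not MCPJam Inspector code or the project's fix; REGISTERED_SERVERS, safeEqual, validateConnect, the token scheme and the file paths are assumptions. It authenticates the caller first, then only ever hands server-side values to spawn().

```javascript
// Added example (not MCPJam Inspector code). REGISTERED_SERVERS, safeEqual and
// validateConnect are hypothetical names; the paths below are constructed.

// Launch specs are fixed server-side; the client may only select one by serverId.
// Allowlisting an interpreter name alone is not enough, because args can carry code.
const REGISTERED_SERVERS = new Map([
  ['filesystem', { command: '/usr/bin/node', args: ['/opt/mcp/fs-server.js'] }],
]);

// Length-checked comparison that does not exit early on the first mismatch.
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Returns { ok: true, command, args } or { ok: false, status, reason }.
function validateConnect(body, presentedToken, expectedToken) {
  // 1. Authentication first: the page describes the endpoint as having no such check.
  if (!expectedToken || !safeEqual(presentedToken, expectedToken)) {
    return { ok: false, status: 401, reason: 'missing or invalid token' };
  }
  // 2. serverId must name a registered spec.
  const spec = body && typeof body.serverId === 'string'
    ? REGISTERED_SERVERS.get(body.serverId) : undefined;
  if (!spec) return { ok: false, status: 403, reason: 'unknown serverId' };
  // 3. Any client-supplied command/args must equal the registered spec exactly.
  const cfg = body.serverConfig || {};
  const sameCommand = cfg.command === undefined || cfg.command === spec.command;
  const sameArgs = cfg.args === undefined ||
    (Array.isArray(cfg.args) && cfg.args.length === spec.args.length &&
     cfg.args.every((a, i) => a === spec.args[i]));
  if (!sameCommand || !sameArgs) {
    return { ok: false, status: 403, reason: 'serverConfig does not match registered spec' };
  }
  // Only the server-side values are ever handed to spawn().
  return { ok: true, command: spec.command, args: [...spec.args] };
}

// Constructed sample requests: accepted, mismatched command, missing token.
const TOKEN = 'constructed-demo-token';
const samples = [
  [{ serverId: 'filesystem' }, TOKEN],
  [{ serverId: 'filesystem', serverConfig: { command: '/usr/bin/id', args: [] } }, TOKEN],
  [{ serverId: 'filesystem' }, undefined],
];
for (const [body, tok] of samples) console.log(validateConnect(body, tok, TOKEN));
```

Binding the tool to the loopback interface remains the first control, since the page notes it is meant for a trusted local environment; the validator covers the case where it is reachable anyway.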
This machine is still active in HTB, so the full walkthrough, exploitation path, and flags cannot be publicly released.

