Overview

The machine starts by exploiting an unauthenticated command injection in the MCPJam Inspector /api/mcp/connect endpoint to get a shell as mcp-dev, then enumerating internal ports to discover a Jupyter instance on localhost:8888 where the token is retrieved via jupyter server list, using it to write an SSH key into the analyst account for a stable shell, then reading the source of an internal Flask MCP server on port 5000 to find a hardcoded API key and a hidden ops._admin_dump tool not exposed in the tools list, calling it with target=ssh_keys to exfiltrate root's private SSH key and login as root.

...