Hack The Box: How MCP Inspector Turns AI Tools into a New Attack Vector

Kobold from HTB Season 10 is a good example of how a vulnerability in an AI stack dev utility quickly escalates to complete host compromise. The attack chain…

AI-processed from Habr AI; edited by Hamidun News
Source: Habr AI. Collage: Hamidun News.

The Kobold machine from Hack The Box Season 10 demonstrates an important point: new risks around AI emerge not only in the models themselves, but also in the tools that developers use to maintain them. In this breakdown, the initial attack vector lies in MCP Inspector — a dev utility for AI servers. The attack chain then unfolds according to a familiar infrastructure security scenario: code execution, reading local files within the container, credential reuse, and privilege escalation via Docker, up to complete system compromise.

Kobold is positioned as an Easy machine, but its value lies not in exploitation complexity, but in the realism of the vulnerability chain. The author shows how a service for debugging and inspecting MCP components can suddenly become an external perimeter. For teams building an AI stack from servers, connectors, and auxiliary tools, this is an uncomfortable reminder: anything connected to the model and having access to the local environment automatically becomes part of the attack surface.

And it is precisely such elements that are often less well protected, because they are considered internal, temporary, or "for developers only."

The first stage of the chain is RCE through MCP Inspector. This step alone already changes the threat picture: an attacker doesn't need to break the main application if a less protected tool with extended capabilities sits right next to it.

After gaining code execution inside the container, the attacker moves to LFI, i.e., reading local files.

In practice, this is one of the most productive stages of any attack on containerized services: configs, environment variables, logs, keys, service tokens, and build artifacts often sit in predictable locations. Even if secrets are not directly leaked, exposure of directory structure, service names, or internal addresses already helps accelerate further progress.

The next important point is credential reuse. In AI projects, this is a particularly common problem: teams quickly spin up experimental services, copy .env files, duplicate passwords across containers, and leave identical credentials for different roles.

In the breakdown, it is precisely the reuse of secrets that enables the transition from local access to more sensitive system components, after which Docker configuration errors provide privilege escalation. The material shows two independent paths to complete control of the machine, emphasizing the main point: once an attacker already has code running inside the container, a Docker socket, extra capabilities, unsafe mounts, and overly broad access to host resources quickly turn the container from a barrier into a convenient intermediate point. It's particularly useful that the author maps the attack to MITRE ATT&CK.

Such a breakdown turns step-by-step machine compromise into practical material for defenders: you see not only the sequence of actions, but also classes of techniques — initial execution, discovery, collection, credential access, lateral movement, and privilege escalation. This helps blue teams and DevSecOps align the lab scenario with real logs, alerts, and detection measures.
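As an added illustration of that alignment (example code written for this summary, not part of the original Habr breakdown), the script below runs a handful of detection rules over a constructed feed of container process, file and socket events and tags each hit with the MITRE ATT&CK technique it corresponds to. The event schema, the container name and every sample line are assumptions made up for the example; the technique IDs are real ATT&CK identifiers.

```python
import json
import re

# Constructed sample of events as a container runtime sensor or EDR agent
# might emit them, one JSON object per line. The schema (type/exe/args/
# parent/path/dest) and every value are assumptions made up for this example.
SAMPLE_EVENTS = """\
{"ts": "2025-01-01T10:00:00Z", "container": "mcp-inspector", "type": "process", "exe": "/usr/bin/node", "args": "node server.js", "parent": "npm"}
{"ts": "2025-01-01T10:00:01Z", "container": "mcp-inspector", "type": "process", "exe": "/bin/sh", "args": "sh -c id", "parent": "node"}
{"ts": "2025-01-01T10:00:05Z", "container": "mcp-inspector", "type": "file_read", "exe": "/bin/cat", "path": "/app/.env"}
{"ts": "2025-01-01T10:00:09Z", "container": "mcp-inspector", "type": "file_read", "exe": "/bin/cat", "path": "/proc/1/environ"}
{"ts": "2025-01-01T10:00:12Z", "container": "mcp-inspector", "type": "file_read", "exe": "/usr/bin/node", "path": "/app/package.json"}
{"ts": "2025-01-01T10:00:20Z", "container": "mcp-inspector", "type": "connect", "exe": "/usr/bin/curl", "dest": "unix:/var/run/docker.sock"}
{"ts": "2025-01-01T10:00:30Z", "container": "mcp-inspector", "type": "process", "exe": "/usr/bin/docker", "args": "docker ps", "parent": "sh"}
"""

SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash", "/usr/bin/sh", "/usr/bin/bash"}
APP_RUNTIMES = {"node", "python", "python3"}
# .env files anywhere, or another process's environment block under /proc.
SECRET_PATHS = re.compile(r"(^|/)\.env(\.|$)|^/proc/\d+/environ$")
CONTAINER_CLIENTS = {"/usr/bin/docker", "/usr/bin/ctr", "/usr/bin/crictl"}


def _shell_from_runtime(e):
    return e.get("exe") in SHELLS and e.get("parent") in APP_RUNTIMES


def _secret_file(e):
    return bool(SECRET_PATHS.search(e.get("path", "")))


def _docker_socket(e):
    return e.get("dest", "").endswith("/docker.sock")


def _container_client(e):
    return e.get("exe") in CONTAINER_CLIENTS


# (event type, predicate, ATT&CK technique, tactic, reason)
RULES = [
    ("process", _shell_from_runtime, "T1059.004", "Execution",
     "application runtime spawned a shell"),
    ("file_read", _secret_file, "T1552.001", "Credential Access",
     "read of a credential-bearing file"),
    ("connect", _docker_socket, "T1611", "Privilege Escalation",
     "connection to the Docker socket from inside a container"),
    ("process", _container_client, "T1609", "Execution",
     "container administration client run inside a container"),
]


def detect(jsonl):
    """Apply RULES to a JSON-lines event feed; return one alert per matching rule."""
    alerts = []
    for raw in jsonl.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        event = json.loads(raw)
        for etype, pred, technique, tactic, reason in RULES:
            if event.get("type") == etype and pred(event):
                alerts.append({"ts": event["ts"], "container": event.get("container"),
                               "technique": technique, "tactic": tactic, "reason": reason})
    return alerts


def chain(alerts):
    """Distinct tactics in the order they were first observed: the attack chain."""
    seen = []
    for a in alerts:
        if a["tactic"] not in seen:
            seen.append(a["tactic"])
    return seen


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for a in hits:
        print(f"{a['ts']} {a['container']} {a['technique']} ({a['tactic']}): {a['reason']}")
    print("chain:", " -> ".join(chain(hits)))
```

Each rule is deliberately narrow (a shell spawned by the app runtime, a read of `.env` or `/proc/<pid>/environ`, any connection to `docker.sock`, a container client binary running inside a container) so that the same alerts can be reproduced in a lab and then checked against the production sensor's real field names.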

The main thesis extends far beyond a single machine: the MCP ecosystem, including inspectors, proxies, connectors, and local bridges to files, networks, and secrets, becomes a new attack surface precisely because it exists at the intersection of several trusted zones. What does this mean in practice? For teams building AI services, it's no longer enough to protect only the model API and user interface.

You need to move dev tools out of public access, enable authentication even for "internal" utilities, prohibit credential reuse, reduce container privileges, audit Docker configurations, and log actions around MCP components as carefully as around primary production services. Kobold excels because without excess theory it shows: the next serious incident in an AI stack may start not with the model, but with a small utility tool that no one considered critical.
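One concrete form of the "audit Docker configurations" item, as an added example rather than anything from the original breakdown: a small audit over the JSON that `docker inspect` emits for a container, flagging the settings named above (a mounted Docker socket, extra capabilities, host namespaces, sensitive host paths, a root user, ports published on all interfaces). The field names are the ones Docker emits; the sample container document, its name and its paths are constructed for the example.

```python
import json
import sys

# Capabilities whose grant to a container commonly enables host takeover.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH",
                  "DAC_OVERRIDE", "NET_ADMIN", "SYS_RAWIO", "ALL"}
# Host paths that should not be bind-mounted into an application container.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/home", "/proc", "/sys", "/boot")

# Constructed `docker inspect`-style document (one container). Field names are
# Docker's; the container name, paths and port are made up for this example.
SAMPLE_INSPECT = [{
    "Name": "/mcp-inspector",
    "HostConfig": {
        "Privileged": False,
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock", "/srv/app:/app"],
        "CapAdd": ["SYS_ADMIN"],
        "NetworkMode": "bridge",
        "PidMode": "",
        "PortBindings": {"8080/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"}]},
    },
    "Mounts": [
        {"Type": "bind", "Source": "/var/run/docker.sock",
         "Destination": "/var/run/docker.sock", "RW": True},
        {"Type": "bind", "Source": "/srv/app", "Destination": "/app", "RW": True},
    ],
    "Config": {"User": ""},
}]


def _under(path, prefix):
    """True if `path` equals `prefix` or lies below it (on a path boundary)."""
    if prefix == "/":
        return path == "/"
    return path == prefix or path.startswith(prefix + "/")


def audit(container):
    """Return a list of (severity, message) findings for one inspect document."""
    findings = []
    host = container.get("HostConfig") or {}
    cfg = container.get("Config") or {}

    if host.get("Privileged"):
        findings.append(("HIGH", "container runs with --privileged"))

    for cap in host.get("CapAdd") or []:
        cap = cap.upper().removeprefix("CAP_")
        if cap in DANGEROUS_CAPS:
            findings.append(("HIGH", f"dangerous capability added: {cap}"))

    if host.get("NetworkMode") == "host":
        findings.append(("MEDIUM", "shares the host network namespace"))
    if host.get("PidMode") == "host":
        findings.append(("HIGH", "shares the host PID namespace"))

    for mount in container.get("Mounts") or []:
        src, dst = mount.get("Source", ""), mount.get("Destination", "")
        if src.endswith("docker.sock"):
            findings.append(("HIGH", f"Docker socket mounted at {dst}"))
            continue
        if mount.get("Type") == "bind" and any(_under(src, p) for p in SENSITIVE_HOST_PATHS):
            findings.append(("HIGH", f"sensitive host path {src} mounted at {dst}"))

    for port, bindings in (host.get("PortBindings") or {}).items():
        for b in bindings or []:
            if b.get("HostIp", "") in ("", "0.0.0.0", "::"):
                findings.append(("MEDIUM", f"port {port} published on all interfaces"))

    if not cfg.get("User"):
        findings.append(("MEDIUM", "no User set; processes run as root"))

    return findings


if __name__ == "__main__":
    # Usage: docker inspect <container> | python audit_container.py
    # With no piped input the constructed sample is audited instead.
    docs = SAMPLE_INSPECT if sys.stdin.isatty() else json.load(sys.stdin)
    worst = 0
    for doc in docs:
        for sev, msg in audit(doc):
            print(f"{doc.get('Name', '?')}: [{sev}] {msg}")
            worst = max(worst, 2 if sev == "HIGH" else 1)
    sys.exit(worst)
```

The non-zero exit code on findings lets the same check run in CI against the compose or run configuration before a dev tool ever reaches a shared host; a dev utility that needs none of these settings should audit clean.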
