Objective: MCP

For this challenge, I tried plugging the MCP.json into the Claude Desktop config, but there were some errors. Instead, we shall use Postman to interact with the MCP server.
First, let's list the tools that are available (the `tools/list` response):

```json
{
  "jsonrpc": "2.0",
  "id": 1,
  "result": {
    "tools": [
      {
        "name": "get_secret",
        "description": "Get a secret from the development Key Vault",
        "inputSchema": {
          "type": "object",
          "properties": {
            "secret_name": {
              "type": "string",
              "description": "Name of the secret to retrieve"
            }
          },
          "required": ["secret_name"]
        }
      },
      {
        "name": "list_secrets",
        "description": "List secrets in the development Key Vault",
        "inputSchema": {
          "type": "object",
          "properties": {},
          "required": []
        }
      },
      {
        "name": "test_vault_access",
        "description": "Test access to any Key Vault URL (diagnostic function)",
        "inputSchema": {
          "type": "object",
          "properties": {
            "vault_url": {
              "type": "string",
              "description": "Key Vault URL to test access against"
            }
          },
          "required": ["vault_url"]
        }
      },
      {
        "name": "discover_resources",
        "description": "Discover Azure resources accessible by this identity",
        "inputSchema": {
          "type": "object",
          "properties": {
            "resource_type": {
              "type": "string",
              "enum": ["keyvault", "all"],
              "description": "Type of resource to discover"
            }
          },
          "required": ["resource_type"]
        }
      },
      {
        "name": "get_secret_from_vault",
        "description": "Get a secret from any specific Key Vault (admin function)",
        "inputSchema": {
          "type": "object",
          "properties": {
            "vault_url": {
              "type": "string",
              "description": "Key Vault URL"
            },
            "secret_name": {
              "type": "string",
              "description": "Name of the secret to retrieve"
            }
          },
          "required": ["vault_url", "secret_name"]
        }
      },
      {
        "name": "get_command_history",
        "description": "Get history of previously executed commands and tools",
        "inputSchema": {
          "type": "object",
          "properties": {
            "limit": {
              "type": "integer",
              "description": "Number of recent commands to return (default: 20, max: 50)",
              "minimum": 1,
              "maximum": 50
            }
          },
          "required": []
        }
      }
    ]
  }
}
```
Running the discover_resources tool, we found an existing Key Vault.

Next, we can use test_vault_access and get_secret_from_vault to try to retrieve the flag.

However, all the secrets within the dev Key Vault are placeholders. Let's try changing dev to prod in the vault URL to see if we can access the prod Key Vault data.

We have access to the prod Key Vault and are able to retrieve the flag.
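The dev-to-prod pivot works because the server's test_vault_access and get_secret_from_vault tools forward whatever vault_url the caller supplies. Below is an added example (not the challenge server's code) of the allowlist check a hardened get_secret_from_vault handler would apply before touching Key Vault; the vault hostnames and the fetch_secret stand-in are constructed for the example.

```python
from typing import Optional
from urllib.parse import urlparse

# Constructed allowlist: the only vault this MCP server is meant to reach.
ALLOWED_VAULT_HOSTS = {"ctf-dev-kv.vault.azure.net"}


def normalize_vault_host(vault_url: str) -> Optional[str]:
    """Return the lower-cased host of a Key Vault URL, or None if it is not a
    plain https URL (no userinfo) on the public Key Vault DNS suffix."""
    try:
        parsed = urlparse(vault_url)
    except ValueError:
        return None
    if parsed.scheme != "https" or parsed.username or parsed.password:
        return None  # rejects http:// and user@host tricks
    host = (parsed.hostname or "").lower()
    if not host.endswith(".vault.azure.net"):
        return None
    return host


def vault_url_allowed(vault_url: str) -> bool:
    """True only when the URL resolves to an allowlisted vault host."""
    host = normalize_vault_host(vault_url)
    return host is not None and host in ALLOWED_VAULT_HOSTS


def fetch_secret(vault_url: str, secret_name: str) -> str:
    # Hypothetical stand-in for the Key Vault SDK call; returns a constructed value.
    return f"<value of {secret_name} from {urlparse(vault_url).hostname}>"


def handle_get_secret_from_vault(arguments: dict) -> dict:
    """Hardened tools/call handler: checks the inputSchema's required fields,
    then refuses any vault outside the allowlist before doing a lookup."""
    missing = [k for k in ("vault_url", "secret_name") if k not in arguments]
    if missing:
        return {"isError": True, "content": [{"type": "text",
                "text": "missing required argument(s): " + ", ".join(missing)}]}
    if not vault_url_allowed(arguments["vault_url"]):
        return {"isError": True, "content": [{"type": "text",
                "text": "vault_url is not an allowlisted Key Vault for this tool"}]}
    value = fetch_secret(arguments["vault_url"], arguments["secret_name"])
    return {"isError": False, "content": [{"type": "text", "text": value}]}
```

With this check in place, the same request aimed at a prod vault URL is rejected at the tool boundary instead of being answered with the identity's full reach.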
