Challenge 62 β˜†β˜†

Welcome to challenge Challenge 62.

MCP Server Privilege Escalation via Google Service Account

The Model Context Protocol (MCP) allows AI assistants and agents to use tools and access external services. When an MCP server is configured with a Google Service Account that has broader permissions than the calling user, it creates a privilege escalation vulnerability: anyone who can call the MCP tool gains access to resources they are not directly authorized to access.

This challenge demonstrates a realistic scenario where a developer has built an MCP server to help an AI assistant access internal Google Drive documents. The service account used by the MCP server has read access to a restricted document β€” but the MCP server does not verify that the caller is authorized to access it.

Your goal:

  1. An MCP server is running on this application accessible via the /mcp62 endpoint

  2. The server exposes a read_google_drive_document tool that uses a Google Service Account

  3. The service account has read access to a Google Drive document containing the secret

  4. The tool does not check whether the caller is authorized to access that document

How to interact with the MCP server:

First, discover the available tools:

curl -s -X POST http://localhost:8080/mcp62 \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'

Then, call the read_google_drive_document tool to retrieve the document contents:

curl -s -X POST http://localhost:8080/mcp62 \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"read_google_drive_document","arguments":{}}}'

πŸ’‘ Note:

The server reads a Google Drive document using a configured service account. The document’s content contains the secret you need to submit as your answer. The key security insight is that the MCP server’s service account has privileged access that neither you nor your AI assistant would normally have β€” but the MCP server grants it implicitly to anyone who calls its tools.

Implementation details (for maintainers):

  • The challenge answer is extracted from content between <secret> and </secret>.

  • Extraction is done once at secret load time and then cached for answer validation.

  • The MCP controller caches fetched documents, always retaining the configured default document plus up to 20 additional document ids.

πŸ’‘ Tip: Secrets are often strings, numbers, or encoded values. Copy and paste exactly what you find.

Hint for Challenge 62

This challenge demonstrates how an MCP server with an overly-privileged Google Service Account enables privilege escalation.

Where to look:

  1. An MCP server is running at /mcp62 on the main application port

  2. The MCP server exposes a read_google_drive_document tool that uses a Google Service Account to read a document

  3. You do not need valid Google credentials β€” the service account is already configured in the application

Step-by-step approach:

First, list the tools the MCP server offers:

curl -s -X POST http://localhost:8080/mcp62 \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'

Then call read_google_drive_document to read the document:

curl -s -X POST http://localhost:8080/mcp62 \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"read_google_drive_document","arguments":{}}}'

What to look for:

  • The response contains the contents of a Google Drive document

  • The document contains the secret answer for this challenge

  • The answer validator uses the value between <secret> and </secret> from that content

  • Notice that you accessed a document you are not directly authorized to read β€” the MCP server’s service account provided that access

Maintainer note: The MCP controller keeps a bounded document cache to reduce repeated Drive API calls.

Remember: This is an example of privilege escalation through an MCP server. The service account has more permissions than you (the caller) would have, and the MCP server does not enforce caller-level access controls.

Why Challenge 62 Matters: MCP Privilege Escalation via Google Service Account

The Problem:

MCP (Model Context Protocol) servers are increasingly used to give AI assistants access to external services and data sources. When these servers are configured with service accounts or API keys that have broader permissions than the calling user, they create a dangerous privilege escalation vector.

This challenge demonstrates the Principle of Least Privilege violation: the MCP server’s Google Service Account has access to a restricted Google Drive document, but the server grants that access to any caller without verifying whether the caller is authorized to see the document.

The Real-World Scenario:

  1. A developer builds an MCP server to help an internal AI assistant access team documents in Google Drive

  2. The service account is granted read access to a sensitive document

  3. The developer does not implement any caller authentication or authorization checks on the MCP tools

  4. Anyone who discovers the MCP endpoint can now read documents they are not supposed to access β€” effectively using the service account as a privilege escalation proxy

Why This Is Dangerous:

  • Privilege escalation: Callers gain the service account’s permissions, not their own

  • No audit trail: Access via the MCP tool may not be logged with the caller’s identity

  • Broad attack surface: Any MCP client (legitimate or malicious) can invoke the tool

  • AI-assisted exploitation: AI agents connected to this MCP server will execute the tool automatically when instructed, amplifying the risk

How to Fix:

  1. Authenticate MCP callers: Require an authentication token on the MCP endpoint and verify caller identity before executing tools

  2. Authorize at the tool level: Check whether the authenticated caller is permitted to access the requested resource before calling the service account

  3. Scope service account permissions narrowly: The service account should have the minimum permissions necessary for legitimate use cases only

  4. Audit all tool invocations: Log the caller identity along with every tool call so access can be reviewed

  5. Prefer impersonation over shared credentials: Use caller-specific credentials or token exchange instead of a single shared service account

WrongSecrets implementation notes:

  • Challenge answer parsing uses tagged content (<secret>…​</secret>) and caches the extracted value to optimize its memory footprint.

  • MCP document retrieval uses a bounded cache to limit repeated outbound requests while preserving the configured default document.

  • Relevant tests:

  • Challenge62Test

  • Challenge62McpControllerTest

References:


⬅️ Previous
🏠 Main Page
Next ➑️
0

πŸ”‘ MCP Server with Google Service Account

An MCP (Model Context Protocol) server is running alongside this application. It exposes a read_google_drive_document tool that uses a Google Service Account to read a restricted document β€” even if you are not directly authorized to access it.

⚠️ The MCP server is reachable via /mcp62.

Step 1 β€” Discover what tools the MCP server exposes:

curl -s -X POST http://localhost:8080/mcp62 \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/list"}'

Step 2 β€” Call read_google_drive_document to read the restricted document:

curl -s -X POST http://localhost:8080/mcp62 \
  -H 'Content-Type: application/json' \
  -d '{"jsonrpc":"2.0","id":2,"method":"tools/call","params":{"name":"read_google_drive_document","arguments":{}}}'

πŸ’‘ The document content contains the secret. Submit the secret content as your answer.