R3dy/mythic-docker-mcp · critical
Docker mcp server for Mythic created by LLMs and me (but mostly LLMs)
This MCP server provides tools to interact with the Mythic C2 framework, allowing users to list callbacks, tasks, operators, payloads, and operations,...
purpose: This MCP server provides tools to interact with th
threat: network exposed
RISK SCORE
0 / 100 risk
high findings +100
medium findings +15
capped at 100
VULNERABILITY ANALYSIS · 5 findings in 5 blocks · 4 HIGH · 1 MEDIUM
HIGH · 1 finding
mythic_server.py:395
    async def download_file(file_id: str = "", save_path: str = "") -> str:
        ...
        if not save_path.strip():
            save_path = f"downloaded_{file_id}"
        ...
        if file_content:
            with open(save_path, 'wb') as f:
                f.write(file_content)
            return f"✅ Successfully downloaded file to: {save_path}"
// Network-exposed MCP server; an attacker can send arbitrary prompts to trigger this tool.
EXPLAIN: The download_file tool accepts a user-supplied save_path without any validation or sanitization. An attacker can specify an arbitrary path (e.g., /etc/cron.d/malicious, /root/.ssh/authorized_keys) to write file content anywhere on the filesystem. The tool is intended to save files to a designated directory, but no such restriction is enforced.
IMPACT: An attacker (or compromised LLM) can write arbitrary files to any location on the server's filesystem, potentially leading to remote code execution (e.g., overwriting cron jobs, SSH keys, or system binaries).
FIX: Restrict save_path to a predefined download directory (e.g., using os.path.join with a base path) and validate that the resolved path stays within that directory. Use os.path.abspath and os.path.commonpath to prevent path traversal.
HIGH · 1 finding
mythic_server.py:428
    async def upload_file(callback_id: str = "", local_path: str = "", remote_path: str = "") -> str:
        ...
        try:
            with open(local_path, 'rb') as f:
                file_content = f.read()
        except FileNotFoundError:
            return f"❌ Error: File not found: {local_path}"
// Network-exposed MCP server; an attacker can send arbitrary prompts to trigger this tool.
EXPLAIN: The upload_file tool accepts a user-supplied local_path without any validation. An attacker can specify an arbitrary file path (e.g., /etc/shadow, /root/.ssh/id_rsa) to read sensitive files from the server's filesystem and exfiltrate them via the Mythic callback.
IMPACT: An attacker can read arbitrary files from the server's filesystem, leading to credential theft, secret leakage, and potential privilege escalation.
FIX: Restrict local_path to a predefined upload directory and validate that the resolved path stays within that directory. Use os.path.abspath and os.path.commonpath to prevent path traversal.
HIGH · 1 finding
mythic_server.py:282
    async def issue_task(callback_id: str = "", command: str = "", parameters: str = "") -> str:
        ...
        response = await mythic.create_task(
            mythic=mythic_instance,
            callback_display_id=callback_display_id,
            command_name=command,
            params=parameters
        )
// Network-exposed MCP server; an attacker can send arbitrary prompts to trigger this tool.
EXPLAIN: The issue_task tool accepts arbitrary command and parameters strings and passes them directly to the Mythic framework's create_task function. There is no validation or whitelist of allowed commands. An attacker can issue any command supported by the callback's payload type (e.g., shell, execute, powershell) to execute arbitrary system commands on compromised hosts.
IMPACT: An attacker can execute arbitrary commands on any active callback's host, leading to full compromise of those systems, lateral movement, and data exfiltration.
FIX: Implement a command whitelist or restrict the tool to only allow predefined safe commands. Alternatively, require additional authorization for command execution.
HIGH · 1 finding
mythic_server.py:638
    async def run_mythic_script(script_name: str = "") -> str:
        ...
        if script_name == "list_credentials":
            query = """
            query ListCredentials {
                credential(order_by: {timestamp: desc}) {
                    account
                    realm
                    credential_text
                    timestamp
                }
            }
            """
            response = await mythic.execute_custom_query(...)
            creds = response.get('credential', [])
            ...
            for c in creds:
                result += f" {c.get('account', 'Unknown')}@{c.get('realm', 'Unknown')}\n"
// Network-exposed MCP server; an attacker can send arbitrary prompts to trigger this tool.
EXPLAIN: The run_mythic_script tool includes a 'list_credentials' script that queries and returns credential data (including credential_text) from the Mythic server. While this is within the intended purpose of a red team tool, it exposes highly sensitive information (captured credentials) to any user who can invoke the tool. Combined with the network-exposed threat model, this is a significant information disclosure risk.
IMPACT: An attacker can retrieve all captured credentials stored in the Mythic server, including plaintext passwords, hashes, and other secrets.
FIX: Restrict access to sensitive scripts (e.g., list_credentials) to authorized operators only, or remove them from the MCP toolset if not essential.
MEDIUM · 1 finding
mythic_server.py:28
    MYTHIC_USERNAME = os.environ.get("MYTHIC_USERNAME", "")
    MYTHIC_PASSWORD = os.environ.get("MYTHIC_PASSWORD", "")
    MYTHIC_SERVER = os.environ.get("MYTHIC_SERVER", "localhost")
    MYTHIC_PORT = os.environ.get("MYTHIC_PORT", "7443")
    MYTHIC_API_TOKEN = os.environ.get("MYTHIC_API_TOKEN", "")
// Network-exposed MCP server; environment variables may be leaked through error messages or process inspection.
EXPLAIN: Mythic credentials (username, password, API token) are read from environment variables. While this is a common practice, the code does not mask or protect these values in logs or error messages. Additionally, the credentials are stored in plaintext in the process environment, which could be exposed via /proc or other mechanisms.
IMPACT: An attacker with access to the server's environment or logs could retrieve Mythic credentials and gain unauthorized access to the Mythic server.
FIX: Use a secrets manager or encrypted configuration file. Avoid logging credential values. Consider using short-lived tokens.
◷ 5/21/2026
Findings are produced by automated LLM analysis and may include false positives or miss issues. Verify independently before acting.