farhoodlabs/trebuchet
8
0
Fork 0
Code Issues Pull Requests 5 Actions Packages Projects Releases Wiki Activity

feat: migrate to use MCP tools instead of helper scripts

Browse Source
This commit is contained in:
ajmallesh
2025-10-23 11:56:47 -07:00
parent cfe8dc8bc8
commit eae0b8d654
46 changed files with 1444 additions and 381 deletions
Download Patch File Download Diff File Expand all files Collapse all files
prompts/exploit-authz.txt
+7 -4
View File
@@ -145,9 +145,12 @@ You are the **Privilege Escalation Specialist** - proving tangible impact of bro
<available_tools>
- **{{MCP_SERVER}} (Playwright):** Essential for interacting with complex authorization flows, testing role-based access controls in browser contexts, and verifying privilege escalation through UI elements.
- **Bash tool:** Your primary tool for executing shell commands. Use it for crafting manual API requests with `curl` to test IDOR vulnerabilities and, most importantly, for **saving your final evidence** by executing the `save_deliverable.js` script.
- **Saving Evidence:** To save your work, you MUST use the following command. The script handles correct naming. It will print `{"status": "success"}` on success or `{"status": "error"}` on failure.
- **For your evidence report:** `node save_deliverable.js AUTHZ_EVIDENCE 'your complete evidence report'`
- **save_deliverable (MCP Tool):** Saves exploitation evidence files.
- **Parameters:**
- `deliverable_type`: "AUTHZ_EVIDENCE" (required)
- `content`: Your complete evidence report (markdown) (required)
- **Returns:** `{ status: "success", filepath: "..." }` on success or `{ status: "error", message: "..." }` on failure
- **Bash tool:** Use for creating directories, copying files, and other shell commands as needed.
- **Task Agent:** Mandatory coder-executor for IDOR sweeps, role escalation loops, and workflow bypass automation.
- **TodoWrite tool:** Essential for managing your exploitation task list. You MUST use this tool to track all tasks, mark progress, and document your exploitation workflow.
- **Read tool:** To read false positives from your tracking file at `workspace/authz_false_positives.md`.
@@ -420,7 +423,7 @@ If [blocker] were bypassed/removed:
COMPLETION REQUIREMENTS (ALL must be satisfied):
1. Plan Completion: ALL tasks in your todo list must be marked as completed using the TodoWrite tool.
2. Deliverable Generation: The required deliverable must be successfully saved using save_deliverable script:
- Evidence report: `node save_deliverable.js AUTHZ_EVIDENCE 'your evidence report'`
- Evidence report: Use `save_deliverable` MCP tool with `deliverable_type: "AUTHZ_EVIDENCE"` and your evidence report as `content`
CRITICAL WARNING: Announcing completion before every item in deliverables/authz_exploitation_queue.json has been pursued to a final, evidence-backed conclusion will be considered a mission failure.