Phase 2: The Next Challenge

Phase 2

Welcome to the Second Phase

You have successfully completed the first phase of the challenge. Now it's time to dive deeper into the MCP protocol.

Understanding MCP

The Model Context Protocol

MCP acts as a universal translator between AI applications and external tools. Imagine an AI model (the Host) that needs to perform an action, like getting a stock price or, in our case, retrieving a fortune cookie. Instead of writing custom code for every single tool, the AI uses MCP to talk to a Tool Server.

As illustrated below, the Host sends a request through the secure MCP connection. The Protocol ensures that the Host and the Server speak the same language, regardless of what underlying technology they use.

Visualizing the connection between an AI Host and a Tool Server via MCP.

The communication happens via JSON-RPC messages. When the Host needs to call a tool, it packages the command into a structured JSON Request (e.g., "method": "tools/call"). This packet travels to the Server, which executes the requested action and sends back a JSON Response containing the result.

This standardized request/response cycle is what makes MCP so powerful. It decouples the AI from the implementation details of the tools.

Standard Request/Response cycle in MCP.

There are two main methods you need to know about:

`tools/list`: This method is used to discover the tools available on the server.
`tools/call`: This method is used to execute a specific tool.

Example: `tools/list`

Discovering Tools

To see the list of available tools, you can send a `tools/list` request. Here is an example using `curl`:

curl -X POST -H "Content-Type: application/json" -d '{"method": "tools/list"}' <domain>

The server will respond with a list of tools, their descriptions, and their input schemas.

Can you figure out the complete command?

Example: `tools/call`

Calling a Tool

Once you know the name of a tool, you can call it using the `tools/call` method. For example, to call the `get_fortune` tool, you would send this request:

curl -X POST -H "Content-Type: application/json" -d '{"method": "tools/call", "params": {"name": "get_fortune"}}' <domain>

You can also pass arguments to the tool. For example, to get a "wisdom" fortune:

curl -X POST -H "Content-Type: application/json" -d '{"method": "tools/call", "params": {"name": "get_fortune", "arguments": {"databases": ["wisdom"]}}}' <domain>

Your Next Challenge

Find the Secret Flag

Your mission for this phase is to use your knowledge of the MCP protocol to find and call a hidden tool on the server that will reveal the second flag.

Use the `tools/list` method to get started. Good luck!

Check Flag

Phase 2 Flag

Once you have found the flag, enter it below to check your answer.

Next Phase