Skip to content

aipostex Lab Environment

A 5-VM Proxmox lab for testing aipostex against realistic shadow AI sprawl.

The lab spans four target personas: developer workstation, ML platform, data science, and shared AI apps. The current mini lab includes A2A protocol fixtures, a shared callback listener, a post-exploitation validation oracle, and a localhost-gated lateral movement target — expanding the service surface to 29 health-checked endpoints and 170 planted sensitive findings.

Just need to test the tool against one product?

The Single-Service Sandbox spins up one real AI-infra product (ChromaDB, W&B, Qdrant, MLflow, Ollama, or a real a2a-sdk agent) under Docker on your workstation — no full lab required. It's the fast realism dev loop.


Lab at a Glance

Metric Count
Virtual machines 5 (4 targets + 1 attack box)
Target VMs 4
Health-checked service endpoints 29
Planted sensitive findings 170
verify-lab.sh checks 58

Feature Highlights

Lab network topology

Network Discovery

Scan 172.16.50.0/24 and fingerprint the exposed AI/ML surface including Ollama, Jupyter, MCP, Gradio, ChromaDB, MLflow, LiteLLM, Ray, Weaviate, Qdrant, LangServe, Streamlit, an auth-gated HF TGI gateway, HF TEI, vLLM, W&B, Kubeflow, TF Serving, pgvector, and three A2A protocol agents.

A2A Protocol Testing

Three A2A agent fixtures on ailab-app (ports 8100–8102) exercise the full A2A attack chain: agent card enumeration, unauthenticated task injection, task history credential leak, streaming eavesdrop, push-notification hijack, and A2A-to-MCP cross-protocol pivoting.

Post-Exploitation Validation

A callback listener (ailab-attack:9000) confirms webhook callbacks fire. A Post-Ex Oracle (ailab-app:8765) validates credentials, persistence heartbeats, and execution sentinels. A localhost-only lateral target on ailab-dev requires prior RCE to reach.

Tier 2 Workflow Validation

The lab includes verification coverage for bounded Tier 2 exploit workflows: Ollama exfiltration, Jupyter kernel abuse, Ray pip injection, MLflow tamper-proof paths, MCP stdio transport, and A2A push-notification hijack with callback confirmation.

Deployment Evolution

The repo keeps Bash as the canonical path, introduces a shared inventory source, adds an optional Ansible wrapper, and documents the later Packer/Ludus path.

Enterprise Track

The current 5-VM lab remains the Mini tier. A separate Enterprise track is in development and adds ent-* hosts, routed Proxmox zones, internal DNS-style aliases, native infrastructure services, seeded artifacts, verification, snapshots, and reset. Proxmox remains script-managed, Enterprise service phases have an optional staged Ansible wrapper, and Terraform remains AWS-only.

Enterprise currently allocates about 36 GiB RAM / 16 vCPU for team and 44 GiB RAM / 20 vCPU for pro.


Quick Start

bash lab-scripts/proxmox-setup.sh
bash lab-scripts/attack-box/setup.sh
bash lab-scripts/deploy-all.sh
bash lab-scripts/verify-lab.sh

For the staged automation roadmap, see Deployment Evolution.