aipostex Lab Environment¶
A 5-VM Proxmox lab for testing aipostex against realistic shadow AI sprawl.
The lab spans four target personas: developer workstation, ML platform, data science, and shared AI apps. The current mini lab includes A2A protocol fixtures, a shared callback listener, a post-exploitation validation oracle, and a localhost-gated lateral movement target — expanding the service surface to 29 health-checked endpoints and 170 planted sensitive findings.
Just need to test the tool against one product?
The Single-Service Sandbox spins up one real AI-infra product (ChromaDB, W&B, Qdrant, MLflow, Ollama, or a real a2a-sdk agent) under Docker on your workstation — no full lab required. It's the fast realism dev loop.
Lab at a Glance¶
| Metric | Count |
|---|---|
| Virtual machines | 5 (4 targets + 1 attack box) |
| Target VMs | 4 |
| Health-checked service endpoints | 29 |
| Planted sensitive findings | 170 |
verify-lab.sh checks |
58 |
Feature Highlights¶
Network Discovery¶
Scan 172.16.50.0/24 and fingerprint the exposed AI/ML surface including Ollama, Jupyter, MCP, Gradio, ChromaDB, MLflow, LiteLLM, Ray, Weaviate, Qdrant, LangServe, Streamlit, an auth-gated HF TGI gateway, HF TEI, vLLM, W&B, Kubeflow, TF Serving, pgvector, and three A2A protocol agents.
A2A Protocol Testing¶
Three A2A agent fixtures on ailab-app (ports 8100–8102) exercise the full A2A attack chain: agent card enumeration, unauthenticated task injection, task history credential leak, streaming eavesdrop, push-notification hijack, and A2A-to-MCP cross-protocol pivoting.
Post-Exploitation Validation¶
A callback listener (ailab-attack:9000) confirms webhook callbacks fire. A Post-Ex Oracle (ailab-app:8765) validates credentials, persistence heartbeats, and execution sentinels. A localhost-only lateral target on ailab-dev requires prior RCE to reach.
Tier 2 Workflow Validation¶
The lab includes verification coverage for bounded Tier 2 exploit workflows: Ollama exfiltration, Jupyter kernel abuse, Ray pip injection, MLflow tamper-proof paths, MCP stdio transport, and A2A push-notification hijack with callback confirmation.
Deployment Evolution¶
The repo keeps Bash as the canonical path, introduces a shared inventory source, adds an optional Ansible wrapper, and documents the later Packer/Ludus path.
Enterprise Track¶
The current 5-VM lab remains the Mini tier. A separate Enterprise track is in development and adds ent-* hosts, routed Proxmox zones, internal DNS-style aliases, native infrastructure services, seeded artifacts, verification, snapshots, and reset. Proxmox remains script-managed, Enterprise service phases have an optional staged Ansible wrapper, and Terraform remains AWS-only.
Enterprise currently allocates about 36 GiB RAM / 16 vCPU for team and 44 GiB RAM / 20 vCPU for pro.
Quick Start¶
bash lab-scripts/proxmox-setup.sh
bash lab-scripts/attack-box/setup.sh
bash lab-scripts/deploy-all.sh
bash lab-scripts/verify-lab.sh
For the staged automation roadmap, see Deployment Evolution.