Skip to content

Scenario 02: LLM Gateway Config Extraction

Difficulty: Beginner Time: ~10 minutes Prerequisites: Complete Scenario 01 Target: ailab-ml:4000 (LiteLLM Proxy)

Background

LiteLLM is a popular open-source LLM gateway that routes requests to multiple backend providers. It standardizes the OpenAI API format across providers like Anthropic, HuggingFace, Azure, and AWS Bedrock. When deployed without authentication, its configuration can leak API keys and model routing details.

Objective

Extract API keys, model configurations, and backend provider details from the LiteLLM proxy.

Commands

# Fingerprint the LiteLLM instance
aipostex discover network --target 172.16.50.20:4000 --discovery-only

# Extract configuration and API keys
aipostex litellm --target 172.16.50.20:4000 config-extract

Expected Finding

The LiteLLM proxy exposes its full configuration including:

  • API Keys: OpenAI, Anthropic, Azure, and AWS Bedrock keys configured as backend providers
  • Model routing table: Which models map to which providers
  • Rate limits and spend tracking: Per-key usage data

Example finding:

{
  "finding_type": "api_key",
  "service": "litellm",
  "key_type": "openai_api_key",
  "value": "sk-proj-fake-..."
}

Scoring objective: At least 4 API keys extracted from the LiteLLM configuration (OpenAI, Anthropic, Azure, Bedrock).

Real-World Impact

LLM gateways are becoming the central nervous system of enterprise AI. A compromised LiteLLM proxy gives an attacker access to every LLM provider the enterprise uses — they can generate text at the company's expense, exfiltrate the routing logic, and potentially access fine-tuned models behind the gateway.

Follow-On

  • Scenario 06: Harvest credentials from more ML platform services
  • Scenario 08: Chain these keys with other findings