Skip to content

Scenario 03: Inference Server Fingerprinting

Difficulty: Beginner Time: ~15 minutes Prerequisites: Complete Scenario 01 Target: ailab-app:8180 (HF TGI gateway), ailab-ml:8181 (HF TEI)

Background

HuggingFace Text Generation Inference (TGI) and Text Embeddings Inference (TEI) are widely deployed model serving engines. Their /info endpoints expose model identifiers, engine versions, Docker image SHAs, and configuration details. The /metrics endpoints leak Prometheus telemetry about usage patterns, queue depths, and batch sizes.

Objective

Fingerprint HuggingFace inference servers to extract model names, versions, and operational metrics.

Commands

# Fingerprint HF TGI
aipostex discover network --target 172.16.50.40:8180 --discovery-only

# Fingerprint HF TEI
aipostex discover network --target 172.16.50.20:8181 --discovery-only

# Extract embeddings to confirm the TEI model works
aipostex huggingface --target 172.16.50.20:8181 embed --inputs "test sentence" --force-exploit

Expected Finding

HF TGI (port 8180): - Model ID: acme-tgi-lab - Model type: text-generation - Engine version, Docker SHA, max token limits - Prometheus metrics: request counts, queue size, batch sizes

HF TEI (port 8181): - Model ID: acme-tei-lab - Model type: embedding - Embedding generation confirmed (returns 8-dimensional vectors) - Reranking capability available at /rerank - Prometheus metrics: request and embed counts

{
  "finding_type": "model_info",
  "service": "huggingface_tgi",
  "model_id": "acme-tgi-lab",
  "model_type": "text-generation"
}

Scoring objective: Both /info endpoints return valid JSON with model_id fields. The TEI /embed endpoint returns a 2D array of floats.

Real-World Impact

Model fingerprinting reveals what an organization is running — are they using base models or fine-tuned variants? What are the token limits? The /metrics endpoint lets an attacker estimate load patterns and find low-traffic windows for further exploitation. Model names like "acme-fraud-scorer" reveal business logic.

Follow-On

  • Scenario 07: Use the embedding service in a RAG poisoning attack
  • Scenario 08: Chain model info with credentials from other services