Skip to content

Scenario 05: Jupyter Remote Code Execution

Difficulty: Intermediate Time: ~20 minutes Prerequisites: Complete Scenario 01 Target: ailab-dev:8888 (Jupyter), ailab-ds:8888 (Jupyter)

Background

Jupyter notebooks are the standard interactive computing environment for data scientists and ML engineers. When deployed with default settings, they often use pre-configured tokens or no authentication at all. A compromised Jupyter instance gives an attacker arbitrary code execution in the context of the data science environment — access to datasets, model files, environment variables, and network access to other internal services.

Objective

Gain code execution through Jupyter notebooks and extract environment variables, credentials, and accessible resources.

Commands

# Exploit Jupyter on the dev workstation
aipostex jupyter --target 172.16.50.10:8888 exec --code "import os; print(os.environ)" --force-exploit

# Exploit Jupyter on the data science host
aipostex jupyter --target 172.16.50.30:8888 exec --code "import os; print(os.environ)" --force-exploit

Expected Finding

Jupyter (ailab-dev:8888): - Token-less or weak-token access to notebook server - Environment variables containing API keys, database connection strings - Notebook contents with hardcoded credentials - File system access to local model files and scripts

Jupyter (ailab-ds:8888): - Similar findings with data-science-specific credentials - Access to dataset files and model training artifacts - Network access to vector databases (Qdrant, Weaviate) on the same host

Example finding:

{
  "finding_type": "credential",
  "service": "jupyter",
  "detail": "Environment variable leak",
  "key": "OPENAI_API_KEY",
  "value": "sk-..."
}

Scoring objective: Extract at least 2 environment variables containing API keys from each Jupyter instance.

Real-World Impact

Jupyter is often the weakest link in AI infrastructure. Data scientists prioritize convenience over security — notebooks run with elevated permissions, environment variables contain production API keys, and the file system has access to training data. A single compromised Jupyter instance can pivot to every other service the data scientist had access to.

Follow-On

  • Scenario 06: Use Jupyter access to reach MLflow, Ray, and W&B
  • Scenario 11: Explore MCP tools accessible from ailab-dev