Scenario 06: ML Platform Credential Harvest¶
Difficulty: Intermediate Time: ~25 minutes Prerequisites: Complete Scenario 01 Target: ailab-ml:8265 (Ray), ailab-ds:5000 (MLflow auth gateway), ailab-ml:8444 (W&B)
Background¶
Enterprise ML platforms use experiment trackers (MLflow, W&B) and distributed compute frameworks (Ray) to manage model training at scale. These services store API keys, dataset paths, model artifacts, and environment configurations. When accessible without authentication, they become treasure troves of credentials.
Two MLflow surfaces (flat lab). This is a flat shadow-AI estate — everything is exposed at enumeration. There are two distinct MLflow endpoints: the gated auth gateway at
ailab-ds:5000(Basic-auth; reached here with the Ray-lootedray-pipelinecredential — the credential-chained hop) and the MLflow platform backend atailab-ml:5000(directly reachable, no auth — the exposed backend that Scenario 10 tampers). Direct access to theailab-ml:5000backend is by design (the estate is exposed), not a gateway bypass; the gateway exists to demonstrate credential chaining, not network segmentation. Operators who want a segmented/enterprise feel can enable the opt-in segmentation toggle (see the deployment docs).
Objective¶
Harvest credentials and sensitive configuration from Ray, MLflow, and Weights & Biases.
Commands¶
# Exploit Ray cluster
aipostex ray --target http://172.16.50.20:8265 jobs
# Enumerate MLflow through the gated auth gateway with the Ray-looted credential
aipostex mlflow --target http://172.16.50.30:5000 \
--header "Authorization: Basic <ray-looted-basic>" runs --limit 20
# Exploit Weights & Biases
aipostex wandb --target http://172.16.50.20:8444 enum
Expected Finding¶
Ray (ailab-ml:8265): - Runtime environment variables: HuggingFace tokens, AWS credentials, database URIs - Job submission history with embedded secrets - Cluster configuration revealing internal network topology
MLflow gateway (ailab-ds:5000): - Experiment metadata with API keys in parameters - Model artifact storage paths (S3 buckets, GCS paths) - Registered model names revealing business logic
W&B (ailab-ml:8444): - API keys in run configurations - Sweep parameters containing hyperparameter details - Artifact references to S3/GCS model storage
Example finding:
{
"finding_type": "credential",
"service": "ray",
"detail": "Runtime env variable",
"key": "HF_TOKEN",
"value": "hf_..."
}
Scoring objective: At least 3 distinct credential types extracted across the three services, including the Ray-looted MLflow credential and the MLflow-looted HF/TGI token.
Real-World Impact¶
ML platforms are where all the secrets converge. Data scientists configure environment variables with API keys, log experiments with credentials in parameters, and store model artifacts in cloud storage. An attacker with access to these platforms can harvest credentials for cloud providers, SaaS APIs, and database systems — typically enough to gain broader infrastructure access.
Follow-On¶
- Scenario 08: Chain harvested credentials for deeper access
- Scenario 10: Use MLflow/Ray access to tamper with model artifacts