Skip to content

Filesystem Artifacts

All filesystem artifacts are planted on ailab-dev (172.16.50.10) under /home/devuser/ by the seed-filesystem.sh script. They simulate a developer who has been experimenting with AI tools for months — API keys in .env files, MCP configs for three different IDEs, cached cloud credentials, training data from corporate documents, and shell history recording it all.


Directory Tree

/home/devuser/
├── .aws/credentials                              # 2 profiles: default + bedrock-dev
├── .aws/config                                   # region config
├── .bash_history                                 # AI-related commands with keys
├── .python_history                               # Interactive sessions with API keys
├── .cache/huggingface/token                      # cached HF login token
├── .config/
│   ├── Claude/claude_desktop_config.json         # 5 MCP servers with embedded creds
│   └── gcloud/application_default_credentials.json
├── .cursor/mcp.json                              # Cursor MCP config (sqlite + brave search)
├── .jupyter/jupyter_lab_config.py                # real config with token=''
├── .ollama/                                      # present because user ran ollama manually too
├── projects/
│   ├── chatbot-prototype/
│   │   ├── .env                                  # OpenAI, Anthropic, Pinecone, DB, Redis keys
│   │   ├── .env.example                          # placeholder values (noise)
│   │   ├── .git/config                           # GitHub PAT in remote URL
│   │   ├── .vscode/settings.json                 # VS Code MCP config
│   │   ├── config.py                             # LangChain config pointing to 172.16.50.20
│   │   ├── Modelfile                             # left behind from ollama create
│   │   ├── README.md                             # benign project readme (noise)
│   │   └── requirements.txt                      # benign deps list (noise)
│   ├── fine-tune-experiment/
│   │   ├── .env                                  # HF token, W&B key, Cohere key
│   │   └── data/
│   │       ├── training.jsonl                    # Corporate Q&A training data
│   │       └── eval.jsonl                        # Eval data with exec names
│   ├── rag-pipeline/
│   │   └── .env                                  # OpenAI key, Mistral, Groq, ChromaDB host
│   ├── acme-support-bot/
│   │   └── Modelfile                             # the support model's Modelfile
│   ├── gradio-chat/
│   │   └── app.py                                # Gradio chatbot source
│   └── internal-tools/
│       ├── mcp-server/server.py                  # The vulnerable MCP server source
│       └── summarizer.py                         # Hardcoded Anthropic key inline
└── notebooks/
    └── rag-prototype.ipynb                       # Jupyter notebook with API keys

Artifact Inventory

API Keys in .env Files

Category Location Key Data
OpenAI API Key projects/chatbot-prototype/.env sk-proj-FAKE1234567890abcdefghijklmnop
Anthropic API Key projects/chatbot-prototype/.env sk-ant-FAKE-abcdefghijklmnop1234567890
Pinecone API Key projects/chatbot-prototype/.env pcsk_FAKE_abcdef123456
Database URL projects/chatbot-prototype/.env postgresql://chatbot:Ch4tb0tPwd!@db-dev-01.acme.internal:5432/chatbot_dev
Redis URL projects/chatbot-prototype/.env redis://cache-01.acme.internal:6379/0
LangChain API Key projects/chatbot-prototype/.env ls__FAKE_langchain_key_abcdef123456
HuggingFace Token projects/fine-tune-experiment/.env hf_FAKE_aBcDeFgHiJkLmNoPqRsTuVwXyZ123
W&B API Key projects/fine-tune-experiment/.env FAKE_wandb_key_1234567890abcdef
Cohere API Key projects/fine-tune-experiment/.env FAKE_cohere_api_key_abcdefghijk
OpenAI Key (RAG) projects/rag-pipeline/.env sk-proj-FAKE-rag-pipeline-key-9876543210
Mistral API Key projects/rag-pipeline/.env FAKE_mistral_api_key_1234567890abc
Groq API Key projects/rag-pipeline/.env gsk_FAKE_groq_key_abcdefghijklmnopqrstuvwx

MCP Configurations

Category Location Key Data
Claude Desktop MCP .config/Claude/claude_desktop_config.json 5 servers: filesystem (broad path access), postgres (McpR3ad3r!), github (PAT ghp_FAKE...), slack (bot token xoxb-FAKE...), jira (API token ATATT3x...)
Cursor MCP .cursor/mcp.json 2 servers: sqlite (local DB path), brave search (API key BSA_FAKE...)
VS Code MCP projects/chatbot-prototype/.vscode/settings.json 2 servers: sqlite (local DB), postgres (D3vUs3r!)

Cloud Credentials

Category Location Key Data
AWS Credentials (default) .aws/credentials AKIAFAKEKEY1234567890 / FAKE+SecretKey/...
AWS Credentials (bedrock-dev) .aws/credentials AKIAFAKEBEDROCK12345 / FAKE+BedrockSecret/...
GCP Credentials .config/gcloud/application_default_credentials.json client_id, client_secret, refresh_token (authorized_user type)
HuggingFace Cache .cache/huggingface/token hf_FAKE_CachedTokenFromLogin_aBcDeFgHiJkLmNoPqRs

Training Data

Category Location Key Data
Training JSONL projects/fine-tune-experiment/data/training.jsonl Corporate Q&A: VPN creds (svc-vpn-mon / VpnM0n1t0r!ng2024), Q3 revenue ($42.3M CONFIDENTIAL), DB creds (bi_reader / B1R3ader!Pr0d), AWS accounts, exec contacts
Eval JSONL projects/fine-tune-experiment/data/eval.jsonl Executive names and titles, PagerDuty phone tree

Application Configs

Category Location Key Data
LangChain Config projects/chatbot-prototype/config.py Points to ChromaDB at 172.16.50.20:8000, DB creds readonly:R3ad0nly!
Hardcoded API Key projects/internal-tools/summarizer.py Anthropic key inline: sk-ant-FAKE-inline-key-abcdef123456
Git PAT projects/chatbot-prototype/.git/config GitHub PAT in remote URL: ghp_FAKE1234567890abcdefghijklmnopqrstuv

Service Configs

Category Location Key Data
Jupyter Config .jupyter/jupyter_lab_config.py token='', ip='0.0.0.0' — confirms no authentication
Modelfile (assistant) projects/chatbot-prototype/Modelfile System prompt with PostgreSQL, JWT, Jira, SharePoint, AWS, Slack, PagerDuty, Okta creds
Modelfile (support) projects/acme-support-bot/Modelfile System prompt with CRM API key, ticket API key, manager override, bearer token

Shell History

Category Location Key Data
Bash History .bash_history export OPENAI_API_KEY=sk-proj-FAKE..., curl to ChromaDB on 172.16.50.20, git clone with PAT, ollama commands
Python History .python_history openai.api_key = "sk-proj-FAKE...", anthropic.Anthropic(api_key=...), ChromaDB client connections to 172.16.50.20

Noise Files

Category Location Purpose
.env.example projects/chatbot-prototype/.env.example Placeholder values (YOUR_OPENAI_KEY_HERE) — not real credentials
requirements.txt projects/chatbot-prototype/requirements.txt Benign dependency list
README.md projects/chatbot-prototype/README.md Standard project readme

Seed Script

seed-filesystem.sh creates all of the above in a single run. It executes as root (or sudo) on ailab-dev and sets ownership to devuser:

sudo bash seed-filesystem.sh [base_path]  # default: /home/devuser

The script is idempotent — running it again overwrites all artifacts to their expected state.


Cross-Host References

Several filesystem artifacts reference other lab hosts, demonstrating interconnected risk:

  • config.py points to ChromaDB at 172.16.50.20:8000
  • .bash_history contains curl commands to 172.16.50.20 and ssh to labadmin@172.16.50.20
  • .python_history creates a ChromaDB client connected to 172.16.50.20
  • training.jsonl references internal hostnames (db-prod-01.acme.internal, vpn.acme.corp)
  • .env files in rag-pipeline/ set CHROMA_HOST=172.16.50.20

When aipostex scans the dev workstation's filesystem, these references reveal the attack surface of the ML platform before it's even scanned.