# MLflow
Enumerate and extract data from MLflow tracking servers.
## Overview

The `mlflow` module covers the full MLflow API surface: tracking metadata, experiment and run discovery, artifact inspection, model registry enumeration, model version correlation, bounded artifact reads, and a gated `tamper-proof` action that demonstrates write access.

The client uses GET requests for the model registry search endpoint (MLflow 2.x), with POST fallback for older versions. Health checks try the root path `/` first (MLflow 2.x returns `OK`), then `/health`.
## Subcommands

### Read-Only (no `--force-exploit` required)

| Subcommand | Description |
|---|---|
| `enum` | Tracking server metadata and version. Extracts sensitive params/tags from enumerated runs. |
| `experiments` | List experiments with run counts. |
| `runs` | List runs for a specific experiment. Produces additional High-severity findings when a run's `artifact_uri` or parameters expose remote storage URIs (e.g. S3, GCS, Snowflake) or other sensitive patterns. |
| `artifacts` | List the artifact tree for a run. |
| `registry` | List registered models. |
| `model-versions` | List versions for a registered model. |
| `model-artifacts` | List artifact paths for a specific model version. Extracts sensitive params/tags from the resolved run. |
| `download-artifact` | Download an artifact by path. |
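As an added illustration of the kind of check the `runs` and `enum` rows above describe (example code written for this page, not aipostex's own implementation), the function below scans one run record in the shape returned by MLflow's REST `runs/search` endpoint and flags remote storage URIs and credential-like parameter names. The URI schemes, key-name patterns and the sample run are constructed assumptions; the same logic is useful for auditing your own tracking server for leaked secrets.

```python
import re

# Constructed sample in the shape of one entry from MLflow's
# GET /api/2.0/mlflow/runs/search response (all values are made up).
SAMPLE_RUN = {
    "info": {"run_id": "run-1", "experiment_id": "7",
             "artifact_uri": "s3://ml-artifacts-bucket/7/run-1/artifacts"},
    "data": {
        "params": [
            {"key": "learning_rate", "value": "0.01"},
            {"key": "feature_store_uri", "value": "snowflake://acct.example/db"},
            {"key": "db_password", "value": "hunter2"},
        ],
        "tags": [{"key": "mlflow.user", "value": "alice"}],
    },
}

# Remote object-store / warehouse URI schemes worth flagging. The list is an
# assumption modelled on the examples the page gives (S3, GCS, Snowflake).
REMOTE_URI = re.compile(r"\b(s3|s3a|gs|snowflake|wasbs?|abfss?|hdfs)://\S+", re.I)
# Key names that usually carry credentials rather than hyperparameters.
SENSITIVE_KEY = re.compile(r"(password|passwd|secret|token|api[_-]?key|credential)", re.I)


def scan_run(run):
    """Return a list of (severity, location, detail) findings for one run."""
    findings = []
    info, data = run.get("info", {}), run.get("data", {})
    uri = info.get("artifact_uri", "")
    # Local stores ("./mlruns", "mlflow-artifacts:/...") do not match; remote ones do.
    if REMOTE_URI.search(uri):
        findings.append(("High", "artifact_uri", uri))
    for kind in ("params", "tags"):
        for kv in data.get(kind, []):
            key, value = kv.get("key", ""), str(kv.get("value", ""))
            if REMOTE_URI.search(value):
                findings.append(("High", f"{kind}.{key}", value))
            elif SENSITIVE_KEY.search(key):
                # Report the key but never echo the secret itself.
                findings.append(("High", f"{kind}.{key}", "<redacted>"))
    return findings


if __name__ == "__main__":
    for sev, where, detail in scan_run(SAMPLE_RUN):
        print(f"[{sev}] {where}: {detail}")
```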
### Gated (requires `--force-exploit`)

| Subcommand | Description |
|---|---|
| `tamper-proof` | Create a proof experiment, run, and parameter to demonstrate write access to the ML pipeline. |
## Flags

| Flag | Required | Description |
|---|---|---|
| `--target` | Yes | MLflow server URL (e.g., `http://127.0.0.1:5000`) |
| `--header` | No | Custom HTTP headers. Repeatable. |
| `--experiment` | For `experiments`, `runs` | Experiment name or ID |
| `--limit` | No | Maximum items to return |
| `--run-id` | For `artifacts`, `download-artifact` | Run ID to inspect |
| `--artifact-path` | For `download-artifact` | Artifact path to download |
| `--path-prefix` | For `artifacts` | Path prefix filter for artifact listing |
| `--model` | For `model-versions`, `model-artifacts` | Registered model name |
| `--version` | For `model-artifacts` | Model version number |
## Examples

```bash
# Enumerate server
./aipostex mlflow --target http://127.0.0.1:5000 enum

# List experiments
./aipostex mlflow --target http://127.0.0.1:5000 experiments --limit 5

# List runs for an experiment
./aipostex mlflow --target http://127.0.0.1:5000 runs --experiment demo --limit 5

# List artifacts for a run
./aipostex mlflow --target http://127.0.0.1:5000 artifacts --run-id run-1

# List registered models
./aipostex mlflow --target http://127.0.0.1:5000 registry

# List model versions
./aipostex mlflow --target http://127.0.0.1:5000 model-versions --model demo-model

# List artifacts for a model version
./aipostex mlflow --target http://127.0.0.1:5000 model-artifacts \
  --model demo-model --version 3

# Download a specific artifact
./aipostex mlflow --target http://127.0.0.1:5000 download-artifact \
  --run-id run-1 --artifact-path model/MLmodel

# Prove write access by creating experiment + run (gated)
./aipostex mlflow --target http://127.0.0.1:5000 tamper-proof --force-exploit
```
## Workflow Progression

```text
discover network (discovers MLflow on :5000)
→ mlflow enum (server metadata)
→ mlflow experiments (list experiments)
→ mlflow runs --experiment <name> (list runs)
→ mlflow artifacts --run-id <id> (browse artifact tree)
→ mlflow download-artifact --run-id <id> --artifact-path <path>
→ mlflow registry (list registered models)
→ mlflow model-versions --model <name>
→ mlflow model-artifacts --model <name> --version <v>
→ mlflow tamper-proof (prove write access, gated)
```
The module pivots from registry exposure into model-version correlation and artifact listing. The tamper-proof command at the end of the chain proves that an attacker can create experiments and inject data into the ML pipeline.