MLflow

Enumerate and extract data from MLflow tracking servers.

Overview

The mlflow module covers the full MLflow API surface: tracking metadata, experiment and run discovery, artifact inspection, model registry enumeration, model version correlation, bounded artifact reads, and a gated tamper-proof action that demonstrates write access.

The client uses GET requests for the model registry search endpoint (MLflow 2.x), with POST fallback for older versions. Health checks try the root path / first (MLflow 2.x returns "OK"), then /health.

Subcommands

Read-Only (no --force-exploit required)

| Subcommand | Description |
| --- | --- |
| enum | Tracking server metadata and version. Extracts sensitive params/tags from enumerated runs. |
| experiments | List experiments with run counts. |
| runs | List runs for a specific experiment. Produces additional High-severity findings when a run's artifact_uri or parameters expose remote storage URIs (e.g. S3, GCS, Snowflake) or other sensitive patterns. |
| artifacts | List the artifact tree for a run. |
| registry | List registered models. |
| model-versions | List versions for a registered model. |
| model-artifacts | List artifact paths for a specific model version. Extracts sensitive params/tags from the resolved run. |
| download-artifact | Download an artifact by path. |

Gated (requires --force-exploit)

| Subcommand | Description |
| --- | --- |
| tamper-proof | Create a proof experiment, run, and parameter to demonstrate write access to the ML pipeline. |

Flags

| Flag | Required | Description |
| --- | --- | --- |
| --target | Yes | MLflow server URL (e.g., http://127.0.0.1:5000) |
| --header | No | Custom HTTP headers. Repeatable. |
| --experiment | For experiments, runs | Experiment name or ID |
| --limit | No | Maximum items to return |
| --run-id | For artifacts, download-artifact | Run ID to inspect |
| --artifact-path | For download-artifact | Artifact path to download |
| --path-prefix | For artifacts | Path prefix filter for artifact listing |
| --model | For model-versions, model-artifacts | Registered model name |
| --version | For model-artifacts | Model version number |

Examples

# Enumerate server
./aipostex mlflow --target http://127.0.0.1:5000 enum

# List experiments
./aipostex mlflow --target http://127.0.0.1:5000 experiments --limit 5

# List runs for an experiment
./aipostex mlflow --target http://127.0.0.1:5000 runs --experiment demo --limit 5

# List artifacts for a run
./aipostex mlflow --target http://127.0.0.1:5000 artifacts --run-id run-1

# List registered models
./aipostex mlflow --target http://127.0.0.1:5000 registry

# List model versions
./aipostex mlflow --target http://127.0.0.1:5000 model-versions --model demo-model

# List artifacts for a model version
./aipostex mlflow --target http://127.0.0.1:5000 model-artifacts \
  --model demo-model --version 3

# Download a specific artifact
./aipostex mlflow --target http://127.0.0.1:5000 download-artifact \
  --run-id run-1 --artifact-path model/MLmodel

# Prove write access by creating experiment + run (gated)
./aipostex mlflow --target http://127.0.0.1:5000 tamper-proof --force-exploit

Workflow Progression

discover network (discovers MLflow on :5000)
  → mlflow enum (server metadata)
    → mlflow experiments (list experiments)
      → mlflow runs --experiment <name> (list runs)
        → mlflow artifacts --run-id <id> (browse artifact tree)
          → mlflow download-artifact --run-id <id> --artifact-path <path>
    → mlflow registry (list registered models)
      → mlflow model-versions --model <name>
        → mlflow model-artifacts --model <name> --version <v>
  → mlflow tamper-proof (prove write access, gated)

The module pivots from registry exposure into model-version correlation and artifact listing. The tamper-proof command at the end of the chain proves that an attacker can create experiments and inject data into the ML pipeline.
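As an added defender-side example (not part of aipostex or of MLflow), the following Python detector reads tracking-server access log lines and flags the chain above from the server's point of view: broad read enumeration followed by an artifact download, and successful POSTs to the create/log-parameter endpoints that a tamper-proof step needs. The log lines are constructed, and the endpoint paths are the standard MLflow 2.x REST routes, which this page does not list and are therefore an assumption.

```python
import re
from collections import defaultdict

# Constructed gunicorn-style access log lines (not real server output): 10.0.0.7 walks
# the read chain, downloads an artifact, then hits the write endpoints; 10.0.0.9 only lists.
SAMPLE_LOG = """\
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /api/2.0/mlflow/experiments/search?max_results=5 HTTP/1.1" 200 812
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /api/2.0/mlflow/registered-models/search HTTP/1.1" 200 930
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /api/2.0/mlflow/artifacts/list?run_id=run-1 HTTP/1.1" 200 640
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /get-artifact?path=model%2FMLmodel&run_uuid=run-1 HTTP/1.1" 200 1201
10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "POST /api/2.0/mlflow/experiments/create HTTP/1.1" 200 40
10.0.0.7 - - [01/Jan/2024:10:00:06 +0000] "POST /api/2.0/mlflow/runs/create HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:07 +0000] "POST /api/2.0/mlflow/runs/log-parameter HTTP/1.1" 200 2
10.0.0.9 - - [01/Jan/2024:10:05:00 +0000] "GET /api/2.0/mlflow/experiments/search HTTP/1.1" 200 812
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
# Standard MLflow 2.x REST routes (assumed, not from this page): read routes vs. write routes.
ENUM_RE = re.compile(r"^/api/2\.0/mlflow/(experiments/(search|list)|runs/search|registered-models/(search|list)|model-versions/search|artifacts/list)$")
WRITE_RE = re.compile(r"^/api/2\.0/mlflow/(experiments/create|runs/create|runs/log-parameter)$")

def classify(method, path):
    """Return 'write', 'enum', 'download' or None for one request."""
    route = path.split("?", 1)[0]
    if method == "POST" and WRITE_RE.match(route):
        return "write"
    if ENUM_RE.match(route):
        return "enum"
    return "download" if route == "/get-artifact" else None

def analyze(log_text):
    """Per-client findings; only 2xx responses count, a rejected call is not access."""
    seen = defaultdict(lambda: {"enum": set(), "download": set(), "write": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue
        kind = classify(m["method"], m["path"])
        if kind:
            seen[m["ip"]][kind].add(m["path"].split("?", 1)[0])
    findings = {}
    for ip, s in seen.items():
        hits = []
        if len(s["enum"]) >= 3 and s["download"]:
            hits.append("medium: broad enumeration followed by artifact download")
        if s["write"]:
            hits.append("high: successful writes to " + ", ".join(sorted(s["write"])))
        if hits:
            findings[ip] = hits
    return findings
```

Feeding `analyze` a real access log shows which clients reached the write endpoints without being rejected, which is the condition a tamper-proof run relies on; a server that enforces authentication should show those POSTs with 401/403 instead.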