Pwndrop - Self-hosting payloads

Jul 24, 2020 by Alexandre Croix | 3039 views

Pentesting

https://cylab.be/blog/88/pwndrop-self-hosting-payloads

A tedious step for all red-teamers is set up a system to upload payloads on the victim's machine. Kuba Gretzky, the author of Evilginx, released a nice tool to simplify this task.

Pwndrop is a self-deployable file hosting service allowing to easily upload and download payloads over HTTP and WebDAV.

In practice, you have to deploy the tool on a small server or a VPS, register a domain name for your server, and... that's it. You are ready to upload your payloads.

Installation

Set up Pwndrop is very easy. Only a few steps are required: you have to deploy a server (the smallest VPS on DigitalOcean is perfect), install Pwndrop on it and register a domain name.

In this example, we deployed a VPS with the public IP address: 161.35.19.86. We used a free domain name provider: Freenom.com. We registered cylab.ga domain and added a A type DNS record.

We are now ready to install Pwndrop on the server. The installation is straightforward. On your server, run the following commands:

wget https://github.com/kgretzky/pwndrop/releases/download/1.0.1/pwndrop-linux-amd64.tar.gz
tar zxvf pwndrop-linux-amd64.tar.gz
./pwndrop stop
./pwndrop install
./pwndrop start
./pwndrop status

There is only one more step for the configuration: add the IP address of your server in the pwndrop.ini file.

cd /usr/local/pwndrop
nano pwndrop.ini

The file content should looks like:

[pwndrop]
data_dir   = /usr/local/pwndrop/data
admin_dir  = /usr/local/pwndrop/admin
listen_ip  = 161.35.19.86
http_port  = 80
https_port = 443

Usage

Pwndrop is a plug and play tool. No complex configuration is required. You can access the tool with the URL: https://cylab.ga/pwndrop. You have to create an account on this page.

After that, it is possible to upload your payloads or your files.

Pwndrop provides several very interesting features that are available in the settings window.

  • Name is a friendly name for the admin.
  • Path is the URL shared to download the file. The path can be whatever you want.
  • Redirect Path is the URL path which the request will be redirected to. It can be very useful to spoof a file extension.
  • MIME-Type is metadata linked to a file. An Internet browser will use the MIME to know how to process a downloaded file. Firefox, for example, will automatically open a PDF file if the MIME-type is application/pdf. This feature is very interesting to perform MIME-type confusion exploits.

Below all these fields, there is a place to upload a facade file. The facade file will be downloaded instead of the real payload file if the facade mode is enabled. It is also possible to specify a MIME-type for the facade file.

The following figure is a complete example completely configured.

The facade file is facade.pdf and its MIME-type is pdf. That means Firefox or Chrome will automatically open the file when the user will click on the link https://cylab.ga/files/facade.pdf if the facade mode is enabled.

If the facade mode is disabled, the URL will be redirected to https://cylab.ga/files/facade.pdf.exe that is an exe file. The browser will execute the executable file when the user will click on the link.

Features

The tool has some very nice features:

  • Pwndrop retrieves automatically TLS certificates from LetsEncrypt
  • The admin panel is hidden thanks to a secret URL. Any wrong URL attempts will redirect the user to another chosen URL.
  • Admin panel is protected by a password.
  • A cookie is used to keep access to the admin panel without use the secret URL each time you want to connect to your Pwndrop server.

Conclusions

Like the great Evilginx, Pwndrop is a very cool tool. It is easy to use, no complex configuration and can be very useful! Kuba Gretzky will continue to upgrade his tool with some other features like password protection, a download file counter or a download tracker!

This blog post is licensed under CC BY-SA 4.0

Kali Linux and Parrot Sec OS, Penetration Environment Comparison
For years, hackers have been the main characters of movies, books and generally have captured the imagination of regular folks. When we see these hackers use the tools of their trade, we usually see a black screen with green text flashing as fast as possible on the screen, lost in commands and bright flashing lights. This can't be any further from reality, as most hackers will spend hours and days on end to accomplish their tasks, usually staring at a screen, using their programs of choice.
Mar 8, 2022 | 2967 views
New ways to run Kali Linux on Windows using WSL
Some time ago I wrote a blog about Installing Linux Bash Shell (and Metasploit) on Windows 10. This is great, when we want to enjoy the best of both worlds- keep using Windows, with its out-of-the-box configuration and set-up, and still be able to use the powerful tools available for the Linux distribution. In my previous blog I went through the steps necessary for setting up WSL and installing an Ubuntu and Kali Linux distribution. Since then, a lot of advancements have been made to facilitate the use of these distributions for Windows Users.
Nov 19, 2021 | 3180 views
Password guessing with Hydra
A password is like a "key" used to open a specific door or vault. In this vault, there can be different personal documents, pictures, banking information... It is obvious that a user wants its personal documents secure. If the "key", therefore the password, is easy to find, the vault can be as strong as you want, it will be easy to open it.
Oct 21, 2020 | 14318 views
This website uses cookies. More information about the use of cookies is available in the cookies policy.
Accept