Pwnbox is a customized, online, parrot security linux distribution with many hacking tools pre-installed. You can use it to play in our labs without the need to install a local VM serving the same purpose.
VIP users have a limit of 24 hours per month to use their Pwnbox. This limit gets renewed with each month that you renew your VIP subscription.
Pwnboxes also have a lifetime of their own, once you spawn one, you can see its' remaining time in the panel.
If you're wondering about having the right tool, don't worry! Our custom-made parrot security distro comes equipped with a plethora of tools of the trade. Take a look below at the list:
BurpSuite, FoxyProxy, Wappalyzer, gobuster, dirb, dirbuster, SecLists, PayloadAllTheThings, LinuxPrivChecker, LinPeas, Sublime, PowerShell, Terminal, BloodHound, and the list goes on.
You can access the Pwnbox controls by clicking on the Connection Settings button to the right of your profile picture, at the top right of the page you're on.
This menu is accessible from any page so as to make navigation easier and to provide you with faster access to the tools you need to further your development.
After you land on the Pwnbox menu you will see the Hours Left counter at the top, followed by the connection settings below. The counter at the top refers to how many available hours of Pwnbox you have left. It is vital that after you've finished using any Pwnbox instance that you terminate it in order to save this time for later use.
You can proceed with selecting a Pwnbox Location based on the lowest latency reported for each of them. Afterwards you can proceed with selecting the VPN Access and the VPN Server fields that would benefit you the most in terms of latency.
It's now easier than ever to switch VPN servers mid-action on the same menu, so if you ever run into any connection problems further down the line, you can use the same page to switch to a different server.
If you want to learn more about these categories, feel free to read up on the article here.
After selecting your preferred servers, you can click the Start Pwnbox button to start the initialization process. After this is complete, you will be presented with a small preview of what is happening on the desktop of the Pwnbox you've spawned, together with the three available interactions:
- Open Desktop
Which will open a VNC connection through HTTPS to the box, similar to TeamViewer or other GUI-based remote connections.
Which will terminate the current Pwnbox instance. You should always use this after you've finished using your VM as it will save you some usage time for the future.
- Open SSH Terminal
Which will initialize a SSH connection from your local machine's terminal, where you will be prompted to accept the remote host's fingerprint and then enter your generated password.
Once the initialization sequence is complete, you will have a working instance of Pwnbox. As noted, please make sure you disconnect your VPN from any other locations before you attempt to initialize a VPN connection to HTB labs from Pwnbox.
Passwords and Spectators
During your Pwnbox interaction, you will need to have the randomly generated user password available in order to perform sudo actions and in order to connect through SSH.
In order to access this password for your current instance, you can click on the View Instance Details drop-down menu right below the Pwnbox stats section.
You can also have Spectators during your Pwnbox interaction. This can be useful for students or demos that you might want to perform in front of a live audience. In order to see the shareable Spectator Links, click on the icon next to the Instance Lifetime section of the Pwnbox menu.
Once you have everything set up and ready to go, let's assume you want to use the VNC connection to access the desktop environment of the Pwnbox instance.
Upon clicking the Open Desktop button, you will receive a popup page with a loading screen as the VNC connection initializes.
Your main tools, the PowerShell terminal and the Parrot terminal can be found at the top of the screen.
Next to these you can notice several other shortcuts and places such as your Applications, Places and System folders. On the right you have a network monitor display and your workspace controls, which you can use to switch between different desktop workspaces.
On the bottom taskbar, you have a few shortcuts. You can edit this menu with whatever else you prefer to use, but the defaults are Firefox, PyCharm, Postman, BurpSuite, Metasploit Framework and VSCodium.
Note that you have a useful clipboard utility at the bottom right. If you want to copy and paste output from the instance to your main OS, you can do so by selecting the text inside the instance that you want to copy, copying it and then clicking the clipboard icon at the bottom right. You will be able to find the text you copied inside and are now able to copy it again outside of the instance and paste it wherever, externally.
From here, you just have to follow the same steps as you would when attacking a Machine the usual way! Make sure an instance of the Machine you want to attack is spawned by visiting its page on this link and proceed to attack it relentlessly until it is conquered.
Tips and Tricks
You can access your personal data on the ~/Desktop/my_data folder and you have a dedicated user_init script for auto-backup.
The internet access has some limitations but we've allowed users to download new needed tools that the Pwnbox might not come equipped with.
Remember, all useful and popular wordlists are saved in the Useful Repos folder on the ~/Desktop/. (we also unzipped rockyou for you <3)
If you want to copy or download anything from the Pwnbox instance, you can use the scp command.
Remember, the 24 hour time allowance for all users is reset at the start of the month and leftover hours do not port over.
As mentioned before, don't forget to terminate your current Pwnbox instance after you're done interacting with it. In order to issue a termination, click on the Terminate button on the Pwnbox menu.