pwndrop: Self-deployable File Hosting Service

Pwndrop is a self-deployable file hosting service specially developed for red teamers allowing them to easily upload and transfer payloads over HTTP and WebDAV.

Pwndrop: Self-hosting Your Red Team Payloads

This very useful tool allows the user to securely and quickly transfer files onto a VPS (Virtual Private Server) over HTTP and WebDAV. It lets the user bypass the limitations of the default HTTP server that ships with Python and gives them many more options. With a user-friendly GUI, the user simply drags and drops to upload files. The main objective of pwndrop is to make file sharing as simple and easy as possible, while giving the user extra features to aid in red team assessments.

Source: Pwndrop (breakdev.org)

Features:

  • Using your own private VPS (Virtual Private Server) upload and quickly share multiple files
  • Decide to make files available or unavailable for download with a single click
  • Set up custom download URLs, for shared files, without playing with directory structure
  • Set up facade files, which will be served instead of the original file whenever you feel like it
  • Change MIME type of the served file to change browser’s behavior when a download link is clicked
  • Set up automatic redirects to spoof the file’s extension in a shared link
  • Serve files over HTTP, HTTPS and WebDAV
  • Install and set up everything using a bash one-liner
  • Set up pwndrop to work as a nameserver and respond with a valid DNS A record to any sub-domain you choose

Supported Platforms:

  • Linux
  • Windows

Requirements:

  • Go 1.13+
  • Curl
  • Registered domain (recommended but optional)
  • Server with at least 512 MB RAM (recommended but optional)
Note: If you want to use pwndrop without a domain, you’ll need to set up a local instance, which won’t automatically generate HTTPS certs.

Install

Important: Make sure there aren’t any DNS or HTTP(S) servers running before you attempt to install it.

Option 1

Run the following command:

$ curl https://raw.githubusercontent.com/kgretzky/pwndrop/master/install_linux.sh | sudo bash

Option 2

Download the latest release archive, then run:

$ tar zxvf pwndrop-linux-amd64.tar.gz
$ ./pwndrop stop
$ ./pwndrop install
$ ./pwndrop start
$ ./pwndrop status

Option 3

First install the latest version of Go, then run the following commands:

$ git clone https://github.com/kgretzky/pwndrop
$ cd pwndrop
$ make
$ make install

Usage

For the quickstart, you can run pwndrop from CLI:

usage: pwndrop [start|stop|install|remove|status] [-config ] [-debug] [-no-autocert] [-no-dns] [-h]

daemon management:
    start           : start the daemon
    stop            : stop the daemon
    install         : install the daemon using the available system manager (systemd, systemv and upstart supported)
    remove          : uninstall the daemon
    status          : check status of the installed daemon

parameters:
    -config         : specify a custom path to a config file (def. 'pwndrop.ini' in same directory as the executable)
    -debug          : enable debug output 
    -no-autocert    : disable automatic TLS certificate retrieval from LetsEncrypt; useful when you want to connect over IP or/and in a local network
    -no-dns         : do not run a DNS server on port 53 UDP; use this if you don't want to use pwndrop as a nameserver
    -h              : usage help

If you want to install pwndrop as a daemon, here are the steps:

  1. Make sure that pwndrop is running
  2. Open the secret URL to authorize your browser: https://yourdomain.com/pwndrop
  3. Open the admin panel URL in your browser: https://yourdomain.com/
  4. Create your admin account or log in
  5. Don’t forget to change the secret path by clicking the conf cog

Configuration

Note: If you want to pre-configure pwndrop before launching, just put your config file at /usr/local/pwndrop/pwndrop.ini and it will be parsed once the pwndrop daemon is executed.

Once launched, pwndrop will create a config file in the same directory as the executable, and you’ll be able to modify it as you wish. Here is an example config file:

[pwndrop]
listen_ip = "190.33.86.22"                  # the external IP of your pwndrop instance (must be set if you want to use the nameserver feature)
http_port = 80                              # listening port for HTTP and WebDAV
https_port = 443                            # listening port for HTTPS
data_dir = "./data"                         # directory path where data storage will reside (relative paths are from executable directory path)
admin_dir = "./admin"                       # directory path where the admin panel files reside (relative paths are from executable directory path)

[setup]                                     # optional: put in if you want to pre-configure pwndrop (section will be deleted from the config file on first run)
username = "admin"                          # username of the admin account
password = "secretpassword"                 # password of the admin account
redirect_url = "https://www.somedomain.com" # URL to which visitors will be redirected to if they supply a path, which doesn't point to any shared file (put blank if you want to return 404)
secret_path = "/pwndrop"                    # secret URL path, which upon visiting will allow your browser to access the login page of the admin panel (make sure to change the default value)
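As an added example that is not part of the original page or of the pwndrop project, here is a small Go checker for a pwndrop.ini laid out like the one above. Before first launch it flags the two values the page says must be changed (the default secret_path and the example admin password) and a missing listen_ip, which the nameserver feature requires; the parser, the checks and the sample config are all constructed here, not the project's own config loader.

```go
package main

import ("fmt"; "strings")
// Constructed sample modelled on the example pwndrop.ini on this page (illustration, not the project's own loader).
const sampleINI = `[pwndrop]
listen_ip = ""                 # left empty on purpose for the audit
http_port = 80
[setup]                        # optional pre-configuration section
password = "secretpassword"    # example value from the docs
secret_path = "/pwndrop"       # default secret path
`
// cleanValue strips surrounding double quotes or, for unquoted values, a trailing '#' comment.
func cleanValue(v string) string {
	v = strings.TrimSpace(v)
	if len(v) > 1 && v[0] == '"' {
		if end := strings.IndexByte(v[1:], '"'); end >= 0 {
			return v[1 : end+1] // a '#' inside the quotes (e.g. in a password) is kept
		}
	}
	return strings.TrimSpace(strings.SplitN(v, "#", 2)[0])
}
// ParseINI is a minimal reader for the [section] / key = value layout pwndrop uses.
func ParseINI(src string) map[string]map[string]string {
	cfg, section := map[string]map[string]string{}, ""
	for _, raw := range strings.Split(src, "\n") {
		line := strings.TrimSpace(raw)
		if j := strings.IndexByte(line, ']'); strings.HasPrefix(line, "[") && j > 1 {
			section = line[1:j]
			cfg[section] = map[string]string{}
		} else if kv := strings.SplitN(line, "=", 2); len(kv) == 2 && section != "" && line[0] != '#' {
			cfg[section][strings.TrimSpace(kv[0])] = cleanValue(kv[1])
		}
	}
	return cfg
}
// AuditConfig flags values the page says must be changed before exposing the service.
func AuditConfig(cfg map[string]map[string]string) (findings []string) {
	if p := cfg["setup"]["secret_path"]; p == "" || p == "/pwndrop" {
		findings = append(findings, "secret_path is unset or still the default /pwndrop")
	}
	if cfg["setup"]["password"] == "secretpassword" {
		findings = append(findings, "admin password is the documentation example value")
	}
	if cfg["pwndrop"]["listen_ip"] == "" {
		findings = append(findings, "listen_ip is unset, so the nameserver feature cannot work")
	}
	return findings
}
func main() { fmt.Println(AuditConfig(ParseINI(sampleINI))) }
```

Because the [setup] section is deleted on first run, run the check against the file you place at /usr/local/pwndrop/pwndrop.ini before starting the daemon.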