Unlimited file hosting platform with Pwndrop for Red teams on Debian serverTutorials
A complete guide on how create your own file hosting platform with Pwndrop on Debian 9
Pwndrop is a great tool which allows easy uploads and payloads hosting over HTTP and WebDAV. It is a self-deployable file hosting service which can be easily deployed on a Server.
Here at Fixwebnode, as part of our Server Support Services, we regularly help our customers to perform Installation tasks on their Servers.
In this context, we shall look into how to install Pwndrop on a Debian 9 Server.
More about Pwndrop?
Pwndrop helps users to transfer files securely to a Server over HTTP and WebDAV by bypassing the limitations of the server available through Python. It gives the user more options to manage files.
With its user friendly interface, file sharing is made easy in addition to lots of features.
Why Pwndrop is an exceptional tool?
Pwndrop is efficient and some of its features are listed below;
i. Pwndrop can be deployed on your own private Server, quickly and easily.
ii. It allows users to upload and share multiple files in a snap.
iii. Flexibility in its settings whether you want to make a file available or not for download as easy as possible.
iv. You can configure a custom download URLs meant for sharing files irrespective of the structure of the Server directories.
v. Setting up facade files is very easy instead of the original file.
vi. You can even modify MIME type of the shared file to change how it would appear on the browser as soon as download link is clicked.
vii. Setting up automatic redirects to spoof the shared file extension is possible.
viii. Files are served over HTTP, HTTPS and WebDAV.
ix. With a bash one-liner, you can install and set up any configuration.
x. You can also set up Pwndrop to act as a nameserver and resolve successfully as as valid DNS A record for any sub-domain you want to use.
How to install Pwndrop on Debian 9?
Pwndrop can be installed easily and you can integrate a domain to be used by this tool. To start with, get a fresh vps server (Debian 9 preferable) with no DNS, HTTP(S) or web server service running on it.
You can register a domain and set the DNS A record to match with the Server IP address or create an ns1, ns2 mapping to the Server IP address.
Next, log into your Server via an SSH tool such as putty and set the correct hostname with the fully qualified domain name (FQDN) of the domain for the server in the "/etc/hosts" file.
Now proceed with the installation of Pwndrop from its official source code repository on GitHub.
But first get GO language (Golang) which is an open source programming language meant to make building software efficiently, easily and more reliably. You can get it here https://golang.org/doc/install
To download it, choose the Linux version and ensure that you select the latest version.
Download the archive file and extract it into /usr/local, thereby creating a Go tree in /usr/local/go.
Su the command below;
$ tar -C /usr/local -xzf go1.15.3.linux-amd64.tar.gz
In most cases, you might get an error such as;
gzip: stdin: not in gzip format
tar: Child returned status 1 tar:
Error is not recoverable: exiting now
An alternative method of downloading and extracting this file is to do it manually which might take some time but it is fair enough.
Go language file is not in a .zip format, so it is advisable to first download the file to your local machine and then extract it before converting it into a zip format to be uploaded directly to the /usr/local directory of your server.
Once uploaded, you can use the command below to extract it in the server directory;
$ unzip -o filename.zip
Where "filename.zip" refers to the name of the zip file.
Next, add /usr/local/go/bin to the PATH environment variable of the server.
You can do this by adding the following line to your $HOME/.profile or /etc/profile (for a system-wide installation):
Alternatively, to set the path, use the command below to set Go’s root valve;
$ sudo nano ~/.profile
Once the file opens up, Add the following lines to the bottom of the file;
Now save this file and exit.
To commit the changes, run the following command;
$ source ~/.profile
Now, change directory to the home directory with the following command;
$ cd /home
Now rewrite permission to the current user, with the following command;
$ sudo chown -R $(whoami):root /usr/local/* \ && sudo chmod -R g+rwx /usr/local/*
Next you can build Pwndrop application from the official GitHub Source code with the following command;
$ sudo apt-get -y install git make
$ git clone https://github.com/kgretzky/pwndrop
$ cd pwndrop
$ make install
After the installation process, Pwndrop will be running.
Now initialize the application first by entering the following url as per your case to authorize your browser;
(this is a default value; make sure to use the secret path, you've pre-configured)
Where "yourdomain.com" is your domain name.
Then open the admin panel URL in your web browser like this;
Now you can create your admin account or login with your pre-configured information.
Once you log into the Admin panel, you will see a configuration menu where you can set the secret path to something other than /pwndrop.
On your ssh tool, you can use the following commands to administer Pwndrop;
usage: pwndrop [start|stop|install|remove|status] [-config <config_path>] [-debug] [-no-autocert] [-no-dns] [-h]
start : start the daemon
stop : stop the daemon
install : install the daemon using the available system manager (systemd, systemv and upstart supported)
remove : uninstall the daemon
status : check status of the installed daemon
-config : specify a custom path to a config file (def. 'pwndrop.ini' in same directory as the executable)
-debug : enable debug output
-no-autocert : disable automatic TLS certificate retrieval from LetsEncrypt; useful when you want to connect over IP or/and in a local network
-no-dns : do not run a DNS server on port 53 UDP; use this if you don't want to use pwndrop as a nameserver
-h : usage help
By default, a new configuration file pwndrop.ini will be created automatically in the same directory as the executable folder where you can modify or ass your our details. The configuration file looks like this;
listen_ip = "" # the external IP of your pwndrop instance (must be set if you want to use the nameserver feature)
http_port = 80 # listening port for HTTP and WebDAV
https_port = 443 # listening port for HTTPS
data_dir = "./data" # directory path where data storage will reside (relative paths are from executable directory path)
admin_dir = "./admin" # directory path where the admin panel files reside (relative paths are from executable directory path)
[setup] # optional: put in if you want to pre-configure pwndrop (section will be deleted from the config file on first run)
username = "admin" # username of the admin account
password = "secretpassword" # password of the admin account
redirect_url = "https://www.domain.com" # URL to which visitors will be redirected to if they supply a path, which doesn't point to any shared file (put blank if you want to return 404)
secret_path = "/pwndrop" # secret URL path, which upon visiting will allow your browser to access the login page of the admin panel (make sure to change the default value)
If you want to pre-configure your pwndrop instance before deployment using any of the installation scripts, put your configuration file at /usr/local/pwndrop/pwndrop.ini and it will be parsed the moment pwndrop daemon is first executed.
Need to install and configure Pwndrop on your Debian or Ubuntu Server? We are available to help you today.
Pwndrop installation on Debian Server This tutorial will guide you on how to install and configure Pwndrop which is a self-deployable file hosting service allowing to easily upload and download payloads over HTTP and WebDAV.