Docker-based suite includes a DNS server, HTTP router, web server, and pipeline runner
YesWeHack, Europe’s largest crowdsourced security platform, has launched a Docker-based pwning environment for bug bounty hunters.
The Pwning Machine is equipped with an “all-in-one, customizable, and extensible suite of tools” including a DNS server, HTTP router, web server, and pipeline runner, a blog post on the YesWeHack website has revealed.
Anyone can set up the Docker-based environment on a dedicated server in under 10 minutes, and the environment is easy to maintain, YesWeHack claims.
Released yesterday (July 16), the project was first unveiled during virtual hacking conference NahamCon2020 in June, as shown in the video below.
Bug bounty hunters now routinely use third-party services to conduct security testing.
“Setting up a DNS and a web server that can handle wildcard subdomains with HTTPS was always tedious. The beta testers really loved being able to spawn a new domain by simply creating a new folder,” Philippe Lucas (AKA Bitk), the developer of the project, tells The Daily Swig.
The Pwning Machine simplifies and accelerates the process of unearthing security vulnerabilities, which has become more complex with the advent of technologies such as containers and microservices in software development.
Finding and exploiting security flaws often relies on out-of-band exploitation of vulnerabilities, such as blind cross-site scripting (XSS) leading to admin panel takeover, server-side request forgery (SSRF) leading to domain controller takeover, and second-order remote code execution (RCE).
“With PwnMachine everything is set up for you, with a nice CLI to manage it all,” says Lucas. “You have all the backbone ready, you can now just add the services you need.”
The most common feedback he has received from early adopters is: “I always wanted to set up something like that with Docker but I was too lazy to do it properly.”
PowerDNS, Nginx, Traefik
The Pwning Machine features a PowerDNS server with a simple API, so DNS rules can be managed from a command line interface.
An Nginx server is also started, with logic that maps each incoming hostname to a directory on disk, which is what lets a new domain be spawned by creating a new folder.
Traefik, the open source reverse proxy and load balancer, handles SSL certificates and forwards incoming HTTP(S) traffic to the appropriate container.
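A minimal Nginx configuration for the hostname-to-folder mapping described above, written here as an illustration rather than taken from the Pwning Machine’s repository; the domain example.com, the /srv/sites path and the assumption that Traefik terminates TLS in front of this container are all placeholders.

```nginx
# Added illustration, not the Pwning Machine's own config. Assumptions:
# Traefik terminates TLS for *.example.com (a constructed domain) and
# forwards plain HTTP to this container; each site lives in a folder
# under /srv/sites/<subdomain>, so creating a folder "spawns" a host.
server {
    listen 80;

    # Capture only the first label, restricted to hostname-safe characters.
    # A looser pattern such as (.+) would let a crafted Host header push
    # $site (and therefore root) outside /srv/sites, so keep it tight.
    server_name ~^(?<site>[a-z0-9-]+)\.example\.com$;

    root /srv/sites/$site;
    index index.html;

    # One access log per site, so out-of-band callbacks are easy to review.
    access_log /var/log/nginx/$site.access.log;

    location / {
        try_files $uri $uri/ =404;
    }
}

# Requests for any hostname that does not match the pattern are dropped.
server {
    listen 80 default_server;
    server_name _;
    return 444;
}
```

A subdomain whose folder does not exist yet simply answers 404, while hostnames outside the pattern never reach a document root at all.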
The pipeline runner, meanwhile, allows bug hunters to run predefined task sequences directly on the server.
Security researchers can build complex sequences with small building blocks in order to sidestep the hassle of issuing repetitive command sequences – mirroring the functionality of GitLab’s CI pipeline.
Pwnage features in the pipeline
The next major feature in the pipeline will allow users to automate all recurring parts of the bug bounty process.
“If you always start your bug bounty with some DNS enumeration followed by some basic scanning and maybe some passive recon on the fetched asset for example,” says Lucas, “you will be able to put each step in a docker container and run it on your server. The output of the first container will be forwarded to the next one etc.
“You can see it as a shell interpreter with pipes where every command is a docker container.”
Lucas says that he also wants to add a feature allowing users to copy services made by other hackers directly from GitHub. “For example, if someone made a nice XXE service that will automatically generate a payload, DTD and FTP exfiltration server and chooses to publish it on GitHub, you will be able to add it to your machine with a simple ‘pm pull https://../xxe.git’.”
He’s also been in contact with the creator of Axiom with a view to giving researchers the option of using the Pwning Machine as a back-end for Axiom instead of DigitalOcean.
Fork, develop, amend
YesWeHack is encouraging its hacker community to contribute to ongoing improvements to the self-hosting solution.
“This project, while functional and effective, still is at an early stage,” says YesWeHack. Ethical hackers are invited “to fork, develop, and amend the codebase on the project GitHub”.
Lucas said it’s still too early in development to consider launching a bug bounty program for the Pwning Machine but “every recommendation or pull request to improve the security of the pwning-machine is more than welcome” in the meantime.
Installation requirements and instructions can be found on GitHub.
“While the installation is super simple you still need to have a server ready and a domain name. It's not something you can test in an instant,” says Lucas.
“I will also publish all the services I'm using on my own box. This will give other hackers a better understanding of the capabilities of the pwning-machine.”
This article was updated on July 17 with comments from Philippe Lucas, the developer of the Pwning Machine.