Pwnbox is a customized, online Parrot Security Linux distribution with many hacking tools pre-installed. You can use it to play in our labs without installing a local VM serving the same purpose.
On the Main Platform:
Free Users have a single two hour session of Pwnbox available for the life of their account, as a way to test out it's features. Free users also have limited internet access, with only our own target systems and GitHub being allowed.
VIP users have a limit of 24 hours per month to use their Pwnbox. This limit gets renewed with each month that you renew your VIP Subscription.
VIP+ users have unlimited use of Pwnbox.
Pwnboxes also have a lifetime of their own. Once you spawn one, you can see its remaining time in the panel.
The above is applicable to the Main Platform only. For more information about the limitations of Pwnbox in the context of HTB Academy, see here.
If you're wondering about having the right tool, don't worry! Our custom-made parrot security distro comes equipped with a plethora of tools of the trade. Take a look below at the list:
BurpSuite, FoxyProxy, Wappalyzer, gobuster, dirb, dirbuster, SecLists, PayloadAllTheThings, LinuxPrivChecker, LinPeas, Sublime, PowerShell, Terminal, BloodHound, and the list goes on.
You can access the Pwnbox controls by clicking on the Connection Settings button to the right of your profile picture, at the top right of the page you're on.
This menu is accessible from any page to make navigation easier and provide you with faster access to the tools you need to further your development.
After you land on the Pwnbox menu, you will see the Hours Left counter at the top, followed by the connection settings below. The counter at the top refers to how many available hours of Pwnbox you have left. After you've finished using any Pwnbox instance, it is vital that you terminate it to save this time for later use.
You can proceed with selecting a Pwnbox Location based on the lowest latency reported for each of them. Afterward, you can proceed with selecting the VPN Access and the VPN Server fields that would benefit you the most in terms of latency.
It's now easier than ever to switch VPN servers mid-action on the same menu, so if you ever run into any connection problems further down the line, you can use the same page to switch to a different server.
If you want to learn more about these categories, we have an article explaining Lab Access in greater depth.
Click the button below to learn more about Lab Access:
After selecting your preferred servers, you can click the Start Pwnbox button to start the initialization process. After this is complete, you will be presented with a small preview of what is happening on the desktop of the Pwnbox you've spawned, together with the three available interactions:
Which will open a VNC connection through HTTPS to the box, similar to TeamViewer or other GUI-based remote connections.
Which will terminate the current Pwnbox instance. It would be best if you always used this after you've finished using your VM as it will save you some usage time for the future.
Open SSH Terminal
Which will initialize an SSH connection from your local machine's terminal, where you will be prompted to accept the remote host's fingerprint and then enter your generated password.
Once the initialization sequence is complete, you will have a working instance of Pwnbox. As noted, please make sure you disconnect your VPN from any other locations before you attempt to initialize a VPN connection to HTB labs from Pwnbox.
Terminating Active Instances
Please note that you will not be able to spawn Pwnbox if you already have an instance of a Box running. You must terminate any Box Instances you have and start Pwnbox before spawning a Box.
If you already have a Box running when you go to spawn Pwnbox, you will be met with the following:
You can see which Box you have currently running, and consequently terminate it, by checking the top-left of the website.
Passwords and Spectators
During your Pwnbox interaction, you will need to have the randomly generated user password available to perform sudo actions and connect through SSH.
To access this password for your current instance, you can click on the View Instance Details drop-down menu right below the Pwnbox stats section.
You can also have Spectators during your Pwnbox interaction. This can be useful for students or demos you might want to perform in front of a live audience. To see the shareable Spectator Links, click on the icon next to the Instance Lifetime section of the Pwnbox menu.
You can also find your sudo credentials on the desktop in the
Once you have everything set up and ready to go, let's assume you want to use the VNC connection to access the desktop environment of the Pwnbox instance.
Upon clicking the Open Desktop button, you will receive a popup page with a loading screen as the VNC connection initializes.
You can find your main tools, the PowerShell terminal, and the Parrot terminal at the top of the screen.
Next to these, you can notice several other shortcuts and places such as your Applications, Places, and System folders. You have a network monitor display and your workspace controls on the right, which you can use to switch between different desktop workspaces.
On the bottom taskbar, you have a few shortcuts. You can edit this menu with whatever else you prefer to use, but the defaults are Firefox, PyCharm, Postman, BurpSuite, Metasploit Framework, and VSCodium.
Note that you have a useful clipboard utility at the bottom right. If you want to copy and paste the output from the instance to your main OS, you can do so by selecting the text inside the instance you want to copy, copying it, and then clicking the clipboard icon at the bottom right. You will be able to find the text you copied inside and can now copy it again outside of the instance and paste it wherever, externally.
From here, you have to follow the same steps you would when attacking a Box the usual way! Make sure an instance of the Box you want to attack is spawned by visiting its page on this link and proceed to attack it relentlessly until it is conquered.
Tips and Tricks
You can access your personal data on the ~/Desktop/my_data folder, and you have a dedicated user_init script for auto-backup.
If you want to copy or download anything from the Pwnbox instance, you can use SCP or SFTP.
Remember, the 24 hour time allowance for VIP users is reset at the start of the month, and leftover hours do not port over.
As mentioned before, don't forget to terminate your current Pwnbox instance after you're done interacting with it. To issue a termination, click on the Terminate button on the Pwnbox menu.