practisec/pwnedhub

PwnedHub is a vulnerable application designed exclusively for PractiSec training courses. PwnedHub contains intentional vulnerabilities and should never be exposed to the open Internet. This software is NOT Open Source in a traditional sense. See the LICENSE.txt file for more information.

Requirements

  • Docker

Installation and Usage

  1. Install Docker Desktop.

  2. Clone the PwnedHub repository.

    $ git clone https://github.com/lanmaster53/pwnedhub.git
    
  3. Change into the PwnedHub directory.

    $ cd pwnedhub
    
  4. Build the PwnedHub Docker images.

    docker compose build
    
  5. Launch the PwnedHub environment using Docker Compose.

    docker compose up
    
    • To launch as a daemon (no terminal logging), add the -d switch.

  6. Modify the hosts file to create the following records:

    127.0.0.1   www.pwnedhub.com
    127.0.0.1   sso.pwnedhub.com
    127.0.0.1   test.pwnedhub.com
    127.0.0.1   api.pwnedhub.com
    127.0.0.1   admin.pwnedhub.com
    
  7. Access the various target applications and interfaces:

  8. When done using PwnedHub, shut down the Docker environment with the following command:

    docker compose down
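
A quick way to confirm step 6 took effect is to audit the hosts file for the five records. The function below is an added example, not part of the PwnedHub repository; the function name and the output format are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the PwnedHub repository): audit a hosts file for
# the five records listed in step 6 of the installation procedure.

PWNEDHUB_HOSTS="www.pwnedhub.com sso.pwnedhub.com test.pwnedhub.com api.pwnedhub.com admin.pwnedhub.com"

# check_pwnedhub_hosts FILE  (hypothetical helper name)
# Prints one line per problem and returns non-zero when a record is missing
# or when a PwnedHub name is mapped to an address other than 127.0.0.1.
check_pwnedhub_hosts() {
    awk -v want="$PWNEDHUB_HOSTS" '
        BEGIN { n = split(want, names, " "); bad = 0 }
        {
            gsub(/\r/, "")          # tolerate CRLF line endings
            sub(/#.*/, "")          # drop comments, including commented-out records
            if (NF < 2) next        # blank line or address with no names
            for (i = 2; i <= NF; i++) {
                h = tolower($i)     # hostnames are case-insensitive
                for (j = 1; j <= n; j++) if (h == names[j]) {
                    if ($1 == "127.0.0.1") ok[h] = 1
                    else { printf "NOT-LOOPBACK %s -> %s\n", h, $1; bad = 1 }
                }
            }
        }
        END {
            # Report every required name that has no 127.0.0.1 record.
            for (j = 1; j <= n; j++)
                if (!(names[j] in ok)) { printf "MISSING %s\n", names[j]; bad = 1 }
            exit bad
        }
    ' "$1"
}
```

On Linux and macOS, call it as `check_pwnedhub_hosts /etc/hosts`; no output and a zero exit status mean all five names point at the local Docker environment.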
    

Information

The PwnedHub environment includes several resources that are not targets.

  • http://admin.pwnedhub.com/inbox/ - A webmail interface for receiving email from out-of-band systems. PwnedHub does not send email to external mail services, so when an application sends an email, this is where the user will receive it.
  • http://admin.pwnedhub.com/config/ - A configuration interface for enabling/disabling security controls and features. Modifying these settings changes how the target applications behave.