How safe is Pwnbox?

Hey all, I just read about Pwnbox and wanted to try it but before I do, I wanted to ask how safe it is to use on my browser. I know HTB has a warning not to connect to HTB on production boxes via VPN (for obvious reasons) but it seems Pwnbox being browser-based may not have similar concerns.

Are there any similar concerns with Pwnbox or is it well sandboxed?

What do you mean by safe in this context?

Hi @TazWake in the context of another HTB user compromising your box. From the HTB page “Use it responsibly and don’t hack your fellow members…”. and this How to be safe on HTB - Off-topic - Hack The Box :: Forums

“We strongly recommend not to use your production PC to connect to the HTB Network. Build a VM or physical system just for this purpose. HTB Network is filled with security enthusiasts that have the skills and toolsets to hack systems and no matter how hard we try to secure you, we are likely to fail :stuck_out_tongue: We do not hold any responsibility for any damage, theft or loss of personal data although in such event, we will cooperate fully with the authorities.”

I don’t know enough about the new service to make that determination.

For further context, I use a Kali VM because of the tools but to also isolate my host while doing HTB.

@privesc said:

Hi @TazWake in the context of another HTB user compromising your box. From the HTB page “Use it responsibly and don’t hack your fellow members…”. and this How to be safe on HTB - Off-topic - Hack The Box :: Forums

Ok. In a very simplistic sense “safe” is only something you can assess.

Really, rather than use the vague sense of “safe” (because nothing on HTB will hurt you, ever), you need to think more about what it is you are concerned may happen.

Then you can establish if there is a risk from what you are doing, and if so, decide if it is worth mitigating.

The “Use it responsibility” comment is largely boilerplate and a way of establishing a behaviour standard (which can be enforced), rather than warning you there is a risk of people finding your IP and trying to hack into your machine.

I don’t know enough about the new service to make that determination.

If you identify what you think might be a problem, it might be possible to work out if there is an issue for you or not. The general “am I safe doing this” is difficult to ever answer and someone will always come up with a counter argument to anything you decide.

For further context, I use a Kali VM because of the tools but to also isolate my host while doing HTB.

Ok. If your concern is someone hacking into your Pwnbox OS and then breaking out of the browser it’s running in to attack your host machine, this is probably unlikely but not impossible.

In the same vein, it is unlikely - but not impossible - that someone can hack into your Kali VM and break out of the virtualisation to attack the host.

Largely it boils down to what services you run, how you configure it, how you access it, what you use it for, what credentials you use etc. It is probably the same with the PwnBox machines.