Cool Guys Don't Look At Explosions ππ£
Dockerized penetration-testing/bugbounty/app-sec testing environment
This tool uses a docker cli. Docker installation is required.
https://docs.docker.com/get-docker
$ go get -u github.com/hahwul/backbomb
.----. .--. .---. .-. .-..----. .----. .-. .-..----.
| {} } / {} \ / ___}| |/ / | {} }/ {} \| `.' || {} }
| {} }/ /\ \\ }| |\ \ | {} }\ /| |\ /| || {} }
`----' `-' `-' `---' `-' `-'`----' `----' `-' ` `-'`----'
Dockerized penetration-testing/bugbounty/app-sec testing environment
Cool Guys Don't Look At Explosions ππ£
Usage:
backbomb [command]
Available Commands:
help Help about any command
init Initialization backbomb docker image
run Start backbomb
update Update hahwul/backbomb image
version Show version
Flags:
--config string config file (default is $HOME/.backbomb.yaml)
-h, --help help for backbomb
Use "backbomb [command] --help" for more information about a command.
$ backbomb init
After initialization, the docker image and volume are prepared π
$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
hahwul/backbomb latest 749a17299401 23 hours ago 3.97GB
$ docker volume list | grep backbomb
local backbomb
run command allows you to omit and drive additional docker execution options, such as --mount.
$ backbomb run
sample
$ backbomb run
INFO[0000] Starting backbomb π£
INFO[0000] The docker client object has been created
INFO[0000] Container creating job successful
INFO[0000] 02267b3954516c500e0d4e826c5c4af8d911a1d391352cd3f915e98975b20f83
INFO[0000] Connecting backbomb container
β /project ll
total 0
... testing all the things π ...
β /project exit
INFO[0014] Start the shutdown process.
INFO[0014] Finish
You can use the update command to update the image.
$ backbomb update
INFO[0000] Start update image to latest
INFO[0000] Pulling backbomb latest image
INFO[0003] Finish!
Coming soon!
The /app path is backbomb PV(Persistent Volume) which stores data that needs to be maintained continuously, including Postgres. This means sharing data between the host and the docker, and of course it is not stored on a remote server. Since db interlocking services such as metasploit and find domain are established in advance, you can use them comfortably without any additional interlocking process.
e.g
β /project msfconsole
...snip..
+ -- --=[ 2087 exploits - 1127 auxiliary - 354 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 7 evasion ]
Metasploit tip: When in a module, use back to go
back to the top level prompt
msf6 > db_status
[*] Connected to msf. Connection type: postgresql.
msf6 > workspace
* default
