Building a bug bounty box in AWS

4 years ago

Bagheera Altered

I’ve just started doing bug bounties, and it’s been a steep learning curve. The reconnaissance stage is incredibly important, and since the more valid reports you submit, the more programs you are invited to, the list of domains and targets seems to be always growing.

Having this almost constant reconnaissance running from my home PC causes a lot of unnecessary issues, so the easiest thing seemed to be to build it in the cloud. My solution was to create a Linux instance in the cloud and write two scripts for the machine: the first script installs everything that the second script needs.

AWS Marketplace has a Kali Linux subscription. Spinning up an instance is pretty simple, and the cost can range from completely free (for a 1-core, 2GB machine) to something with a lot more juice.

I used a Kali machine with the following configuration, which does have a cost to it:

Changed the storage to 32GB
Changed security to only allow incoming sessions from my home IP address
Instance is t2.2xlarge, which is 4 cores and 32GB RAM
SSH with a PEM key

Kali no longer uses root as its default user, so to log in with the PEM key the user is kali:

ssh -i something.pem kali@ec2-(Public IPv6 DNS)

Scripts

The scripts can be found here:

The first script is the installation script; it updates the machine and installs the relevant applications. I’ve used a selection of tools written in Go which have become popular in the last few years, many by people like Tomnomnom and projects like ProjectDiscovery.

The second script runs the recon and outputs to files. After creating a file called scope.txt with a list of the domains, the baggy script goes through the following phases:

Finding Assets, Subdomains and URLs
Finding possible LFIs
Finding possible Open Redirects
Finding possible CRLF
Finding possible XSS
Finding possible RCE
Finding possible CVEs

This script won’t necessarily find something to report, but it will find somewhere to start looking for something to report.
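As an added example (not the author's scripts), the following filters the hostnames that come out of the asset-finding phase against scope.txt before any of the vulnerability-finding phases run, so the recon never drifts onto assets the program has not put in scope. The post only says scope.txt is a list of domains; the `*.` prefix, the `!` exclusion lines, the `#` comments and the sample data are assumptions made here.

```python
# Added example, not the author's scripts: filter hostnames found by the recon
# phases against scope.txt before the vulnerability-finding phases run.
# Assumed scope.txt format: one entry per line; a bare domain covers itself and
# all subdomains, a leading '!' excludes a domain subtree, '#' starts a comment.
from urllib.parse import urlsplit

# Constructed sample scope.txt and recon output, not taken from the post.
SCOPE_TXT = "# constructed sample\nexample.com\n*.example.org\n!internal.example.com\n"
DISCOVERED = [
    "https://www.example.com/login",  # URL from the URL-gathering phase
    "API.Example.com:8443",           # host:port, mixed case
    "notexample.com",                 # substring lookalike, must stay out
    "vpn.internal.example.com",       # inside an excluded subtree
    "shop.example.org.",              # trailing dot from DNS output
    "example.net",                    # simply not in scope
]

def normalize_host(item: str) -> str:
    """Reduce a URL or host[:port] string to a bare lowercase hostname."""
    item = item.strip()
    host = urlsplit(item).hostname if "://" in item else item.split("/", 1)[0].split(":", 1)[0]
    return (host or "").lower().rstrip(".")

def parse_scope(text: str) -> tuple[set[str], set[str]]:
    """Return (included, excluded) domain sets; a leading '*.' is dropped."""
    included, excluded = set(), set()
    for line in (raw.split("#", 1)[0].strip() for raw in text.splitlines()):
        if line:
            target = excluded if line.startswith("!") else included
            target.add(normalize_host(line.lstrip("!").lstrip("*.")))
    return included, excluded

def covered_by(host: str, domain: str) -> bool:
    """Label-aligned match: host is domain or a subdomain, never a bare substring."""
    return host == domain or host.endswith("." + domain)

def in_scope(host: str, included: set[str], excluded: set[str]) -> bool:
    """Exclusions win over inclusions, so '!' can carve a subtree out of scope."""
    host = normalize_host(host)
    if any(covered_by(host, d) for d in excluded):
        return False
    return any(covered_by(host, d) for d in included)

def split_by_scope(scope_text: str, candidates: list[str]) -> tuple[list[str], list[str]]:
    """Return (in_scope, out_of_scope) hostname lists, deduplicated and sorted."""
    included, excluded = parse_scope(scope_text)
    hosts = {normalize_host(c) for c in candidates}
    keep = {h for h in hosts if in_scope(h, included, excluded)}
    return sorted(keep), sorted(hosts - keep)
```

Feeding the in-scope list, rather than the raw enumeration output, into the later phases is the cheap check that keeps the box from probing assets outside the program.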
