From Couch to Cloud: Bug Hunting Made Easy!


sudo uday

Hack from anywhere — even your smart fridge if it had a browser. With Google CloudShell, you don’t need a high-end device or lightning-fast internet; it’s all cloud magic! So, grab your snack, kick back, and let’s get you set up to hunt bugs while your fridge judges your life choices!

Step 1: Install GoLang

Install GoLang, as it’s the foundation for many tools:

apt install golang

Step 2: Install GoLang Tools

Install these essential tools using Go:
(It looks complicated but trust me it’s not)

# Subdomain Enumeration
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install -v github.com/tomnomnom/assetfinder@latest
go install -v github.com/owasp-amass/amass/v4/...@master

# HTTP Probing & Fuzzing
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
go install -v github.com/ffuf/ffuf/v2@latest

# Archive Data and Pattern Matching
go install -v github.com/tomnomnom/waybackurls@latest
go install -v github.com/tomnomnom/gf@latest

# Vulnerability Scanning
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# Subdomain Takeover
go install -v github.com/PentestPad/subzy@latest

Location of Go Tools: Go stores its tools in /root/bin/go/.

Execution Requirement: Tools will not execute in Cloud Shell unless copied to /usr/local/bin. To copy a tool, use:

cp /root/bin/go/subfinder /usr/local/bin

Cloud Environment Reset: Google Cloud Shell resets its settings upon logout; only your home directory persists between sessions, so anything placed in /usr/local/bin is gone the next time you log in.

Recommended Storage: Store tools in a tools directory inside your home (e.g., /home/sudouday/tools) and copy them from there to /usr/local/bin as needed.

403 Bypass Scripts: 403-bypass.sh and bypass-403.sh. Download these scripts from GitHub and store them in your tools folder.

Dirsearch: Install via apt:

apt install dirsearch
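Because only the home directory survives a Cloud Shell reset, the save-and-restore copying above is worth scripting. The following is an added example, not from the original post: one POSIX shell function, sync_tools (a name I chose), that copies every executable from one directory to another only when the copy is missing or outdated, so the same function saves fresh Go builds into the tools folder and restores them to /usr/local/bin after a reset. The paths /root/bin/go, /home/sudouday/tools and /usr/local/bin are the post's.

```shell
#!/bin/sh
# Added example, not from the original post: keep Go tools across Cloud Shell resets.
# sync_tools SRC DST copies each executable regular file in SRC to DST when DST has
# no copy yet or SRC's copy is newer, and prints how many files it copied.
# The same function handles both directions used in the post (paths are the post's):
#   save:    sync_tools /root/bin/go        /home/sudouday/tools   # before logging out
#   restore: sync_tools /home/sudouday/tools /usr/local/bin        # after a reset

sync_tools() {
  src="$1"
  dst="$2"
  copied=0
  mkdir -p "$dst" || return 1
  for tool in "$src"/*; do
    # skip non-files (unmatched glob, subdirectories) and anything not executable,
    # so notes or README files in the tools folder never land in the PATH
    [ -f "$tool" ] && [ -x "$tool" ] || continue
    name=$(basename "$tool")
    target="$dst/$name"
    # copy only when the target is missing or the source build is newer
    if [ ! -e "$target" ] || [ "$tool" -nt "$target" ]; then
      cp "$tool" "$target" && chmod 755 "$target" && copied=$((copied + 1))
    fi
  done
  echo "$copied"
}
```

Run the restore line once per login (for example from ~/.bashrc); it prints 0 when everything is already in place.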

Use tools like Subfinder, Assetfinder, and Amass to collect subdomains:

Subfinder:

subfinder -d vk.com -t 100 -v -o subfinder.txt

Amass (with IP brute force):

amass enum -src -ip -brute -d vk.com -o amass.txt

Assetfinder:

cat subdomains.txt | assetfinder > assetfinder.txt

Combine results from all tools and filter unique subdomains:

sort subfinder.txt amass.txt assetfinder.txt | uniq > sorted_subdomains.txt

Use Httpx to check for active subdomains:

cat sorted_subdomains.txt | httpx -threads 200 | tee -a live_subdomains.txt

Fetch historical data using WaybackURLs:

cat live_subdomains.txt | waybackurls | tee -a wayback_urls.txt

Filter for potential vulnerabilities using GF and other techniques:

Cross-Site Scripting (XSS):

cat wayback_urls.txt | gf xss | tee -a potential_xss.txt

SQL Injection (SQLi):

cat wayback_urls.txt | gf sqli | tee -a potential_sqli.txt

JavaScript Files (match a .js extension at the end of the path or before a query string, rather than every URL containing the letters "js"):

cat wayback_urls.txt | grep -E '\.js($|\?)' | tee -a js_files.txt

Manual Testing: Use the parameters extracted (e.g., potential_xss.txt and potential_sqli.txt) to look for vulnerabilities using Burp Suite.

Automated Testing with Nuclei:

cat wayback_urls.txt | nuclei -t /root/nuclei-templates/vulnerabilities

Wasn’t that a breeze? If you enjoyed it, be sure to follow me on Twitter and LinkedIn for more fun adventures in hacking!
