From Couch to Cloud: Bug Hunting Made Easy!

sudo uday
3 min read, Dec 9, 2024


Hack from anywhere — even your smart fridge if it had a browser. With Google CloudShell, you don’t need a high-end device or lightning-fast internet; it’s all cloud magic! So, grab your snack, kick back, and let’s get you set up to hunt bugs while your fridge judges your life choices!

Log in to your Google account and open Google CloudShell directly at shell.cloud.google.com.

Step 1: Install GoLang

Install GoLang, as it’s the foundation for many tools:

apt install golang

Step 2: Install GoLang Tools

Install these essential tools using Go (it looks complicated, but trust me, it’s not):

# Subdomain Enumeration
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install -v github.com/tomnomnom/assetfinder@latest
go install -v github.com/owasp-amass/amass/v4/...@master

# HTTP Probing & Fuzzing
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
go install -v github.com/ffuf/ffuf/v2@latest

# Archive Data and Pattern Matching
go install -v github.com/tomnomnom/waybackurls@latest
go install -v github.com/tomnomnom/gf@latest

# Vulnerability Scanning
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest

# Subdomain Takeover
go install -v github.com/PentestPad/subzy@latest
  • Location of Go tools: Go stores its compiled tools in /root/bin/go/.
  • Execution requirement: tools will not run in the cloud shell unless they are copied to /usr/local/bin, for example:
    cp /root/bin/go/subfinder /usr/local/bin
  • Cloud environment reset: Google Cloud resets its settings when you log out, so the copies in /usr/local/bin have to be made again in each new session.
  • Recommended storage:
    • Keep the tools in a /tools directory (e.g., /home/sudouday/tools).
    • Usage: copy the tools from /tools to /usr/local/bin as needed.
  • 403 bypass scripts: download 403-bypass.sh and bypass-403.sh from GitHub and store them in your tools folder.
  • Dirsearch: install via apt with apt install dirsearch
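As an added example (not the post's own setup), the following script builds the Go tools straight into a directory under $HOME and registers that directory on PATH once, instead of copying binaries to /usr/local/bin after every reset. It assumes that $HOME survives a Cloud Shell logout while the rest of the machine is reset, that go is already installed, and TOOLS_DIR, RC_FILE and the function names are choices made here, not anything Cloud Shell defines.

```shell
#!/bin/sh
# Added example, not from the original post: build Go recon tools into a directory
# under $HOME (which Cloud Shell keeps across sessions) and put it on PATH once,
# instead of copying binaries to /usr/local/bin after every reset.
# Assumed names: TOOLS_DIR, RC_FILE and these function names are chosen here.
set -e

TOOLS_DIR="${TOOLS_DIR:-$HOME/tools}"
RC_FILE="${RC_FILE:-$HOME/.bashrc}"

# Append the PATH export to an rc file exactly once, so repeated runs stay idempotent.
ensure_path_entry() {
  rc="$1" dir="$2"
  line="export PATH=\"$dir:\$PATH\""
  touch "$rc"
  grep -qxF -- "$line" "$rc" || printf '%s\n' "$line" >> "$rc"
}

# Build one Go tool straight into TOOLS_DIR via GOBIN instead of the default $HOME/go/bin.
install_go_tool() {
  mkdir -p "$TOOLS_DIR"
  GOBIN="$TOOLS_DIR" go install -v "$1"
}

# Print which expected binaries exist in a directory; exit status 1 if any are missing.
check_tools() {
  dir="$1"; shift
  missing=0
  for name in "$@"; do
    if [ -x "$dir/$name" ]; then echo "ok      $name"
    else echo "missing $name"; missing=1; fi
  done
  return "$missing"
}

# Full setup: register PATH, install the post's subdomain and probing tools, then verify.
setup_tools() {
  ensure_path_entry "$RC_FILE" "$TOOLS_DIR"
  for pkg in github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest \
             github.com/projectdiscovery/httpx/cmd/httpx@latest; do
    install_go_tool "$pkg"
  done
  check_tools "$TOOLS_DIR" subfinder httpx
}

# RUN_SETUP=1 sh setup-tools.sh performs the install; sourcing only defines the functions.
if [ "${RUN_SETUP:-0}" = 1 ]; then setup_tools; fi
```

After the first run, `. ~/.bashrc` (or a new session) picks up the PATH entry, and `check_tools "$HOME/tools" subfinder httpx` reports which binaries are still in place after a reset.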

Bug Hunting Methodology

1. Gather Subdomains

Use tools like Subfinder, Assetfinder, and Amass to collect subdomains:

  • Subfinder:
    subfinder -d vk.com -t 100 -v -o subfinder.txt
  • Amass (with IP brute force):
    amass enum -src -ip -brute -d vk.com -o amass.txt
  • Assetfinder (reads the domains listed in subdomains.txt from stdin):
    cat subdomains.txt | assetfinder > assetfinder.txt

2. Sort and Deduplicate Subdomains

Combine results from all tools and filter unique subdomains:

sort subfinder.txt amass.txt assetfinder.txt | uniq > sorted_subdomains.txt

3. Identify Live Subdomains

Use Httpx to check for active subdomains:

cat sorted_subdomains.txt | httpx -threads 200 | tee -a live_subdomains.txt

4. Retrieve Archived URLs

Fetch historical data using WaybackURLs:

cat live_subdomains.txt | waybackurls | tee -a wayback_urls.txt

5. Extract Vulnerable Parameters

Filter for potential vulnerabilities using GF and other techniques:

  • Cross-Site Scripting (XSS):
    cat wayback_urls.txt | gf xss | tee -a potential_xss.txt
  • SQL Injection (SQLi):
    cat wayback_urls.txt | gf sqli | tee -a potential_sqli.txt
  • JavaScript files (match .js at the end of the path rather than every URL that merely contains “js”):
    cat wayback_urls.txt | grep -E '\.js($|\?)' | tee -a js_files.txt

6. Manual and Automated Bug Hunting

  • Manual Testing: use the parameters extracted (e.g., potential_xss.txt and potential_sqli.txt) to look for vulnerabilities with Burp Suite.
  • Automated Testing with Nuclei:
    cat wayback_urls.txt | nuclei -t /root/nuclei-templates/vulnerabilities

Wasn’t that a breeze? If you enjoyed it, be sure to follow me on Twitter and LinkedIn for more fun adventures in hacking!
