Log in to your Google account and open Google Cloud Shell directly at shell.cloud.google.com.
Hack from anywhere — even your smart fridge if it had a browser. With Google CloudShell, you don’t need a high-end device or lightning-fast internet; it’s all cloud magic! So, grab your snack, kick back, and let’s get you set up to hunt bugs while your fridge judges your life choices!
Step 1: Install GoLang
Install GoLang, as it’s the foundation for many tools:
apt install golang
Step 2: Install GoLang Tools
Install these essential tools using Go:
(It looks complicated, but trust me, it's not.)
# Subdomain Enumeration
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
go install -v github.com/tomnomnom/assetfinder@latest
go install -v github.com/owasp-amass/amass/v4/...@master
# HTTP Probing & Fuzzing
go install -v github.com/projectdiscovery/httpx/cmd/httpx@latest
go install -v github.com/ffuf/ffuf/v2@latest
# Archive Data and Pattern Matching
go install -v github.com/tomnomnom/waybackurls@latest
go install -v github.com/tomnomnom/gf@latest
# Vulnerability Scanning
go install -v github.com/projectdiscovery/nuclei/v3/cmd/nuclei@latest
# Subdomain Takeover
go install -v github.com/PentestPad/subzy@latest
- Location of Go Tools: Go stores its tools in /root/bin/go/.
- Execution Requirement: Tools will not execute in the Cloud Shell unless copied to /usr/local/bin. To copy a tool, use:
cp /root/bin/go/subfinder /usr/local/bin
- Cloud Environment Reset: Google Cloud resets its settings upon logout.
- Recommended Storage: Store tools in a /tools directory (e.g., /home/sudouday/tools). Usage: copy tools from /tools to /usr/local/bin as needed.
- 403 Bypass Scripts: 403-bypass.sh and bypass-403.sh. Download these scripts from GitHub and store them in your tools folder.
- Dirsearch: Install via apt:
apt install dirsearch
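Since copying binaries into /usr/local/bin by hand after every reset gets old fast, here is a small helper script. It is an added example, not something from the original post or any of the tools above: it copies every executable from a source directory into a persistent tools folder and adds that folder to your PATH in a shell rc file, so the copy step happens once. The locations are assumptions: Go drops binaries in `$(go env GOPATH)/bin` (normally $HOME/go/bin), and the script uses $HOME/tools and $HOME/.bashrc as the destination; adjust to match your own setup.

```shell
#!/bin/sh
# Added example (not from the original post): keep Go-built tools in a
# persistent folder and put that folder on PATH, so a Cloud Shell reset
# does not send you back to copying binaries one by one.
# The directories used in "run" mode below are assumptions.

# Copy every executable file from $1 into $2 (creating it if needed).
# Prints how many files were copied.
persist_tools() {
    src_dir="$1"
    dest_dir="$2"
    mkdir -p "$dest_dir" || return 1
    count=0
    for f in "$src_dir"/*; do
        # skip non-files (or an unmatched glob) and anything not executable
        [ -f "$f" ] && [ -x "$f" ] || continue
        cp "$f" "$dest_dir"/ || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# Append 'export PATH="<dir>:$PATH"' to the rc file $2 unless that exact
# line is already there. Prints "added" or "already".
add_to_path_rc() {
    dir="$1"
    rc_file="$2"
    line="export PATH=\"$dir:\$PATH\""
    touch "$rc_file" || return 1
    if grep -Fqx "$line" "$rc_file"; then
        echo "already"
    else
        printf '%s\n' "$line" >> "$rc_file"
        echo "added"
    fi
}

# Usage: sh persist-tools.sh run
# (assumed defaults: Go's bin dir -> $HOME/tools, PATH line -> ~/.bashrc)
case "${1:-}" in
    run)
        persist_tools "$(go env GOPATH)/bin" "$HOME/tools"
        add_to_path_rc "$HOME/tools" "$HOME/.bashrc"
        export PATH="$HOME/tools:$PATH"
        ;;
esac
```

Re-run it after each `go install` batch; the rc file only ever gets one PATH line because the function checks for it first.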
Bug Hunting Methodology
1. Gather Subdomains
Use tools like Subfinder, Assetfinder, and Amass to collect subdomains:
- Subfinder:
subfinder -d vk.com -t 100 -v -o subfinder.txt
- Amass (with IP brute force):
amass enum -src -ip -brute -d vk.com -o amass.txt
- Assetfinder:
cat subdomains.txt | assetfinder > assetfinder.txt
2. Sort and Deduplicate Subdomains
Combine results from all tools and filter unique subdomains:
sort subfinder.txt amass.txt assetfinder.txt | uniq > sorted_subdomains.txt
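One catch with plain `sort | uniq`: it only removes lines that are byte-for-byte identical, so `API.example.com`, `api.example.com.` and `https://api.example.com/` survive as three "different" hosts, and any stray junk a tool printed ends up in your list too. The script below is an added example (not from the original post or any of the tools) that normalises each line first, throws out anything that is not a hostname, and keeps only hosts under the root domain you are actually allowed to test. The file names in its "run" mode are assumptions matching the post.

```shell
#!/bin/sh
# Added example (not from the original post): normalise tool output before
# deduplicating, so case, trailing dots, schemes, ports and wildcard
# prefixes do not produce duplicate entries. File names are assumptions.

# stdin: hostnames, one per line, possibly messy.
# stdout: lowercase, cleaned, sorted, unique hostnames.
normalize_hosts() {
    tr 'A-Z' 'a-z' \
    | sed -E 's/^[[:space:]]+//; s/[[:space:]]+$//' \
    | sed -E 's#^[a-z]+://##; s#[/:?].*$##; s/^\*\.//; s/\.$//' \
    | grep -E '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9-]+$' \
    | LC_ALL=C sort -u
}

# Keep only hosts that are the root domain given as $1 or a subdomain of it
# ("example.com.evil.net" is not in scope for example.com).
in_scope() {
    escaped=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -E "(^|\.)${escaped}\$"
}

# Number of distinct hosts across one or more result files.
count_unique() {
    cat "$@" | normalize_hosts | wc -l | tr -d ' '
}

# Usage: sh dedup.sh run <root-domain>
case "${1:-}" in
    run)
        root="${2:?root domain required}"
        cat subfinder.txt amass.txt assetfinder.txt \
            | normalize_hosts | in_scope "$root" > sorted_subdomains.txt
        ;;
esac
```

The scope filter matters more than it looks: the archived-URL and scanning steps later in this post will happily run against whatever is in the file, so anything outside the programme's scope should be gone before that point.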
3. Identify Live Subdomains
Use Httpx to check for active subdomains:
cat sorted_subdomains.txt | httpx -threads 200 | tee -a live_subdomains.txt
4. Retrieve Archived URLs
Fetch historical data using WaybackURLs:
cat live_subdomains.txt | waybackurls | tee -a wayback_urls.txt
5. Extract Vulnerable Parameters
Filter for potential vulnerabilities using GF and other techniques:
- Cross-Site Scripting (XSS):
cat wayback_urls.txt | gf xss | tee -a potential_xss.txt
- SQL Injection (SQLi):
cat wayback_urls.txt | gf sqli | tee -a potential_sqli.txt
- JavaScript Files:
cat wayback_urls.txt | grep js | tee -a js_files.txt
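A bare `grep js` is looser than it looks: it also matches `.json` and `.jsp` paths and any host or directory that merely contains the letters "js", and the same script shows up once per cache-busting query string. The functions below are an added example (not from the original post) that keeps only URLs whose path really ends in `.js`, collapses query strings so each script is listed once, and then summarises which hosts serve those scripts, which is handy for spotting third-party script hosts. The sample URLs in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): filter archived URLs down to
# JavaScript files precisely, then summarise the hosts that serve them.

# stdin: URLs, one per line.
# stdout: unique .js URLs with query string and fragment removed.
js_files() {
    grep -Ei '^[a-z]+://[^ ]+\.js([?#]|$)' \
    | sed -E 's/[?#].*$//' \
    | LC_ALL=C sort -u
}

# stdin: URLs (for example the output of js_files).
# stdout: "count host" lines, hosts serving the most scripts first.
js_hosts() {
    sed -E 's#^[a-zA-Z]+://([^/]+).*$#\1#' \
    | sort \
    | uniq -c \
    | sed -E 's/^ *//' \
    | sort -rn
}

# Usage: sh js-filter.sh run  (file names as in the post; assumed)
case "${1:-}" in
    run)
        js_files < wayback_urls.txt | tee js_files.txt | js_hosts
        ;;
esac
```

Any host in the `js_hosts` output that is not the target's own is a script the site loads from somewhere else, which is worth a note in the report even before you look at the file contents.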
6. Manual and Automated Bug Hunting
- Manual Testing: Use the parameters extracted (e.g., potential_xss.txt and potential_sqli.txt) to look for vulnerabilities using Burp Suite.
- Automated Testing with Nuclei:
cat wayback_urls.txt | nuclei -t /root/nuclei-templates/vulnerabilities
Wasn’t that a breeze? If you enjoyed it, be sure to follow me on Twitter and LinkedIn for more fun adventures in hacking!