Gauing+Nuclei for Instant Bounties

Ravaan, published in InfoSec Write-ups. 3 min read, Jul 17, 2022.

Back again with the instant bounties series. Last time we learned how to score instant bounties with Google dorks, so check that out if you have not already. Let's talk about more instant bounty techniques. Note that these techniques have landed me P2, P3 and P4 bugs multiple times. Stick around to the end for the automation.

Let's go with the Nuclei part today; the Gauing filters come in the next part, as they require more understanding.

What is Gauing?

First we use subdomainer to generate all.txt; the command for that is:

./subdomainer -t rollbar.com -f true

Gau is a tool whose name stands for "get all URLs". Gauing refers to my own process of getting all URLs with several custom tweaks that I have refined over my bounty hunting.

Command:

cat all.txt | gauplus -subs -b png,jpg,gif,jpeg,swf,woff,gif,svg -o allUrls.txt ; cat allUrls.txt | httpx -mc 200,403 -o liveallurls.txt

We exclude file types that are not really interesting, such as image and font files.

Here's the full list of extensions we exclude while Gauing:

png,jpg,gif,jpeg,swf,woff,gif,svg

After excluding these with -b, we want to see which of the URLs are alive and which are not; for this we pipe the list through httpx, which keeps only the URLs that answer with status 200 or 403 (-mc 200,403) and drops the links that are not working. Keep this aside; in the next part I'll teach you the filters to use on this list to score bugs. Moving on to Nuclei.
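As an added example (not the author's Chandrahasa script), here is the extension-blocklist step reimplemented with POSIX tools, plus a scope check to run over the URL list before it goes to httpx or Nuclei. The blocklist is the page's list with the duplicate gif dropped; the scope file format (one in-scope domain per line) and the sample URLs are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: mirrors "gauplus -b <ext list>" with grep/awk and adds a
# scope check so only in-scope hosts reach httpx/nuclei.

# The page's exclusion list, duplicate "gif" removed.
STATIC_EXT="png,jpg,gif,jpeg,swf,woff,svg"

# ext_regex LIST: build an ERE that matches a URL whose path ends in one of
# the comma-separated extensions, with an optional query string after it.
ext_regex() {
    alts=$(printf '%s' "$1" | tr ',' '|')
    printf '%s' '\.(' "$alts" ')(\?.*)?$'
}

# filter_urls: read URLs on stdin, drop static assets (case-insensitive),
# and print each remaining URL once, in input order.
filter_urls() {
    grep -Eiv "$(ext_regex "$STATIC_EXT")" | awk '!seen[$0]++'
}

# in_scope URL SCOPEFILE: succeed if the URL's host equals, or is a
# subdomain of, a domain listed one per line in SCOPEFILE.
in_scope() {
    host=$(printf '%s' "$1" | sed -E 's#^[a-z]+://##; s#[/:?].*$##')
    while read -r d; do
        [ -z "$d" ] && continue
        [ "$host" = "$d" ] && return 0
        case "$host" in *."$d") return 0 ;; esac
    done < "$2"
    return 1
}

# demo_filter: constructed sample URLs (not real gauplus output) run
# through the filter; only the API URL survives, and only once.
demo_filter() {
    printf '%s\n' \
        'https://a.target.example/logo.PNG' \
        'https://a.target.example/api/v1?x=1' \
        'https://a.target.example/img.jpg?v=2' \
        'https://a.target.example/api/v1?x=1' | filter_urls
}
```

In the real pipeline, `gauplus -subs < all.txt | filter_urls` would take the place of the demo input, and URLs failing `in_scope` should be dropped before httpx runs.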

NUCLEI

Nuclei is a template-based automated scanner that has landed me several bugs via automation.

After running subdomainer, run Nuclei with all.txt from the website's folder; this folder is autogenerated by subdomainer.

Command:

nuclei -t /root/nuclei-templates/ -l all-live.txt -es info -o nucleiall.txt

The -es info flag excludes info-severity findings, so the scan concentrates on LOW, MEDIUM and HIGH severity only and saves the results to nucleiall.txt.

Does it work?

Yes! I and several of my students have scored countless bugs; the trick is to automate it rather than doing this by hand. This has landed me several Hall of Fame entries. A recent example:

[Image: FLEX]

AUTOMATION:

To automate this, I have written a shell script. Download it from GitHub: https://github.com/Ravaan21/Chandrahasa/ (everything about the tool is explained in the repo). Note that a few things need to be installed first:

Gauplus

Httpx

Subdomainer

Now move the script into the directory where you downloaded subdomainer.

Install: after installing the three tools, make the script executable:

chmod +x chandrahas.sh

Usage: ./chandrahasa websitename.com

Now go and score some Hall of Fames: start with rollbar.com and use my script. Comment when you score a HOF. Let me know if you need the list of vulnerable targets :)

Stay tuned for the next part, where I explain how Gauing is used to score cash instead of Hall of Fames ;) — Ravaan


Red Teamer/BBHH. Apple HOF, Adobe HOF, governments to Fortune 500 companies, UN. Researcher/Malware. CVE hunting. Bookworm. CEH (Practical).