Gauing+Nuclei for Instant Bounties
Back again with the instant bounties series. Last time we learned how to score instant bounties with Google dorks, so check that out if you have not already. Let's talk about more instant bounty techniques. Note that these techniques have landed me P2, P3 and P4 bugs multiple times. Stick around to the end for the automation.
Let's cover the Nuclei part today and Gauing in the next part, as it requires more understanding.
What is Gauing?
Gau (getallurls) is a tool that collects every known URL for a domain from archive sources such as the Wayback Machine; gauplus is the fork used here. Gauing basically refers to the self-made process of getting all URLs with several custom tweaks which I have perfected over my bounty hunting.
First we use subdomainer to produce all.txt, the list of subdomains. The command for that:
./subdomainer -t rollbar.com -f true
Then we feed that list to gauplus and check which of the collected URLs still respond. Command:
cat all.txt | gauplus -subs -b png,jpg,gif,jpeg,swf,woff,svg -o allUrls.txt ; cat allUrls.txt | httpx -mc 200,403 -o liveallurls.txt
-subs tells gauplus to include subdomains of each host in all.txt, and -b excludes things that are not really important, such as image and font files. Here's the entire list we exclude while Gauing:
png,jpg,gif,jpeg,swf,woff,svg
After excluding these with -b we further want to see which URLs are alive and which are not, so we pipe them through httpx and keep only those answering 200 or 403 (a 403 still tells you the path exists and may be worth a closer look). Keep this file aside; in the next part I'll teach you the several filters to run over it to score bugs. Moving on to Nuclei.
NUCLEI
Nuclei is a template-based vulnerability scanner that has landed me several bugs via automation.
After running subdomainer, run nuclei against the host list it auto-generates inside the website's folder (all-live.txt in the command below).
Command:
nuclei -t /root/nuclei-templates/ -l all-live.txt -es info -o nucleiall.txt
-t points at the templates directory (adjust the path if your templates live elsewhere), -es info excludes the informational findings so the scan concentrates only on low, medium, high and critical severity results, and -o saves the result to nucleiall.txt.
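As an added example (my own wrapper, not the author's Chandrahasa script and not subdomainer), here is a small POSIX shell script that wires the subdomainer -> gauplus -> httpx -> nuclei chain above into one run. It assumes subdomainer has already written all.txt and all-live.txt into the target folder, and it includes a pure-shell stand-in for the -b extension filter so the exclusion rule can be checked on a constructed URL list without any of the tools or network access; the tool flags are the ones used in the post.

```shell
#!/bin/sh
# Added example: minimal wrapper for the gauplus -> httpx -> nuclei chain.
# Not the author's chandrahasa script. File names all.txt / all-live.txt are
# assumed to be produced by subdomainer in the target directory.
set -eu

# Static-asset extensions to drop, in the comma-separated form gauplus -b expects.
BLACKLIST="png,jpg,jpeg,gif,swf,woff,svg"

# Pure-shell approximation of gauplus -b: drop a URL whose path ends in a
# blacklisted extension (case-insensitive), even when a query string or
# fragment follows it. Lets the rule be tested on constructed input offline.
drop_static() {
    ext_re=$(printf '%s' "$BLACKLIST" | sed 's/,/|/g')
    grep -Eiv "\.(${ext_re})([?#].*)?$" || true
}

# Refuse to start the real run if any external tool is missing from PATH.
need_tools() {
    missing=0
    for t in gauplus httpx nuclei; do
        if ! command -v "$t" >/dev/null 2>&1; then
            echo "missing tool: $t" >&2
            missing=1
        fi
    done
    return "$missing"
}

# run_pipeline DIR: DIR must already hold all.txt (subdomains) and
# all-live.txt (live hosts) from the subdomainer step. Writes allUrls.txt,
# liveallurls.txt and nucleiall.txt next to them.
run_pipeline() {
    dir=$1
    need_tools
    [ -s "$dir/all.txt" ] || { echo "no $dir/all.txt" >&2; return 1; }
    # gauplus reads domains from stdin, as in the post's cat all.txt | gauplus ...
    gauplus -subs -b "$BLACKLIST" -o "$dir/allUrls.txt" < "$dir/all.txt"
    # keep only URLs answering 200 or 403
    httpx -l "$dir/allUrls.txt" -mc 200,403 -o "$dir/liveallurls.txt"
    # scan live hosts, skipping informational templates
    nuclei -l "$dir/all-live.txt" -es info -o "$dir/nucleiall.txt"
}

# Usage: ./pipeline.sh path/to/target-folder
if [ $# -gt 0 ]; then
    run_pipeline "$1"
fi
```

The script leaves out -t so nuclei uses its default template directory; add -t /path/to/nuclei-templates to the nuclei line if yours live elsewhere. Running it with no argument only defines the functions, which is what lets drop_static be exercised on a constructed list.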
Does it work?
Yes! I and several of my students have scored countless bugs; the trick is to automate it rather than doing it by hand. This has landed me several Hall of Fame entries, a recent example:
AUTOMATION:
To automate this I have written a shell script; note that a few things need to be installed first:
Gauplus
Httpx
Subdomainer
Go and download the script from GitHub: https://github.com/Ravaan21/Chandrahasa/
Everything about the tool is explained in my GitHub repo.
Now move the script to where you have downloaded subdomainer.
Install: after installing the three tools (and nuclei itself, which the scan step needs):
chmod +x chandrahas.sh
Usage: ./chandrahasa websitename.com
Now go and score some Hall of Fames; start with rollbar.com and use my script. Comment when you score a HOF. Let me know if you need the list of vulnerable targets :)
Stay tuned for the next part, where I explain how Gauing is used to score cash instead of Hall of Fames ;) — Ravaan