Bash Bug Bounty

This document discusses using Bash scripting for bug bounty hunting. It provides an overview of Bash basics like core utilities, IO streams, subshell tricks, conditionals, and loops. It then describes a methodology for bug bounty reconnaissance using Bash, including enumerating subdomains, checking for CNAME records, fetching web pages, and searching outputs for sensitive information. The document demonstrates many of these techniques in interactive "demo time" sections.

Bug Bounties With Bash

TomNomNom
Me
● Trainer
● @TomNomNom online
● Question lover
● Mediocre bug hunter
Obligatory Disclaimer
● The Computer Misuse Act is serious business
● Don’t do things unless you have explicit permission
● I am not your supervisor
Bug Bounties
● Companies have bugs
● You find the bugs
● You tell the companies
● The companies give you money
○ ...or ‘swag’
● I like bug bounties :)
Bash
● Bash is a shell
● ...it’s a botany metaphor!
● A shell wraps the kernel so you can launch processes
● There are other shells…
○ zsh
○ fish
○ ksh
○ explorer.exe…
● I like bash :)
Bug Bounties and Bash?
● Why not?
● There are many purpose-made security tools that nearly do what you want
● Sometimes you just have to make tools
Y u no gui?
● GUIs are nice
● They provide better discoverability
● But if they don’t support your use case you’re SOOL (:
Bash Basics
● This is the bit where I run some commands in a terminal and you all say
“oooh!” and “aaah!” like you’re impressed.
● ...seriously, I could really use the ego boost.
Some Core Utils
● grep - search for patterns in files or stdin
● sed - edit the input stream
● awk - general purpose text-processing language
● cat - concatenate files
● find - list files recursively and apply filters
● sort - sort the lines from stdin
● uniq - remove duplicate lines from stdin
● xargs - run a command using each line from stdin as an argument
● tee - copy stdin to a file and to the screen
IO Streams
● A Linux process has three standard streams:
○ stdin (file descriptor 0)
○ stdout (file descriptor 1)
○ stderr (file descriptor 2)
● stdin defaults to your keyboard
● stdout and stderr default to your screen
● You can redirect the standard streams
○ ‘< file’ connects a file to stdin
○ ‘> file’ redirects stdout to a file
○ ‘2> file’ redirects stderr to a file
○ ‘&> file’ redirects stdout and stderr to a file
○ ‘2>&1’ sends stderr to wherever stdout currently points (so ‘> file 2>&1’ puts both in the file, but ‘2>&1 > file’ leaves stderr on the screen)
● Demo time...
Subshell Tricks
● <(cmd) - exposes the output of ‘cmd’ as a file path (a /dev/fd entry) for commands that want a filename
○ Handy if you want to diff the output of two commands…
○ diff <(cmd-one) <(cmd-two)
● $(cmd) - returns the output text of ‘cmd’
○ Handy if you want to store the command output in a variable
○ myvar=$(cmd)
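An added example (not from the slides) that puts the redirection and subshell forms above into small functions you can run locally. The `noisy` helper, the file names and the host lists are constructed for the demonstration:

```shell
#!/usr/bin/env bash
# Added example: the redirection forms from the slides, as functions.
# noisy writes one line to stdout and one to stderr so we can see where each ends up.
noisy() {
  echo "this is stdout"
  echo "this is stderr" >&2
}

stdout_only() { noisy 2> /dev/null; }       # keep stdout, drop stderr
merged()      { noisy 2>&1; }               # stderr follows stdout (into a pipe, say)
silence()     { noisy > /dev/null 2>&1; }   # stdout to /dev/null, then stderr to the same place
stderr_only() { noisy 2>&1 > /dev/null; }   # order matters: stderr copies the ORIGINAL stdout,
                                            # then only stdout is sent to /dev/null

# save_split FILEBASE: stdout to FILEBASE.out, stderr to FILEBASE.err, nothing on screen
save_split() { noisy > "$1.out" 2> "$1.err"; }

# <(cmd) turns a command's output into a path; comm needs sorted input, so sort inline.
# new_hosts OLD NEW prints names present in NEW but not in OLD (today's list vs yesterday's)
new_hosts() { comm -13 <(sort -u "$1") <(sort -u "$2"); }

# $(cmd) captures output as text; the arithmetic strips any padding wc adds
host_count() { echo $(( $(wc -l < "$1") )); }
```

`stderr_only` is the one people get wrong: `2>&1` is evaluated before `> /dev/null`, so stderr is attached to the original stdout and survives while stdout is discarded.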
Methodology
● I like recon :)
● Let’s:
○ Enumerate subdomains
○ Check for dangling CNAMEs
○ Request all the pages
○ Look for things in the results
● Maybe then I’ll take some requests :)
Enumerating Subdomains
● We could use external services
○ hackertarget.com
○ crt.sh
○ certspotter.com
● But it’s nice to complement that with good-old brute force
● You will need:
○ A target
○ A wordlist
○ Bash :)
Does it resolve? Only humans know for sure
Enter Exit Codes
Conditionals
Demo Time
● Yay! Demo time!
Command Oriented Programming
Tidying It Up A Little
Loops
More Demo Time
● I love demo time (:
Looping Over stdin
Putting It Together
If you liked it you shoulda put a .sh on it
I Like It Generic
Permissions
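Putting the pieces from the slides above together (exit codes, a conditional, a loop over stdin, a generic script you chmod +x): an added example, not the talk's own script, of a small subdomain brute-forcer. The resolver is pluggable through a RESOLVER variable (default `host`, which exits non-zero when a name does not resolve) so the loop can be exercised against a stand-in; the domain and wordlist below are constructed.

```shell
#!/usr/bin/env bash
# Added example: brute-force subdomains by reading words from stdin and keeping
# the ones that resolve. Exit codes drive the conditional: `host NAME` exits 0
# when it gets an answer and non-zero otherwise.
# RESOLVER can be pointed at any command or function with the same exit-code contract.
RESOLVER="${RESOLVER:-host}"

# does_resolve NAME -> exit status 0 if NAME resolves
does_resolve() {
  "$RESOLVER" "$1" > /dev/null 2>&1
}

# brute_domain DOMAIN < wordlist -> prints each WORD.DOMAIN that resolves
brute_domain() {
  local domain="$1" word
  while read -r word; do
    [ -z "$word" ] && continue              # skip blank lines in the wordlist
    if does_resolve "${word}.${domain}"; then
      echo "${word}.${domain}"
    fi
  done
  return 0   # the loop's status would otherwise be that of the last lookup
}

# Usage: chmod +x subs.sh && printf 'www\nmail\ndev\n' | ./subs.sh example.test
if [ "$#" -ge 1 ]; then
  brute_domain "$1"
fi
```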
Dangling CNAMEs
The Plan
● Check subdomains for CNAME records
● Check if those CNAMEs resolve
● ...profit?
● Demo time :)
Getting the CNAMEs
In Case That Demo Went Badly...
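An added example (not from the talk) of the CNAME check described in The Plan: for each name on stdin, ask for its CNAME target and then check whether that target still resolves. Lookups go through a LOOKUP command (the default wraps `dig +short`) so the logic can be tested against a stand-in; the names and addresses below are constructed. A dangling record in your own zone is a finding to remove; whether the target can be re-registered depends on the provider and is out of scope here.

```shell
#!/usr/bin/env bash
# Added example: find CNAME records whose target no longer resolves.
# LOOKUP TYPE NAME must print the matching records (one per line) or nothing.
LOOKUP="${LOOKUP:-dig_short}"
dig_short() { dig +short "$2" "$1"; }       # i.e. dig +short NAME TYPE

cname_target() { "$LOOKUP" CNAME "$1" | head -n 1; }   # first CNAME target, or empty

# target_resolves NAME -> exit 0 if an IPv4 address comes back.
# Checking for an address rather than "any output" matters: dig +short prints the
# CNAME chain even when the chain ends nowhere. IPv4 only; add an AAAA query for v6.
target_resolves() { "$LOOKUP" A "$1" | grep -Eq '^[0-9]+(\.[0-9]+){3}$'; }

# check_dangling NAME -> prints "NAME -> TARGET" and exits 0 when the CNAME target is dead
check_dangling() {
  local name="$1" target
  target=$(cname_target "$name")
  [ -z "$target" ] && return 1                  # not a CNAME at all
  if target_resolves "$target"; then
    return 1                                    # alias is healthy
  fi
  echo "$name -> $target"
}

# find_dangling < names -> one line per dangling CNAME
find_dangling() {
  local name
  while read -r name; do
    [ -z "$name" ] && continue
    check_dangling "$name" || true
  done
}

if [ "$#" -ge 1 ]; then
  find_dangling < "$1"   # Usage: ./dangling.sh subdomains.txt
fi
```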
Fetch All The Things
● Having lots of targets to look at can be overwhelming
● Dddddddemo time
A Thing To Fetch All The Things
Finding Things In The Output
Some Things To Grep For
● Titles
● Server headers
● Known ‘subdomain takeover’ strings
● URLs (and then go and fetch the URLs!)
○ JavaScript files are nice (:
● Secrets
● Error messages
● File upload forms
● Interesting Base64 encoded strings ;)
○ (eyJ|YTo|Tzo|PD[89]) - base64 of ‘{"’, ‘a:’, ‘O:’ and ‘<?’, i.e. JSON (and JWTs), PHP serialized data and PHP/XML source
● Demo time, obv.
When Your Outputs Are Your Inputs
● Let’s look for some s3 buckets…
● D
● E
● M
● O
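An added example covering Fetch All The Things, Finding Things In The Output and the s3 bucket hunt (not the talk's own scripts): `fetch_all` saves each host's full response under one directory, and the grep helpers pull titles, Server headers, the S3 NoSuchBucket error and base64 candidates back out. The two saved responses are constructed so the extraction runs offline; the choice of https and the 10-second timeout are assumptions.

```shell
#!/usr/bin/env bash
# Added example: fetch responses into a directory, then grep that directory.

# fetch_all DIR < hosts -> saves headers+body for https://HOST/ as DIR/HOST
fetch_all() {
  local dir="$1" host
  mkdir -p "$dir"
  while read -r host; do
    case "$host" in ''|*/*|*..*) continue ;; esac   # never let input choose the path
    curl -s -i -m 10 -L "https://$host/" > "$dir/$host" 2> /dev/null || true
  done
}

# make_samples DIR: two constructed responses, standing in for what fetch_all would save
make_samples() {
  mkdir -p "$1"
  printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Type: text/html\r\n\r\n<html><head><title>Staging portal</title></head><body><script>var t="eyJhbGciOiJIUzI1NiJ9.payload.sig";</script></body></html>\n' > "$1/staging.example.test"
  printf 'HTTP/1.1 404 Not Found\r\nServer: AmazonS3\r\n\r\n<Error><Code>NoSuchBucket</Code></Error>\n' > "$1/files.example.test"
}

# Each helper runs from inside DIR so grep -H prints HOST:MATCH, one per line
titles()         { ( cd "$1" && grep -H -i -o '<title>[^<]*</title>' -- * ); }
server_headers() { ( cd "$1" && grep -H -i '^server:' -- * | tr -d '\r' ); }
s3_errors()      { ( cd "$1" && grep -l 'NoSuchBucket' -- * ); }   # hosts answering with the S3 error
# The slides' prefixes are what base64 makes of '{"', 'a:', 'O:' and '<?';
# requiring a run of base64 characters after them cuts down on noise.
b64_candidates() { ( cd "$1" && grep -H -E -o '(eyJ|YTo|Tzo|PD[89])[A-Za-z0-9+/=]{8,}' -- * ); }
```

The output of `s3_errors` is the "outputs are your inputs" step: the host list it prints is what you feed into the next check.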
When In Doubt: Use Your Eyes
● Deeeeeeeemo time
● It’s demo time
● Time for a demo
● I like demos :)
Speeding Things Up
● Pipes give you some parallelisation for free
○ It’s not enough though, is it?
● xargs can run things in parallel…
● Let’s speed up our subdomain brute-forcer
● What time is it?
○ It’s demo time.
A Bit Of A Mess
A Little Cleaner
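The Speeding Things Up slides as an added example (not the talk's own code): the same exit-code check on a name, run through xargs -P. The "bit of a mess" version inlines everything on one line; the cleaner one names the worker and exports it so each `bash -c` child can call it. RESOLVER defaults to `host`; the wordlist is constructed.

```shell
#!/usr/bin/env bash
# Added example: parallelising the subdomain check with xargs -P.
RESOLVER="${RESOLVER:-host}"
export RESOLVER

does_resolve() { "$RESOLVER" "$1" > /dev/null 2>&1; }
export -f does_resolve    # xargs starts fresh bash processes; they only see exported functions

# add_domain DOMAIN: turn words on stdin into WORD.DOMAIN, dropping blank lines
add_domain() { grep -v '^[[:space:]]*$' | sed "s|\$|.$1|"; }

# A bit of a mess: everything inline, 20 workers, one name per worker invocation
brute_messy() {
  add_domain "$1" | xargs -P 20 -I{} bash -c 'if does_resolve "$1"; then echo "$1"; fi' _ {}
}

# A little cleaner: the worker is a named function and the job count is a parameter.
# Workers finish in any order, so the result is sorted to make runs comparable.
check_one() { if does_resolve "$1"; then echo "$1"; fi; }
export -f check_one

brute_parallel() {
  local domain="$1" jobs="${2:-20}"
  add_domain "$domain" | xargs -P "$jobs" -I{} bash -c 'check_one "$1"' _ {} | sort
}
```

Pick the job count with the resolver in mind: every worker is a DNS query in flight against your configured resolver.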
Bits And Bobs
● Use dtach for long-running tasks
● vim is a major part of my workflow
● When things get complex, consider a different language…
○ I like Go :)
○ Check out meg, comb, unfurl, waybackurls, gf, httprobe, concurl...
Any Requests?
● This is risky, isn’t it?
● Questions? I love questions
