Building a bug bounty box in AWS
At the beginning of August I started trying to do bug bounties. The learning curve has been steep, and it was obvious that the more structured my process was, the better I'd do. The reconnaissance stage is incredibly important: the more valid reports you submit, the more programs you are invited to, so the list of domains and targets is always growing.
Running this near-constant reconnaissance from my home PC causes a lot of unnecessary issues, so the easiest option seemed to be to build it in the cloud. My solution was to create a Linux instance in the cloud and write two scripts for the machine.
The first script is the installation script. Starting from a fresh install of Kali Linux, it first updates the system and then installs all the tools needed for the reconnaissance stage.
The second is the reconnaissance script, which I've named baggy.sh. It should find me places to start looking for bounties.
AWS Marketplace has a Kali Linux subscription. Spinning up an instance is pretty simple, and the cost can range from completely free (for a 1-core, 2GB machine) to something with a lot more juice.
I used a Kali machine with the following configuration, which does have a cost to it:
Changed the storage to 32GB
Changed security to only allow incoming sessions from my home IP address
Instance is t2.2xlarge, which is 4 cores and 32GB RAM
SSH with a PEM key
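The security-group setting above is the one that keeps the box from being an SSH target for the whole internet, so it is worth checking rather than assuming. The following is an added example, not a script from the post: it audits a list of ingress rules and flags any rule that reaches tcp/22 from anything wider than a single /32 host. The input format ("FROM_PORT TO_PORT CIDR", one rule per line) and the sample rules are constructed for this example; producing those lines from `aws ec2 describe-security-groups` with a `--query`/`--output text` is left as an assumption, since the post does not show the AWS output.

```sh
#!/bin/sh
# Added example, not code from the post: audit an instance's security-group
# ingress rules so that SSH (tcp/22) is reachable only from a single /32 home
# address, which is what "only allow incoming sessions from my home IP" intends.
#
# Input: one rule per line as "FROM_PORT TO_PORT CIDR". Protocol-wide rules
# carry no port and arrive as "None". ASSUMPTION: these lines are produced from
# the AWS CLI (aws ec2 describe-security-groups --group-ids "$SG_ID" with a
# --query over SecurityGroups[].IpPermissions[] and --output text) and then
# flattened into this shape; the post does not show the AWS output layout.

# Prints every rule that exposes port 22 beyond a single host.
# Returns 0 when SSH is properly restricted, 1 when any rule exposes it.
audit_ssh_rules() {
    bad=0
    while read -r from to cidr; do
        [ -z "$from" ] && continue
        # "None" or -1 means the rule covers every port
        case "$from" in None|-1) from=0; to=65535 ;; esac
        # skip rules whose port range does not include 22
        if [ "$from" -gt 22 ] || [ "$to" -lt 22 ]; then continue; fi
        case "$cidr" in
            */32) ;;   # exactly one IPv4 host, as intended (IPv6 rules are flagged too)
            *)   echo "EXPOSED: tcp/$from-$to open to $cidr"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Constructed sample rules (not real AWS output): the second and fourth
# would let anyone reach SSH.
SAMPLE_RULES='22 22 203.0.113.7/32
22 22 0.0.0.0/0
443 443 0.0.0.0/0
None None 10.0.0.0/8'

# Number of exposed rules in the constructed sample (expected: 2).
count_sample_exposures() {
    printf '%s\n' "$SAMPLE_RULES" | audit_ssh_rules | grep -c EXPOSED
}
```

Run the audit after any security-group change; a non-zero exit from `audit_ssh_rules` means the home-IP restriction has been widened, which is exactly the condition that should block the rest of the setup.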
Kali no longer uses root as its default user, so to log in with the PEM key the user is kali:
ssh -i something.pem kali@ec2-<Public IPv4 DNS>
Scripts
The scripts can be found here:
The first script is the installation script; it updates the machine and installs the relevant applications. I've used a selection of tools written in Go which have become popular in the last few years, many of them by people like Tomnomnom and projects like ProjectDiscovery.
The second script (baggy.sh) runs the recon and writes its output to files. After you create a file called scope.txt containing the list of in-scope domains, the baggy script goes through the following phases:
Finding assets, subdomains and URLs
Finding possible LFI
Finding possible Open Redirect
Finding possible CRLF
Finding possible XSS
Finding possible RCE
Finding possible CVEs
The purpose of this script is to find places to start investigating, not to output a definite bug to report. It finds opportunities for bug bounties.
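Because every later phase works from the hosts the first phase discovers, the scope.txt handling is where a recon script either stays inside a program's rules or quietly drifts outside them. The following is an added example, not baggy.sh itself or any of its code: it normalises scope.txt entries (URLs, mixed case, `*.` wildcards, comments) into a clean list, and filters discovered hosts against that list before they are handed to the next phase. The function names `normalize_scope`, `in_scope` and `filter_in_scope`, and the example domains, are assumed for this illustration; the post does not show how baggy.sh parses scope.txt.

```sh
#!/bin/sh
# Added example, not baggy.sh itself: scope handling for the first phase.
# Everything the recon touches should come from scope.txt, and every host the
# enumeration tools discover should be checked against it before the later
# phases run, so nothing outside the program's scope gets probed.

# Normalise scope.txt into "<host> <wildcard>" lines, one per entry.
# Accepts "https://Example.com/login", "*.corp.example.org", comments, blanks.
# wildcard is 1 when the entry was "*.host", i.e. subdomains are in scope.
normalize_scope() {
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                  # strip comments
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | tr 'A-Z' 'a-z')
        [ -z "$line" ] && continue
        line=${line#*://}                                 # drop scheme
        line=${line%%/*}                                  # drop path
        line=${line%%:*}                                  # drop port
        wild=0
        case "$line" in \*.*) wild=1; line=${line#\*.} ;; esac
        # reject anything that is not a plausible DNS name
        case "$line" in
            *[!a-z0-9.-]*|.*|*.|*..*) echo "skip: $line" >&2; continue ;;
        esac
        printf '%s %s\n' "$line" "$wild"
    done
}

# Exit 0 when HOST is covered by the normalised scope in SCOPE_FILE.
# Usage: in_scope HOST SCOPE_FILE
in_scope() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); sfile=$2
    while read -r root wild; do
        [ "$host" = "$root" ] && return 0
        if [ "$wild" = 1 ]; then
            case "$host" in *."$root") return 0 ;; esac   # any subdomain of root
        fi
    done < "$sfile"
    return 1
}

# Keep only in-scope hosts from a candidate list on stdin (for example the
# output of subdomain enumeration) before handing them to the later phases.
# Usage: filter_in_scope SCOPE_FILE < candidates
filter_in_scope() {
    while IFS= read -r h || [ -n "$h" ]; do
        [ -n "$h" ] && in_scope "$h" "$1" && printf '%s\n' "$h"
    done
}

# Demo on constructed data (hypothetical domains); run with RUN_DEMO=1 sh scope.sh
demo() {
    scope=$(mktemp)
    printf '%s\n' 'https://Example.com/login' '*.corp.example.org  # wildcard' 'not a domain!' \
        | normalize_scope > "$scope"
    echo "--- normalised scope"; cat "$scope"
    echo "--- in-scope candidates"
    printf '%s\n' api.corp.example.org www.example.com evil.example.net example.com \
        | filter_in_scope "$scope"
    rm -f "$scope"
}
if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

The wildcard flag is the important design choice: a bare `example.com` entry covers only that host, so `www.example.com` is dropped unless the program listed `*.example.com`. Running enumeration output through `filter_in_scope` before the LFI, open redirect, CRLF, XSS, RCE and CVE phases keeps every later request inside what the program actually authorised.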
A second part of this blog will be an explanation of the scripts and what they do.