Automating Subdomain Enumeration to Discover Critical Vulnerabilities
Hello, I’m Shubham Tiwari, commonly known as Rooter in the cybersecurity space. Today, I’m going to share how I identified a critical vulnerability using automated tools and earned a bounty of $3000 on a target, example.com. While the term critical can vary based on individual perspectives, here’s the exact process I followed, along with the commands used.
Step 1: Subdomain Enumeration
The first step in bug bounty hunting is to discover all possible subdomains of the target. For this, I used two highly effective tools: Subfinder and Amass.
- Subfinder: This tool helps in passive subdomain discovery.
- Amass: Another powerful tool for enumerating subdomains, run here in passive mode.
Commands:
subfinder -d example.com -o subdomains.txt
amass enum -passive -d example.com -o amass_subdomains.txt
These commands saved the discovered subdomains into subdomains.txt and amass_subdomains.txt, respectively.
Step 2: HTTP Probing with HTTPX
After gathering the subdomains, the next step was to identify which ones were live. I used HTTPX to check the status of these subdomains.
Command:
httpx -l subdomains.txt -o live_subdomains.txt
This command quickly checked for live HTTP(S) services on the discovered subdomains and saved the results to live_subdomains.txt.
Step 3: URL Crawling with waybackurls, Go, and Katana
Once I had the live subdomains, I crawled them to extract URLs that could have vulnerabilities. I used a combination of tools: waybackurls, Go, and Katana to gather potential attack points.
Commands:
katana -u https://example.com -o urls.txt
cat live_subdomains.txt | waybackurls > waybackurls.txt
Waybackurls gathers archived URLs from the Wayback Machine, and Katana performs deeper crawling to discover potential attack surfaces.
Step 4: Vulnerability Scanning with Nuclei
Next, I used Nuclei to scan the URLs for vulnerabilities. Instead of relying only on default templates, I used custom Nuclei templates that I had previously created, stored in /opt/rooter/. This was key to finding a Local File Inclusion (LFI) vulnerability.
Command:
nuclei -l live_subdomains.txt -t /opt/rooter/custom_templates/ -o nuclei_report.txt
This command ran Nuclei using my custom templates and output the results to nuclei_report.txt.
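Steps 1 to 4 above are one pipeline, and the two enumeration files are never merged before probing. The script below is an added example (not the author's script) that chains the post's commands and adds an in-scope filter between enumeration and probing, so that duplicates, mixed case, trailing dots and hosts outside the target domain never reach httpx or Nuclei. The tool names and flags are the ones the post shows; merge_subdomains, require_tools and run_pipeline are names chosen here, the /opt/rooter/custom_templates/ path is the post's, and the sample subdomain list at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not the post's own script: recon steps 1-4 chained together,
# with an in-scope filter so only hosts under the target domain are probed.

# Normalise and merge subdomain lists: lowercase, strip trailing whitespace,
# trailing dots and blank lines, keep only the target itself or hosts ending in
# ".<target>" (so "notexample.com" and "x.example.com.attacker.net" are dropped),
# then de-duplicate. Usage: merge_subdomains <domain> <file>...
merge_subdomains() {
    domain="$1"; shift
    # escape the dots in the domain so they are literal inside the regex
    esc=$(printf '%s' "$domain" | sed 's/\./\\./g')
    cat "$@" \
        | tr 'A-Z' 'a-z' \
        | sed -e 's/[[:space:]]*$//' -e 's/\.$//' -e '/^$/d' \
        | grep -E "(^|\\.)${esc}\$" \
        | sort -u
}

# Fail early if any tool is missing instead of discovering it mid-run.
# Usage: require_tools <name>...
require_tools() {
    missing=""
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 || missing="$missing $t"
    done
    if [ -n "$missing" ]; then
        echo "missing tools:$missing" >&2
        return 1
    fi
    return 0
}

# The post's steps 1-4 in order. Usage: run_pipeline <domain> [outdir]
run_pipeline() {
    domain="$1"; out="${2:-recon_$1}"
    require_tools subfinder amass httpx katana waybackurls nuclei || return 1
    mkdir -p "$out"
    # Step 1: passive enumeration with both tools (commands from the post)
    subfinder -d "$domain" -o "$out/subdomains.txt"
    amass enum -passive -d "$domain" -o "$out/amass_subdomains.txt"
    merge_subdomains "$domain" "$out/subdomains.txt" "$out/amass_subdomains.txt" \
        > "$out/all_subdomains.txt"
    # Step 2: probe the merged, in-scope list for live HTTP(S) services
    httpx -l "$out/all_subdomains.txt" -o "$out/live_subdomains.txt"
    # Step 3: crawl every live host with katana (one -u per host, as in the
    # post) and pull archived URLs for the same hosts with waybackurls
    while read -r host; do
        katana -u "$host"
    done < "$out/live_subdomains.txt" >> "$out/urls.txt"
    waybackurls < "$out/live_subdomains.txt" > "$out/waybackurls.txt"
    # Step 4: nuclei with the custom template directory named in the post
    nuclei -l "$out/live_subdomains.txt" -t /opt/rooter/custom_templates/ \
        -o "$out/nuclei_report.txt"
}

# Demo of the scope filter on a constructed list (no network, no tools needed).
sample=$(mktemp)
printf '%s\n' 'www.example.com' 'API.example.com.' 'www.example.com' \
    'evil.example.com.attacker.net' 'notexample.com' 'example.com' \
    'dev.example.com' '' > "$sample"
echo "in-scope, de-duplicated hosts:"
merge_subdomains example.com "$sample"
rm -f "$sample"

# The real pipeline only runs when explicitly requested:
#   RUN_PIPELINE=1 sh recon.sh example.com
if [ "${RUN_PIPELINE:-0}" = "1" ]; then
    run_pipeline "${1:-example.com}"
fi
```

Running the file as-is only exercises the filter on the constructed list and prints four hosts (api, dev, www and the apex); the lookalike "evil.example.com.attacker.net" and "notexample.com" are dropped because the pattern anchors on a dot boundary before the target and at end of line. Setting RUN_PIPELINE=1 runs the post's tools in sequence and stops before touching the network if any of them is not installed.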
Step 5: Vulnerability Verification
After the automated scan, I manually verified the vulnerability by exploiting the LFI using standard file inclusion payloads, confirming that sensitive server files could be accessed through the vulnerable endpoint.
Step 6: Reporting and Reward
After confirming the LFI vulnerability, I submitted it through the target’s bug bounty program. The vulnerability was validated quickly, and I received a bounty of $3000.
Conclusion
Automation is a powerful tool in the world of bug bounty hunting. By using tools like Subfinder, HTTPX, Waybackurls, Katana, and Nuclei, I was able to identify a critical vulnerability that might have been missed during manual testing. This approach not only saves time but also increases accuracy in finding hidden security flaws.
Best regards,
Shubham Tiwari (Rooter)
Connect with Shubham via:
- Email: shubhamrooter@gmail.com
- LinkedIn: https://www.linkedin.com/in/shubham-tiwari09
- Twitter: https://twitter.com/shubhamtiwari_r
Happy bug hunting! 🐞✨