Gauing for instant bounties.[Conclusion]

Ravaan
3 min readSep 19, 2022

--

So in the previous part, I explained how to Gau, to score instant bounties. If you’ve not read that part then please do else this would not make sense.

So now Gauing for me is a 3 step process. 1st you need to gather all subdomains and when i mean all, I mean it. If you do not have a good subdomain enumeration method then don’t worry you can copy mine.

Let’s say if you don’t want to bother yourself with all of these functionalities then you can simply use my TOOL. This will work if you enter a website and will enumerate all subdomains along with running GAU on all the subdomains and collecting a list.

Part 1: Gold Rush

Gaued are basically all urls but amongst those we are typically interested in few.

For this, I use a TOOL called back-me-up which finds all these above files from the Gaued list.

usage: ./bulkyy.sh -f gauedfile.txt

This has fetched me multiple leaks in past.

Part 2: Diamond Mining

So now you have plenty of footholds but what else can you do? Here’s when things get intesting because now you can look for certain keywords in these documents in order to get critical points. The more you have, the better. Here’s my recon from the dutch government.

Grep things like these which can be sensitive. This has come after lot of trial and errors. Go and check all these urls which you think is relevant. Check file. PDF which can be confidential.

Heres is a list of things to grep for after gauing:

confidential,secret,sensitive,\.doc,\.xlsx,\.csv,employee-only, propreitary.

These often lead to sensitive endpoints or even sensitive files.

Api endpoints:

I will write a separate article on how to exactly test and utilize these but there are certain api enpoints that you can grep for and get good access.

Ex: grep “/api”,”/api/v1”

This has given me big bounties

API testing with gau is another beast and I can write a novel about it but let me know if you want API testing as most are focussed on instant bounty series. I did not hide the endpoints so feel free to escalate and find more.

Follow my procedures and I can guarantee that you are bound to be successful. Remember that this only works in wide-scope programs so choose wisely. Invictus!

DISCORD:

https://discord.gg/z8zvwUDMup

--

--

Ravaan

Red Teamer/BBHH. APPLE HOF ADOBE HOF, Governments to fortune 500 companies, UN. Reaseacher/Malware. CVE Hunting. Bookworm. CEH(prac)