██████╗ ███████╗██╗ ██╗ ██╗ ██████╗ ██╗██╗ ██╗
██╔══██╗██╔════╝██║ ██║███║██╔═████╗███║╚██╗██╔╝
██║ ██║█████╗ ██║ ██║╚██║██║██╔██║╚██║ ╚███╔╝
██║ ██║██╔══╝ ╚██╗ ██╔╝ ██║████╔╝██║ ██║ ██╔██╗
██████╔╝███████╗ ╚████╔╝ ██║╚██████╔╝ ██║██╔╝ ██╗
╚═════╝ ╚══════╝ ╚═══╝ ╚═╝ ╚═════╝ ╚═╝╚═╝ ╚═╝
- What Is This?
- Quick Start
- T3MP3ST — AI-Powered War Room
- Main Commands
- Tool Matrix by Phase
- Tools by Category
- Report Example
- Workflow
- Practice Without Touching Real Programs
- Project Structure
- Important Rules
- Troubleshooting
- Learning Resources
- Changelog
A workspace built around the real bug bounty workflow on HackerOne: choose a program, document scope, scan within boundaries, chain findings, and report in a format triagers accept fast. The 400+ generic pentesting arsenal and local VM lab are available as support — not the entry point.
┌─────────────────────────────────────────────────────────────────────┐
│ │
│ SCOPE RECON/VULN REPORT │
│ ═════ ══════════ ══════ │
│ │
│ ┌───────────┐ ┌───────────────────┐ ┌───────────────┐ │
│ │programs/ │────▶ bugbounty-hunter ───▶ report.md │ │
│ │*.md │ │ .sh │ │ (H1 template) │ │
│ └───────────┘ └────────┬──────────┘ └───────┬───────┘ │
│ scope check │ │ │
│ (blocks if not ▼ ▼ │
│ documented) ┌─────────────┐ ┌──────────────┐ │
│ │auto-scanner │ │ Hacktivity │ │
│ │ (arsenal) │ │ dedup check │ │
│ └─────────────┘ └──────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────┘
cd bugbounty-lab101
chmod +x bugbounty/*.sh auto-scanner/*.shcd bugbounty
./bugbounty-hunter.sh new program-name
# Edit ../programs/program-name.md with the EXACT scope from the H1 policy./bugbounty-hunter.sh scope target.com # must say "Scope OK" before proceeding
./bugbounty-hunter.sh full target.com # recon -> vuln -> brute -> secrets -> api -> report./bugbounty-hunter.sh report target.com
# Complete bugbounty/reports/target.com/report-YYYYMMDD.md with the H1 templateBefore submitting, read docs/hackerone-workflow.md (Hacktivity dedup, report quality, post-submission steps).
This lab integrates T3MP3ST as its offensive security engine — a multi-agent framework that turns your AI coding agent into a zero-day hunter.
# 1. Clone T3MP3ST into the lab (it's .gitignored, separate repo)
git clone https://github.com/DevCop95/T3MP3ST t3mp3st
cd t3mp3st && npm install && cd ..
# 2. Configure API keys
cp t3mp3st/.env.example t3mp3st/.env
# Edit t3mp3st/.env with your LLM provider key(s)
# 3. Start the server
./start-server.sh
# War Room → http://127.0.0.1:3333/ui/| Feature | Description |
|---|---|
| War Room UI | Web interface for mission planning and execution |
| Recon Engine | nmap, DNS, HTTP fingerprinting — 90.1% pass@1 on XBEN |
| Exploit Loop | 8-operator kill chain (Recon → Scanner → Exploiter → ...) |
| Payload DB | 200+ payloads (SQLi, XSS, SSTI, LFI, SSRF, CMDi, XXE) |
| MCP Server | node t3mp3st/dist/mcp-server.js for agent integration |
| Evidence Vault | Persistent findings, evidence, and retest tracking |
T3MP3ST works without API keys by connecting your local AI agent (Claude Code, Codex, Hermes). In the War Room UI, open Settings and connect your agent — then describe targets in plain English.
| Command | Description | Example |
|---|---|---|
bugbounty-hunter.sh new <prog> |
Create scope tracker for a program | ./bugbounty-hunter.sh new acme-corp |
bugbounty-hunter.sh scope <target> |
Verify target is in scope | ./bugbounty-hunter.sh scope target.com |
bugbounty-hunter.sh full <target> |
Full pipeline (recon to report) | ./bugbounty-hunter.sh full target.com |
bugbounty-hunter.sh recon <target> |
Recon only | ./bugbounty-hunter.sh recon target.com |
bugbounty-hunter.sh report <target> |
Generate report with H1 template | ./bugbounty-hunter.sh report target.com |
pentest.sh <url> |
Generic arsenal (400+ tools) | pentest.sh https://target.com |
pentest.sh matrix |
Full tool matrix | pentest.sh matrix |
pentest.sh search <function> |
Search for a tool | pentest.sh search sql_injection |
pentest.sh express <url> |
Express scan | pentest.sh express https://target.com |
pentest.sh install |
Install missing tools | pentest.sh install |
./start-server.sh |
Start T3MP3ST War Room (AI-powered) | ./start-server.sh |
npm run server |
Start T3MP3ST from t3mp3st/ dir | cd t3mp3st && npm run server |
All active scanning commands in bugbounty-hunter.sh verify scope against programs/*.md before touching the target.
╔═════════════════════════════════════════════════════════════════════════╗
║ ║
║ PHASE 1 PHASE 2 PHASE 3 PHASE 4 ║
║ RECON SCANNING ENUMERATION EXPLOITATION ║
║ ║
║ ┌───────────┐ ┌───────────┐ ┌───────────┐ ┌───────────┐ ║
║ │ nmap │─▶ nikto ──▶ enum4l ──▶ sqlmap
║ │ amass │ │ gobuster │ │ smbclnt │ │metasploit │ ║
║ │ dig │ │ whatweb │ │ ldapsrc │ │ xsser │ ║
║ │ whois │ │ wfuzz │ │ rpcclnt │ │ wpscan │ ║
║ └───────────┘ └───────────┘ └───────────┘ └───────────┘ ║
║ │ │ │ │ ║
║ ▼ ▼ ▼ ▼ ║
║ ┌───────────┐ ┌───────────┐ ┌───────────┐ ┌───────────┐ ║
║ │ theHarv │ │ dirb │ │ snmpwalk │ │ msfvenom │ ║
║ │ recon-ng │ │ ffuf │ │ nbtscan │ │ searchsp │ ║
║ └───────────┘ └───────────┘ └───────────┘ └───────────┘ ║
║ ║
╠═════════════════════════════════════════════════════════════════════════╣
║ ║
║ PHASE 5 PHASE 6 PHASE 7 PHASE 8 ║
║ BUSINESS LOGIC API TESTING CHAIN ATTACKS REPORT ║
║ ║
║ ┌───────────┐ ┌───────────┐ ┌───────────┐ ┌───────────┐ ║
║ │auth flow │ │ swagger │ │CORS+CSRF │ │ H1 │ ║
║ │race cond │ │ graphql │ │SSRF+RCE │ │ REPORT │ ║
║ │mass assn │ │ nuclei │ │IDOR+priv │ │ .md │ ║
║ └───────────┘ └───────────┘ └───────────┘ └───────────┘ ║
║ ║
╚═════════════════════════════════════════════════════════════════════════╝
┌────────────────────────────────────────────────────────────────┐
│ NETWORK SCANNING: │
│ nmap masscan zmap unicornscan │
│ netdiscover │
│ │
│ DNS ENUMERATION: │
│ dnsrecon dig host dnsenum │
│ dnsmap sublist3r subfinder subbrute │
│ dnsgen gotator fierce dnspoodle │
│ │
│ HTTP RECON: │
│ httpx httprobe gau waybackurls │
│ katana gospider hakrawler linkfinder │
│ jsfinder secretfinder paramspider arjun │
│ │
│ CLOUD RECON: │
│ s3scanner cloud_enum lazys3 bucket_finder │
│ │
│ SUBDOMAIN TAKEOVER: │
│ subjack subover nuclei canari │
└────────────────────────────────────────────────────────────────┘
┌─────────────────────────────────────────────────────────────────┐
│ SCANNERS: nikto whatweb wapiti arachni skipfish │
│ DIRECTORY BRUTE: gobuster dirb feroxbuster dirsearch │
│ FUZZING: wfuzz ffuf arjun x8 paramspider │
│ VULNERABILITIES: sqlmap xsser dalfox commix xsstrike │
│ CMS: wpscan joomscan droopescan cmseek cariddi │
└─────────────────────────────────────────────────────────────────┘
# Bug Bounty Report
## Platform
HackerOne
## Program
[program name]
## Researcher
[your-handle]
## Target
prime.example.com
## Weakness (H1 taxonomy)
CWE-538: Insertion of Sensitive Information into Externally-Accessible File
## Executive Summary
S3 bucket with listing enabled exposes N files without authentication,
including internal HR documents.
## Steps to Reproduce
1. curl -k https://prime.example.com/file-service/static/
2. ...
## Impact
[Concrete business impact, not generic]Full template at bugbounty/templates/report-template.md.
┌─────────────────────┐
│ Choose H1 Program │
└──────────┬──────────┘
▼
┌─────────────────────┐
│ bugbounty-hunter.sh │
│ new <program> │
└──────────┬──────────┘
▼
┌─────────────────────┐
│ Document scope in │
│ programs/*.md │
└──────────┬──────────┘
▼
┌────────────────────────────────┐
│ bugbounty-hunter.sh full <t> │
└────────────────┬───────────────┘
│
┌──────────────────┼──────────────────┐
▼ ▼ ▼
┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ RECON/VULN │ │ MANUAL VERIF │ │ CHAIN ATTACK │
│ (scripts) │ │ (manual) │ │ (manual) │
└──────┬───────┘ └──────┬───────┘ └──────┬───────┘
└──────────────────┼──────────────────┘
▼
┌─────────────────────┐
│ Dedup in Hacktivity│
└──────────┬──────────┘
▼
┌─────────────────────┐
│ Submit H1 Report │
└─────────────────────┘
Full methodology at docs/hackerone-workflow.md.
legacy-vm-practice/ is yours: private IPs you spin up, no third-party scope to respect. Use it to learn new techniques before applying them to a real program.
cd legacy-vm-practice
./scripts/setup_network.sh # requires sudo
./scripts/download_vms.sh
./scripts/start_lab.sh
./scripts/verify_lab.shSee legacy-vm-practice/README.md and legacy-vm-practice/docs/quickstart.md.
bugbounty-lab/
│
├── README.md # This file — overview + usage guide
│
├── programs/ # Scope tracker: one .md per H1 program
│ ├── README.md
│ └── _template.md
│
├── bugbounty/ # Core bug bounty engine
│ ├── bugbounty-hunter.sh # scope/new/recon/vuln/brute/secrets/api/report
│ ├── QUICK-REFERENCE.md # Commands, payloads, bounty by severity
│ ├── templates/report-template.md
│ └── reports/<target>/ # Output per phase + final report
│
├── auto-scanner/ # Generic arsenal (400+ tools, not H1-specific)
│ ├── pentest.sh # Unified command (incl. `pentest.sh bounty ...`)
│ ├── tools/registry.sh
│ ├── burp-integration/
│ └── reports/
│
├── docs/
│ ├── hackerone-workflow.md # H1 methodology: choose program, dedup, quality
│ ├── ai-assisted-code-review.md # AI-assisted code/JS review
│ ├── known-cve-watchlist.md # Most reported CVEs in Hacktivity
│ ├── known-cwe-watchlist.md # Most reported vuln classes in Hacktivity
│ └── recursos/learning-resources.md
│
└── legacy-vm-practice/ # Classic VM lab (DVWA, Metasploitable...)
- Never scan an asset that is not documented as In Scope in
programs/<program>.md.bugbounty-hunter.shblocks it by default —FORCE=1is a signal that scope is missing, not a normal shortcut. - Respect each program's exclusions and special rules (rate limits, excluded vuln types, test accounts).
- Check for duplicates in Hacktivity before reporting.
- Do not run destructive actions against real targets — see the checklist in
bugbounty/templates/report-template.md. legacy-vm-practice/is yours: private IPs you spin up, no third-party scope. Use it to learn new techniques.
bugbounty-hunter.sh says "No scope file"
Run ./bugbounty-hunter.sh new <program> and add the domain to the ## In Scope section of the generated file in programs/.
Missing tools (subfinder, nuclei, httpx, etc.)
./auto-scanner/pentest.sh installVM lab won't start
See troubleshooting in legacy-vm-practice/README.md (Host-Only Adapter, NAT, firewall).
| Resource | Focus |
|---|---|
| Hacker101 | CTFs + HackerOne videos, badges for private programs |
| HackerOne Hacktivity | Public reports — study quality and avoid duplicates |
| HackerOne Directory | Choose program by scope and response stats |
| PortSwigger Web Security Academy | Technical fundamentals of web vulnerabilities |
Full list at docs/recursos/learning-resources.md.
╔══════════════════════════════════════════════════════════════════════════════╗
║ ║
║ WARNING ║
║ ║
║ This lab is designed for AUTHORIZED bug bounty via HackerOne. ║
║ ║
║ Only test assets within the program's published scope ║
║ bugbounty-hunter.sh blocks targets without documented scope in programs/ ║
║ Unauthorized use of these tools is ILLEGAL ║
║ Respect each program's exclusions and special rules ║
║ Always use these tools ETHICALLY and RESPONSIBLY ║
║ ║
╚══════════════════════════════════════════════════════════════════════════════╝
┌─────────────────────────────────────────────────────────────────┐
│ │
│ RECON 200+ tools ████████████████ 100% │
│ ENUMERATION 60+ tools ██████████░░░░░░ 60% │
│ WEB 20+ tools ████░░░░░░░░░░░░ 20% │
│ EXPLOITATION 80+ tools ████████████████ 80% │
│ POST-EXPLOIT 50+ tools ████████████░░░░ 60% │
│ │
│ TOTAL: 400+ categorized tools │
│ │
└─────────────────────────────────────────────────────────────────┘
See CHANGELOG.md for the full list of changes.
+=============================================================+
| |
| Bug Bounty Lab • HackerOne • 400+ Tools |
| |
+=============================================================+
Happy hunting.