As you probably learned from the previous part, it is usually a nice thing to have custom wordlists and tools for your remote axiom instances. In this article, I will briefly explain the features that will help you to understand how to access, modify, execute custom commands, and backup on each instance. It will also include some practical tips and the wordlists I used in my daily bug bounty.
As a prerequisite, make sure you have initialized an instance:
axiom-init <name>
After, you want to check the currently created and running instances:
axiom-ls
There are two main ways you could connect to your running Axiom instances:
axiom-ssh <name>
OR
axiom-connect <name>
After successfully connecting you will notice the following file structure:
Some other tools are used in docker containers or as binaries in other locations. For me personally, modifying ~/lists or ~/recon directories makes most of sense, since I could add my custom tools or wordlists there:
I like to use assetnote’s wordlists most of the time for web fuzzing, so creating the assetnote directory under ~/recon makes perfect sense:
You will have an updated machine with custom wordlists ready to use with fuzzing tools such as gobuster, ffuf or feroxbuster. It is possible to snapshot that machine so next time you spawn new instances, you can use it.
Another interesting feature is using custom or inbuilt Linux commands on selected VPS. But to demonstrate that it could be done on multiple VPS instances at once, it is required to spawn another server:
You could run ifconfig command on the specified instance by:
axiom-exec ifconfig --fleet <instance>
In order to run the same command on multiple instances, firstly you need to select which machines you want to use:
axiom-select "scanner\*"
After selecting instances, you can execute mkdir command:
You will probably like to do some file transfer. It is especially useful for cases when you want to download some results stored in Axiom machines or you might want to add your own wordlists. The simple command that could be used for this:
axiom-scp <from> <to>
As you can see I have specified scanner* as the instances I want to transfer the same file to. Other examples on file upload or download could be easily found on Axiom docs.
Snapshots are like the save files for the games. If you want to save all work done on the server to have continue use it later — you could use axiom-backup:
Running this command usually takes much longer than CLI shows, so my advice is to check it manually. For instance on Digital ocean you could view your snapshots here.
We covered the most often-used features of this awesome tool. I hope it will greatly help on your Bug Bounty journey. It is a great initial point to start hunting, but there is more! If you want to have fewer duplicates, you have to be smarter than most hunters.
To find valid bugs, you will need to use your own tools or add a little twist to less known ones. To have a custom tool running with axiom-scan you will need to know how to create modules, since running axiom-exec every time is not efficient. Stay tuned, since the next part will be about creating your own axiom module!
Subscribe to my page to not miss any upcoming stories. Also follow me on twitter, since I am planning to share some short insights, cool tricks and bypasses there as well.