Setting Up Tailscale on Vultr for Bug Bounty Hunting | Part 2
The reasoning behind this semi-strange setup for connection routing is mainly savings, and the ability to grab a new IP if for whatever reason the original IP gets banned by a WAF. Some WAFs have a bit of an over-aggressive approach, but a lot of the time it’s fully deserved. So if there is some over-scanning or something going on and an IP gets banned, make sure to reflect on what you did wrong and change your approach for next time. These companies are allowing us to test on their networks, which should be respected.
Back to the point though. A lot of people use VPNs to route their traffic through, which can cost betwen $5-$15 per month. I didn’t want to pay for something I might not use a lot, or that I would only need for certain days, so I decided to go with a VPS and chose Vultr. This enables me to spin up multiple VPSs if I wanted to use something like Axiom as well, but more on that later. For my situation, which is routing traffic, if I worked 2 hours a night, 5 days a week, for a month, it would only cost me 28 cents to run! That’s quite a bit of savings.
In this post I wanted to hand over my startup and destruction scripts. At the beginning of any testing the startup script can be run to create an instance on Vultr, run the script that was created on the Vultr platform, and then connect to your Tailscale network and select an exit node. For this script to work, you’ll need SSH keys setup in Vultr, a Vultr API key, a Tailscale API key, and your Tailnet organization name (usually just your email). Here is the bash script:
VULTR_API_KEY="<INSERT HERE>"
TAILSCALE_API_KEY="<INSERT HERE>"
TAILNET_ORG="<INSERT HERE>"
SUDO_PASS="<INSERT HERE>"
curl "https://api.vultr.com/v2/instances" \
-X POST \
-H "Authorization: Bearer ${VULTR_API_KEY}" \
-H "Content-Type: application/json" \
--data '{
"region" : "atl",
"plan" : "vc2-1c-1gb",
"label" : "Bug-Bounty-Tailscale-Auto",
"hostname" : "Bug-Bounty-Tailscale-Auto",
"os_id" : "1743",
"backups" : "disabled",
"ddos_protection" : false,
"sshkey_id" : ["<INSERT HERE>"],
"default_password" : "<INSERT HERE>",
"script_id" : "<INSERT HERE>"
}' > /dev/null
echo "Startup request made via API to Vultr"
sleep 400
echo "Tailscale instance should be running"
VULTR_IP=$(curl "https://api.vultr.com/v2/instances" -X GET -H "Authorization: Bearer ${VULTR_API_KEY}" | jq -r .instances[].main_ip)
echo "Vultr VPS IP: ${VULTR_IP}"
TSIP=$(curl "https://api.tailscale.com/api/v2/tailnet/${TAILNET_ORG}/devices" \
-u "${TAILSCALE_API_KEY}" | jq '.devices[] | select(.hostname=="Bug-Bounty-Tailscale-Auto")' | jq -r .addresses[0])
echo ${TSIP}
echo ${SUDO_PASS} | sudo -s tailscale up --exit-node=${TSIP}
echo "Tailscale Exit Node IP: ${TSIP}"This will take about 6 minutes to run, but that is just the average time for the instance to start up and connect to the Tailscale network.
The next step is the destruction of the instance and its removal from the Tailscale network. This will just require your Vultr API key. It will shut Tailscale down on your machine, log the Vultr instance out from Tailscale which removes the machine, and then it will destroy the instance on Vultr. Here is the bash script for it:
SUDO_PASS="<INSERT HERE>"
VULTR_API_KEY="<INSERT HERE>"
echo ${SUDO_PASS} | sudo -s tailscale down
sleep 2
instanceId=$(curl "https://api.vultr.com/v2/instances" -X GET -H "Authorization: Bearer ${VULTR_API_KEY}" | jq -r .instances[].id)
echo "InstanceID Grabbed: ${instanceId}"
instanceIp=$(curl "https://api.vultr.com/v2/instances" -X GET -H "Authorization: Bearer ${VULTR_API_KEY}" | jq -r .instances[].main_ip)
echo "InstanceIP Grabbed: ${instanceIp}"
ssh -o StrictHostKeyChecking=accept-new root@${instanceIp} 'sudo tailscale logout'
echo "SSH Completed - Tailscale Logout"
sleep 2
curl "https://api.vultr.com/v2/instances/${instanceId}" \
-X DELETE \
-H "Authorization: Bearer ${VULTR_API_KEY}"
sleep 4
echo "VULTR VPS should be in the process of being destroyed"And that’s it! Good hunting!