Mastering Nuclei: The Ultimate Vulnerability Scanning Guide

Fast, customizable vulnerability scanner based on simple YAML templates

What is Nuclei?

Nuclei is a fast, template-based vulnerability scanner designed to be scalable across large networks. It uses YAML template files to model various security checks, making it extremely flexible and customizable for security professionals.

Developed by ProjectDiscovery, Nuclei leverages community-driven templates to detect vulnerabilities, misconfigurations, and exposure of sensitive data across IT infrastructure.

Official Repository: Nuclei on GitHub

Why Use Nuclei?

  • Speed and Efficiency: Built in Go, Nuclei is designed for high-performance scanning
  • Template-Based: Easy to create and customize detection templates
  • Community-Driven: Thousands of templates maintained by security researchers
  • Comprehensive Coverage: Detects CVEs, misconfigurations, and exposed sensitive data
  • Integration Friendly: Works well with other tools and CI/CD pipelines

Installation

Getting Nuclei on your system is straightforward with multiple options available.

Using Go:

go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest

Using Docker:

docker pull projectdiscovery/nuclei:latest

Pre-compiled Binaries:

Download the latest version for your OS from the Official Releases page.

On Kali Linux:

sudo apt update && sudo apt install nuclei

Update Templates:

nuclei -update-templates

Core Concepts: Templates and Tags

Nuclei uses YAML templates to define detection logic. Each template contains:

  • ID: Unique identifier for the template
  • Info: Metadata about the template (name, author, severity, etc.)
  • Requests: HTTP requests to make
  • Matchers: Conditions to determine if the target is vulnerable
  • Extractors: Methods to extract data from responses

Example Template Structure:

id: example-template
info:
  name: Example Detection Template
  author: security-researcher
  severity: medium
  description: Detects Example Vulnerability

requests:
  - method: GET
    path:
      - "{{BaseURL}}/vulnerable-endpoint"

    matchers:
      - type: word
        words:
          - "vulnerable string detected"

Basic Nuclei Usage

Let's start with the most common use cases for Nuclei.

Scan a Single Target:

nuclei -u https://example.com

Scan Multiple Targets from a File:

nuclei -l targets.txt

Use Specific Templates:

nuclei -u https://example.com -t /path/to/templates/

Filter by Severity:

nuclei -u https://example.com -severity critical,high

Filter by Tags:

nuclei -u https://example.com -tags cve,xss

Advanced Scanning Techniques

Rate Limiting:

Control the number of requests per second to avoid overwhelming targets.

nuclei -u https://example.com -rate-limit 100

Concurrent Requests:

Adjust the number of concurrent hosts to scan.

nuclei -l targets.txt -concurrency 50

Template Debugging:

Debug templates to see requests and responses.

nuclei -u https://example.com -t template.yaml -debug

Save Results to File:

Output results in various formats for later analysis.

nuclei -u https://example.com -o results.txt
nuclei -u https://example.com -o results.json -json

Proxy Support:

Route traffic through a proxy for debugging or privacy.

nuclei -u https://example.com -proxy http://127.0.0.1:8080

Template Management

Nuclei's power comes from its template ecosystem. Here's how to manage them effectively.

List Installed Templates:

nuclei -tl

Search for Templates:

nuclei -tl -author geeknik
nuclei -tl -tags cve
nuclei -tl -severity high

Update Templates:

nuclei -update-templates

Use Specific Template Directory:

nuclei -u https://example.com -t /path/to/custom-templates/

Integration with Other Tools

Nuclei works exceptionally well with other security tools, creating powerful workflows.

With Subdomain Enumeration Tools:

subfinder -d example.com | nuclei -t /path/to/templates/

With HTTP Proxies:

cat live-urls.txt | nuclei -t /path/to/templates/ -proxy http://127.0.0.1:8080

In CI/CD Pipelines:

nuclei -u https://$STAGING_URL -severity critical,high -json -o results.json

With JSON Post-Processing (for notification hooks):

nuclei -u https://example.com -severity critical -json | jq . | tee -a results.json

Creating Custom Templates

One of Nuclei's most powerful features is the ability to create custom detection templates.

Basic Template Structure:

id: custom-template

info:
  name: Custom Vulnerability Detection
  author: your-name
  severity: medium
  description: Detects a specific vulnerability

requests:
  - method: GET
    path:
      - "{{BaseURL}}/vulnerable-endpoint"

    matchers:
      - type: word
        words:
          - "vulnerable indicator"
        # 'and' requires every listed word to appear; with a single word it is
        # equivalent to the default 'or'
        condition: and

Advanced Template with Dynamic Payloads:

id: advanced-template

info:
  name: Advanced Detection Template
  author: your-name
  severity: high

requests:
  - method: POST
    path:
      - "{{BaseURL}}/login"

    body: "username=admin&password={{base64('password')}}"
    
    matchers:
      - type: word
        words:
          - "Welcome, admin"

Template with Extractors:

id: data-extraction-template

info:
  name: Data Extraction Example
  author: your-name

requests:
  - method: GET
    path:
      - "{{BaseURL}}/api/users"

    extractors:
      - type: json
        # jq-style expression evaluated against the JSON response body;
        # for an array of user objects use '.[].email' instead of '.email'
        json:
          - '.email'

Best Practices for Effective Scanning

1. Always Update Templates

Keep your templates updated to detect the latest vulnerabilities.

nuclei -update-templates

2. Use Appropriate Rate Limiting

Adjust request rates based on target sensitivity and your network bandwidth.

nuclei -l targets.txt -rate-limit 150

3. Filter Results Effectively

Use severity and tags filters to focus on important findings.

nuclei -u https://example.com -severity critical,high -tags exposure,misconfig

4. Validate Critical Findings

Always manually verify critical vulnerabilities before reporting them.

5. Respect Scope and Authorization

Only scan targets you're authorized to test and stay within scope.

Real-World Use Cases

1. Bug Bounty Hunting

subfinder -d target.com | httpx | nuclei -t /path/to/templates/ -severity critical,high -o findings.txt

2. Internal Network Assessment

nmap -sL -iL internal_ips.txt | awk '/Nmap scan report/{print $5}' | nuclei -t /path/to/templates/
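The awk one-liner above prints field 5, which is the hostname rather than the IP whenever nmap's reverse lookup resolves (the report line then reads "Nmap scan report for db01.corp (10.0.0.5)"). The parser below, an added example that is not the post's own code and not part of nmap or Nuclei, handles both line forms and de-duplicates before the list is handed to nuclei -l; the sample nmap output and hostnames are constructed.

```python
"""Extract scan targets from `nmap -sL` output for `nuclei -l` (added example,
not part of the original post). Handles both "Nmap scan report for 10.0.0.1"
and "Nmap scan report for db01.corp (10.0.0.5)" and removes duplicates."""
import re
import sys

REPORT_LINE = re.compile(
    r"^Nmap scan report for (?:(?P<host>\S+) \((?P<ip>[^)]+)\)|(?P<bare>\S+))\s*$"
)

# Constructed sample of nmap -sL output (list scan: nothing is probed).
SAMPLE = """Starting Nmap ( https://nmap.org ) at 2024-01-01 10:00 UTC
Nmap scan report for 10.0.0.1
Nmap scan report for db01.corp (10.0.0.5)
Nmap scan report for 10.0.0.5
Nmap scan report for web01.corp (10.0.0.7)
Nmap done: 4 IP addresses (0 hosts up) scanned in 0.02 seconds
"""


def parse_list_scan(text):
    """Return (ip, hostname_or_None) for every report line, in output order."""
    targets = []
    for line in text.splitlines():
        m = REPORT_LINE.match(line.strip())
        if not m:
            continue  # banner, summary and blank lines carry no target
        if m.group("ip"):
            targets.append((m.group("ip"), m.group("host")))
        else:
            targets.append((m.group("bare"), None))
    return targets


def nuclei_targets(text, prefer_hostname=False):
    """Unique targets for `nuclei -l`: IPs by default, or hostnames where known."""
    seen, out = set(), []
    for ip, host in parse_list_scan(text):
        value = host if (prefer_hostname and host) else ip
        if value not in seen:
            seen.add(value)
            out.append(value)
    return out


if __name__ == "__main__":
    # Usage: nmap -sL -iL internal_ips.txt | python nmap_targets.py > targets.txt
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print("\n".join(nuclei_targets(text)))
```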

3. CI/CD Security Testing

nuclei -u https://staging.example.com -severity critical,high -json -o scan-results.json
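Both pipeline commands on this page (the "In CI/CD Pipelines" one-liner and the staging scan above) write JSON lines but leave it to the pipeline to decide pass or fail. The gate below is an added example, not code from the post or from the Nuclei project: it reads that file, tallies findings per severity, tolerates malformed lines, and exits non-zero when anything at or above a chosen severity was matched. The sample lines are constructed and reuse only the template ids from this page together with the template-id, info.severity, host and matched-at field names of Nuclei's JSON output.

```python
"""Severity gate for nuclei JSON-line results (added example; not part of the
original post or of the nuclei project). Reads the file written by
`nuclei ... -json -o scan-results.json` and fails the build on findings at or
above a chosen severity."""
import json
import sys
from collections import Counter

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample output; the third line is deliberately malformed to show
# that a stray warning in the file must not crash the gate.
SAMPLE = "\n".join([
    '{"template-id":"example-template","info":{"name":"Example Detection Template",'
    '"severity":"medium"},"host":"https://staging.example.com",'
    '"matched-at":"https://staging.example.com/vulnerable-endpoint"}',
    '{"template-id":"advanced-template","info":{"name":"Advanced Detection Template",'
    '"severity":"high"},"host":"https://staging.example.com",'
    '"matched-at":"https://staging.example.com/login"}',
    'WARN: this is not a JSON line',
    '{"template-id":"banner-check","info":{"name":"Banner Check (constructed)",'
    '"severity":"info"},"host":"https://staging.example.com",'
    '"matched-at":"https://staging.example.com"}',
])


def parse_findings(text):
    """Parse one finding per line; skip blank or malformed lines instead of aborting."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            findings.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # keep the gate running on a partially corrupt file
    return findings


def severity_of(finding):
    """Normalised severity string; missing values become 'unknown'."""
    return str(finding.get("info", {}).get("severity", "unknown")).lower()


def summarize(findings):
    """Count findings per severity, e.g. {'medium': 1, 'high': 1, 'info': 1}."""
    return dict(Counter(severity_of(f) for f in findings))


def gate(findings, threshold="high"):
    """Return (passed, blocking); blocking holds (template-id, matched-at) pairs at/above threshold."""
    min_rank = SEVERITY_RANK[threshold]
    blocking = [(f.get("template-id"), f.get("matched-at", f.get("host")))
                for f in findings if SEVERITY_RANK.get(severity_of(f), -1) >= min_rank]
    return (not blocking, blocking)


if __name__ == "__main__":
    # Usage: python gate.py scan-results.json [threshold]; uses SAMPLE when no path is given.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    threshold = sys.argv[2] if len(sys.argv) > 2 else "high"
    findings = parse_findings(text)
    print("findings by severity:", summarize(findings))
    passed, blocking = gate(findings, threshold)
    for template_id, location in blocking:
        print(f"BLOCKING {template_id} at {location}")
    sys.exit(0 if passed else 1)
```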

4. Emergency Vulnerability Response

nuclei -l all-targets.txt -t cves/ -id CVE-2021-44228 -o log4j-findings.txt

Conclusion

Nuclei has revolutionized vulnerability scanning by making it fast, customizable, and community-driven. Its template-based approach allows security professionals to quickly adapt to new threats and create targeted detection logic for specific environments.

Whether you're a bug bounty hunter, penetration tester, or security engineer, mastering Nuclei will significantly enhance your ability to identify vulnerabilities at scale.

Further Reading & Resources:

Disclaimer: Always ensure you have explicit permission to scan your target systems. Unauthorized scanning is illegal and unethical. Use these skills responsibly.

Happy Scanning!

This blog post is for educational purposes only. Always practice ethical hacking and obtain proper authorization before testing any systems.
