Motivation

Most people doing bug bounties or penetration testing are running some VPS box where they have faster internet access or tooling installed to avoid black-listing.

With that in mind, the runner running as a process on the VPS can also have access to those tools. BountyHub allows leveraging your machine to actually do the work in the background, while storing results on the server accessible to you from any machine.

If you don't want your result uploaded (for example, screenshots), you can write your workflow to instruct the runner to output data to some directory on your box. The important thing to note is, unless your workflows specifies the uploads, nothing will be uploaded as a result to the server. However, the workdir configured for the runner is going to be cleaned up on every run, so your results will not be preserved on the machine after the run.

Another important argument for running self-hosted runner is, so you can leverage your intercepting proxy and ensure that the scans are proxies through your intercepting proxy.

Runner

Runner is an agent executing workflows. You can start it on your home machine, or a VPS and leave it running.

The server will notify your runner when there is a workflow ready to be executed. The runner does not act as a server, so it is safe to leave it running. The runner also does not come with pre-defined dependencies. As long as you have tools visible to the runner on your machine, you can run any tool you want. If you have custom tools, that is also fine. As far as the runner is concerned, it executes what you specify in your workflow.

Registration

Runners need to be registered in order to execute tasks. During registration, runner will receive its own authentication token. That token allows runner to communicate with the back-end and receive jobs.

To register your runner, visit your profile, and under Runners tab, click New Runner. The New Runner page contains information how to download the runner and how to configure it.

There are few important variables during registration time:

  1. Name: It is the name of the runner. Each runner must have a unique name at the time of registration.
  2. Workdir: The working directory that the runner will use to create temporary files and execute commands from.

To see all options when configuring the runner, you can run the following command:

./runner configure --help

Deletion

You can remove your runners from your profile. Once removed from your profile page, the runner will not be able to connect to the back-end anymore.

On your own machine, the runner registration information is stored in the .runner file. If you remove this file, the runner will still exist on the server, but you will have no way to connect to it anymore.

Running the runner

The runner should be long-running process. When it runs, it keeps the session alive, continuously asking for jobs.

The pre-condition for runner to ask for the job is that the runner is configured.

Running the runner in the foreground

The foreground means that the runner execution will be bound to your terminal, and as long as that terminal is open, the runner will try to receive and run jobs. Once you kill the terminal, the runner will shut down as well.

This mode can be useful when you want to manually control when the runner is online. Although this is not scalable, if you hack from time to time, this may be an option for you. You don't need to waste resources if you hack every two weeks for example.

To run the runner in the foreground (provided that the runner is registered), please run the following:

./runner run

Running the runner in the background

The more useful mode for professionals is to have runners running as a service. When started as a service, the runner will actually be installed using systemd, and will be managed by it. That way, you can exit your terminal session and the runner will stay online, running jobs when they arrive.

To quickly install and run the runner as a service, please run the following command:

sudo ./runner service install && sudo ./runner service start

Limitations

Currently, runner application is only supported on the Linux platform. This may change in the future based on the feedback.

Having said that, it is not impossible to compile it to run on Windows platforms. The runner is written in Rust, but it is not tested on the Windows platform and, thus, not officially supported.