hunt
The `/hunt` command dispatches vulnerability assessments across two engagement modes: Red Team Assessment (high-severity findings with chaining) and Web Application Penetration Testing (full OWASP coverage). It accepts single targets, wildcards, or target lists, and can optionally filter by vulnerability class or enable static code analysis and browser-based testing. The command delegates to specialized skills for recon, scoping, finding validation, and reporting, and keeps credentials in session memory only.
```
mkdir -p ~/.claude/commands && curl -fsSL https://raw.githubusercontent.com/elementalsouls/Claude-BugHunter/HEAD/commands/hunt.md -o ~/.claude/commands/hunt.md
```
hunt.md
# /hunt
slim two-track dispatcher. one mode question, one branch, delegate. never asks about SOW — invoking `/hunt` implies SOW is signed.
## step 0 — parse
```
target.com single target
*.target.com wildcard — /recon <base> first, then hunt each live host
targets.txt multi-target — mode question once, applied per line
--vuln-class <X> skip mode question, load only hunt-<X>
--source-code <p|url> static + dynamic
--chrome browser MCP mode
```
wildcard handler: if `$TARGET` begins with `*.`, strip prefix and invoke `/recon <base>` before continuing.
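The target argument from step 0 ends up in recon and scanner invocations, so it is worth refusing anything that is not a bare hostname before dispatch. The sketch below is an added example, not code from the Claude-BugHunter project; the function names, the `#` comment convention in target lists, and the "existing file means target list" rule are assumptions.

```python
import re
from pathlib import Path

# One DNS label: 1-63 letters, digits or hyphens, no leading/trailing hyphen.
LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME = re.compile(rf"(?:{LABEL}\.)+{LABEL}")

# Constructed sample of a targets.txt, including lines that must be refused.
SAMPLE_LINES = [
    "target.com",
    "*.Target.com",
    "",
    "# staging hosts (comment lines are an assumption)",
    "https://target.com/login",   # URL, not a hostname
    "target.com; echo x",         # shell metacharacters
    "-v.target.com",              # would be read as an option by a CLI tool
]

def is_hostname(value):
    """True only for a bare dotted hostname: no scheme, path, port or spaces."""
    return len(value) <= 253 and HOSTNAME.fullmatch(value) is not None

def classify_target(arg):
    """Return ("wildcard", base) or ("single", host); raise ValueError otherwise."""
    arg = arg.strip()
    kind, host = ("wildcard", arg[2:]) if arg.startswith("*.") else ("single", arg)
    if not is_hostname(host):
        raise ValueError(f"refusing target argument: {arg!r}")
    return (kind, host.lower())  # wildcard: caller runs /recon <base> first

def expand_target_list(lines):
    """Classify every line of a target list; rejects are returned, never hunted."""
    accepted, rejected = [], []
    for line in (raw.strip() for raw in lines):
        if not line or line.startswith("#"):
            continue
        try:
            accepted.append(classify_target(line))
        except ValueError:
            rejected.append(line)
    return accepted, rejected

def parse_step0(arg):
    """An existing file is treated as a target list (assumption), else one target."""
    if Path(arg).is_file():
        return ("list", expand_target_list(Path(arg).read_text().splitlines()))
    return classify_target(arg)
```

Rejected lines are returned to the caller rather than silently dropped, so an operator can see which entries of a list were never dispatched.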
## step 1 — mode dispatcher
skipped if `--vuln-class` is set.
```
question: "what kind of engagement is this for {target}?"
header: "engagement"
options:
1. Red Team Assessment — critical/high impact, chained findings, client deliverable
2. WAPT / BugHunting — full OWASP coverage, platform/program report
```
do not prompt for SOW, scope-of-work, engagement letter, or authorization.
## step 2a — red team
```
mode: redteam
severity gate: critical / high · medium only if it chains via /chain
report: redteam-report-template
```
invoke `hunt-dispatch` skill with `mode=redteam`. hunt-dispatch fingerprints the target, loads platform skills + always-on (`redteam-mindset`, `mid-engagement-ir-detection`), and prints the taxonomy.
## step 2b — wapt
ask again:
```
question: "black box or grey box?"
header: "test mode"
options:
1. Black Box — no credentials, external perspective
2. Grey Box — test credentials provided (or skip)
```
grey box → prompt `creds (user/pass or token), or "skip":`. creds live in session memory only — never written, never logged. late-bind: if user later says "now grey box with X/Y", capture creds, do NOT re-fire mode question.
```
mode: wapt / {blackbox|greybox}
severity gate: all owasp-relevant
report: report-writing (bugcrowd-reporting if target on bugcrowd)
```
invoke `hunt-dispatch` skill with `mode=wapt box=blackbox|greybox`.
## step 3 — sibling delegation
```
before any HTTP touch → /scope (mandatory pre-flight)
recon empty | wildcard → /recon <target>
5+ live hosts surfaced → /surface (P1/P2/Kill list)
confirmed finding → /chain (A→B table lives here, NOT in /hunt)
before any report → /validate (7-Question Gate)
findings ready → /report (suggest, never auto)
session end → /remember (silent)
```
## step 4 — active testing
hand off to the loaded `hunt-*` skills. each skill has its own probes, payloads, validation. do not duplicate that logic here. on every confirmed finding, invoke `/chain` to check the A→B signal table.
## modes
`--source-code <path|url>` — adds hardcoded-secret grep, route mapping, dangerous-function scan before live testing.
`--chrome` — browser MCP for SPA / OAuth / DOM-XSS / WebSocket / file upload.
`--vuln-class <X>` — load only `hunt-<X>`, skip mode question.
## pacing & isolation
20-min rotation: every 20 min ask "am i making progress?" no → rotate. stop signals: 403 everywhere · 20+ payloads identical response · 5+ preconditions · 30+ min stuck on one endpoint.
one session per target. for `targets.txt`, mode question fires once; findings scoped per-target in hunt memory.
## privacy
never prompt for, log, or echo SOW / scope-of-work / engagement-letter content. never persist grey box credentials to disk. client data lives only in `.gitignore`d `targets/<target>/SESSION.md`.
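One way to enforce "never written, never logged" for grey box credentials, covering both the step 2b prompt and the rule above: keep the values in a process-memory object and scrub them from every log record at the handler. This is an added example, not the project's own code; `SessionCreds`, `RedactFilter`, `capture_log`, the logger name and the sample credential are hypothetical.

```python
import io
import logging

class SessionCreds:
    """Grey box credentials held in process memory only; nothing here touches disk."""
    def __init__(self):
        self._secrets = set()

    def bind(self, answer):
        """Take the prompt answer: 'user/pass', a token, or 'skip'. Safe to call late."""
        answer = answer.strip()
        if not answer or answer.lower() == "skip":
            return False
        self._secrets.add(answer)                 # whole answer (covers tokens with '/')
        _, sep, password = answer.partition("/")
        if sep and password:
            self._secrets.add(password)           # password on its own
        return True

    def scrub(self, text):
        for secret in sorted(self._secrets, key=len, reverse=True):
            text = text.replace(secret, "[REDACTED]")
        return text

    def __repr__(self):                           # never expose values via repr()
        return f"<SessionCreds bound={bool(self._secrets)}>"

class RedactFilter(logging.Filter):
    """Handler-level filter: scrubs the fully formatted message, args included."""
    def __init__(self, creds):
        super().__init__()
        self.creds = creds

    def filter(self, record):
        record.msg, record.args = self.creds.scrub(record.getMessage()), ()
        return True

def capture_log(creds, msg, *args):
    """Log one line through the filter and return what the handler wrote."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(RedactFilter(creds))
    log = logging.getLogger("hunt-example")       # hypothetical logger name
    log.handlers, log.propagate = [handler], False
    log.setLevel(logging.INFO)
    log.info(msg, *args)
    return stream.getvalue()
```

Because the filter holds a reference to the same `SessionCreds` object, credentials bound late in a session are scrubbed from that point on without reconfiguring logging. Exception tracebacks attached to a record are not covered by this filter and need their own handling.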
at session end, invoke `/remember` silently (non-fatal).
Run autonomous hunt loop on a target — scope check → recon → rank surface → hunt → validate → report with configurable checkpoints. Usage: /autopilot target.com [--paranoid|--normal|--yolo]
Build an exploit chain — given bug A, finds B and C to combine for higher severity and payout. Knows common chain patterns: IDOR→ATO, SSRF→cloud metadata, XSS→ATO, open redirect→OAuth theft, S3→bundle→secret→OAuth. Usage: /chain
On-demand intelligence fetch for a target — CVEs, disclosed reports, new features. Wraps learn.py + hunt memory context. Usage: /intel target.com
Inspect or rotate hunt-memory JSONL files (audit.jsonl, patterns.jsonl, journal.jsonl). Caps file size and keeps N rotated backups so memory does not grow unbounded.
Pick up a previous hunt on a target — shows hunt history, untested endpoints, and memory-informed suggestions. Usage: /pickup target.com
Run full recon pipeline on a target — subdomain enum (Chaos API + subfinder), live host discovery (dnsx + httpx), URL crawl (katana + waybackurls + gau), gf pattern classification, nuclei scan. Outputs to recon/<target>/ directory. Usage: /recon target.com
Log current finding or successful pattern to hunt memory. Auto-fills from /validate output if available. Usage: /remember
Write a submission-ready bug bounty report. Generates H1/Bugcrowd/Intigriti/Immunefi format with CVSS 3.1 score, proof of concept, impact statement, and remediation. Run /validate first. Usage: /report