2. Unpatched Oracle E-Business Suite instances: Recon: I used a combination of Google dorks and Shodan to identify Oracle EBS instances for my targets. Google dork: inurl:/OA_HTML/
You could use the same for Shodan. https://www.shodan.io/search?query=OA_HTML
Narrow down to your target and try to discover vulnerabilities. Common vulnerabilities I get bounty for include: default credentials, XSS, open redirect (https://www.exploit-db.com/exploits/43592). The writeup for the XSS and default credentials is here: https://the-infosec.com/2018/11/06/oracle-ebs-security-auditing/
3. Vulnerable Kubernetes instances without authentication: K8s uses etcd as its database, and etcd commonly runs on port 2379.
Over and above the common vulnerabilities on Kubernetes, information disclosure is common: API keys and other credentials can be leaked without authentication by requesting http://example.com:2379/v2/keys/?recursive=true
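A defender-side check for the exposure described in item 3, as an added example that is not part of the original post: it audits an etcd command line (as found in a static pod manifest or systemd unit) for client listeners reachable off-host without TLS client authentication. The sample command lines, addresses and file paths are constructed.

```python
import shlex
from urllib.parse import urlparse

LOOPBACK = {"127.0.0.1", "localhost", "::1"}

def parse_flags(cmdline):
    """Parse '--name=value', '--name value' and bare '--name' into a dict."""
    tokens, flags, i = shlex.split(cmdline), {}, 0
    while i < len(tokens):
        if tokens[i].startswith("--"):
            name, sep, value = tokens[i][2:].partition("=")
            if not sep:  # value is the next token, or the flag is a bare boolean
                nxt = tokens[i + 1] if i + 1 < len(tokens) else "--"
                value = "true" if nxt.startswith("--") else nxt
                i += 0 if nxt.startswith("--") else 1
            flags[name] = value
        i += 1
    return flags

def audit_etcd(cmdline):
    """Return findings for client listeners exposed beyond the local host."""
    flags, findings = parse_flags(cmdline), []
    # etcd's default client listener is http://localhost:2379
    urls = [urlparse(u.strip()) for u in
            flags.get("listen-client-urls", "http://localhost:2379").split(",")]
    off_host = [u for u in urls if u.hostname not in LOOPBACK]
    for u in off_host:
        if u.scheme == "http":
            findings.append(f"plaintext listener reachable off-host: {u.geturl()}")
    tls_off_host = any(u.scheme == "https" for u in off_host)
    if tls_off_host and flags.get("client-cert-auth", "false") != "true":
        findings.append("TLS listener without --client-cert-auth: any client may connect")
    if tls_off_host and not flags.get("trusted-ca-file"):
        findings.append("no --trusted-ca-file: client certificates cannot be verified")
    if flags.get("enable-v2", "false") == "true":
        findings.append("--enable-v2 set: the /v2/keys API is served")
    return findings

# Constructed sample command lines (paths and addresses are made up).
EXPOSED = "etcd --listen-client-urls=http://0.0.0.0:2379 --enable-v2=true"
TLS_ONLY = ("etcd --listen-client-urls https://0.0.0.0:2379 "
            "--cert-file=/etc/etcd/pki/server.crt --key-file=/etc/etcd/pki/server.key")
HARDENED = TLS_ONLY + " --client-cert-auth=true --trusted-ca-file=/etc/etcd/pki/ca.crt"

if __name__ == "__main__":
    for name, cmd in [("exposed", EXPOSED), ("tls-only", TLS_ONLY), ("hardened", HARDENED)]:
        print(name, audit_etcd(cmd) or "ok")
```

The audit covers listener flags only; etcd's own user/role authentication is enabled at runtime and does not appear on the command line.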