In this post, we go over the concept of obtaining a shell over ICMP instead of TCP, which can be used in scenarios where TCP egress is blocked. The accompanying video uses the HackTheBox machine Minion as lab material.
ICMP reverse shells aren’t that common, since most firewalls permit egress TCP connections; a regular bash or netcat reverse shell therefore usually works once you have found an exploit and want to establish a foothold.
The Challenge: A Firewall That Says “No”
The big problem with the Minion machine was that it wouldn’t let me create a normal TCP reverse shell. Every time I tried, the connection would fail. This is where the ICMP reverse shell comes in. Since ICMP (the protocol that ping uses) is often allowed through firewalls, it can be a great way to get a shell when other methods are blocked.
Getting a Foothold: SSRF and Command Execution
My first step was to find a way to run commands on the machine. I found a Server-Side Request Forgery (SSRF) vulnerability that let me access internal resources, and through that, I found a cmd.aspx file that allowed me to execute commands.
I tried to get a normal reverse shell, but as expected, the firewall blocked it. So, it was time to bring out the ICMP shell.
The ICMP Reverse Shell
The ICMP reverse shell works with a “master” (my Kali machine) and a “slave” (the target machine). I started by running the icmpsh_m.py script on my machine to act as the listener.
Next, I needed to get the ICMP reverse shell payload onto the target machine. I used a PowerShell payload and delivered it using the SSRF vulnerability I found earlier. Once the payload was executed on the target, I got a beautiful ICMP reverse shell connection on my terminal.
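As an added example (not code from the original post or from the icmpsh project), here is the defender’s side of the same traffic: a small Python script that parses ICMPv4 echo packets, verifies the checksum, and counts, per ICMP identifier, the echo packets whose payload is not one of the fixed patterns that stock ping tools send, which is what a shell tunnelled over echo requests and replies looks like on the wire. The Windows ping pattern, the iputils layout (a 16-byte timestamp followed by bytes equal to their offset) and the sample packets are assumptions constructed for the example.

```python
import struct

# Constructed reference patterns (not captured from the lab): Windows ping sends a fixed
# 32-byte alphabet; iputils ping sends a timestamp, then bytes equal to their own offset.
WINDOWS_PING = b"abcdefghijklmnopqrstuvwabcdefghi"
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum over the ICMP header plus payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Build an ICMPv4 echo request (type 8) or reply (type 0) with a valid checksum."""
    csum = icmp_checksum(struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload

def parse_echo(packet: bytes):
    """Return (type, ident, seq, payload); reject truncated or corrupted packets."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP packet")
    icmp_type, _code, csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:]) != csum:
        raise ValueError("bad ICMP checksum")
    return icmp_type, ident, seq, packet[8:]

def classify_payload(payload: bytes) -> str:
    """'ping' for a stock ping payload; otherwise say why the payload is suspect."""
    linux_tail = bytes(i & 0xFF for i in range(16, len(payload)))  # 16-byte timestamp assumed
    if payload == WINDOWS_PING or (len(payload) > 16 and payload[16:] == linux_tail):
        return "ping"
    printable = sum(b in PRINTABLE for b in payload) / max(len(payload), 1)
    # mostly text: a shell command or its output riding inside the echo payload
    return "text-payload" if printable > 0.9 else "nonstandard-payload"

def suspicious_sessions(packets):
    """Count echo packets per ICMP identifier whose payload is not a stock ping payload."""
    counts = {}
    for pkt in packets:
        try:
            icmp_type, ident, _seq, payload = parse_echo(pkt)
        except ValueError:
            continue  # malformed packets are dropped rather than counted
        if icmp_type in (0, 8) and classify_payload(payload) != "ping":
            counts[ident] = counts.get(ident, 0) + 1
    return counts
```

Feed it the ICMP portion of captured packets (everything after the IP header) and an identifier that keeps accumulating text payloads is the session to investigate; a host that must be reachable by ping can still have echo payload size and content restricted at the edge.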
Privilege Escalation: From IIS to Decoder
Now that I was on the machine, it was time to escalate my privileges. I found a sysadmin_scripts directory with two scripts: c.ps1 and del_logs.ps1. The del_logs.ps1 script ran c.ps1 every five minutes, and c.ps1 had “Everyone Allow Full Control” permissions. This was my golden ticket.
I replaced the contents of c.ps1 with a Nishang PowerShell ICMP reverse shell payload and waited. Sure enough, after a few minutes, I caught a new ICMP reverse shell, this time as the “decoder” user.
From Decoder to Administrator
I grabbed the user flag from the desktop and then found a backup.zip file. Inside the zip file, I found an alternate data stream (ADS) that contained an NTLM hash.
I used Hashcat to crack the hash, which gave me the password “1234test” for the administrator user.
My plan was to use PowerShell to run root.exe on the administrator’s desktop and get the root flag. Unfortunately, the machine started acting up and I wasn’t able to get the final flag. But, if the machine had been stable, that’s how I would have finished it off.
Technical Commands Used:
Here are the commands I used throughout this process:
ls
icmpsh_m.py
sudo python
cd sysadmin_scripts
dir
cat c.ps1
cat logs.txt
ls -l
get-acl
nano
cd ..
cd users
cd decoder.minion
cd desktop
cat user.txt
Expand-Archive
dir unzip
cd unzipped
dir
secret.exe
cmd /c dir /q /r
type
hashcat -m 1000 -a 0
net use
dir
cd administrator
invoke-command