In this post, we go over the concept of getting a reverse shell over the ICMP protocol instead of TCP. It can be used in scenarios where TCP egress is blocked. The video uses HackTheBox Minion as lab material.

ICMP reverse shells aren’t that common, since most firewalls allow egress TCP connections; a regular bash or netcat reverse shell therefore usually works once you find an exploit and want to establish a foothold.

The Challenge: A Firewall That Says “No”

The big problem with the Minion machine was that it wouldn’t let me create a normal TCP reverse shell. Every time I tried, the connection would fail. This is where the ICMP reverse shell comes in. Since ICMP (the protocol that ping uses) is often allowed through firewalls, it can be a great way to get a shell when other methods are blocked.

Getting a Foothold: SSRF and Command Execution

My first step was to find a way to run commands on the machine. I found a Server-Side Request Forgery (SSRF) vulnerability that let me access internal resources, and through that, I found a cmd.aspx file that allowed me to execute commands.

I tried to get a normal reverse shell, but as expected, the firewall blocked it. So, it was time to bring out the ICMP shell.

The ICMP Reverse Shell

The ICMP reverse shell works with a “master” (my Kali machine) and a “slave” (the target machine). I started by running the icmpsh_m.py script on my machine to act as the listener.

Next, I needed to get the ICMP reverse shell payload onto the target machine. I used a PowerShell payload and delivered it using the SSRF vulnerability I found earlier. Once the payload was executed on the target, I got a beautiful ICMP reverse shell connection on my terminal.
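From the defender’s side, an ICMP shell like the one above is visible in the echo payloads: ordinary ping fills its data field with a fixed pattern, whereas a tunnelled shell carries prompts and command output. The following is an added example, not code from the post or from icmpsh; it parses raw ICMP echo messages and flags identifiers whose payloads are not standard ping fillers. The sample capture is constructed, and the assumed fillers are Windows ping’s alphabet string and iputils ping’s offset-counting bytes after a timestamp.

```python
import struct
from collections import defaultdict

# Assumed well-known ping fillers: Windows uses a 32-byte alphabet string;
# iputils (Linux) writes a timestamp, then each byte equals its offset from the ICMP start.
WINDOWS_FILLER = b"abcdefghijklmnopqrstuvwabcdefghi"

def is_linux_filler(payload):
    """True if, after an 8- or 16-byte timestamp, bytes count up from 0x10 (offset 16 in the ICMP message)."""
    for ts_len in (8, 16):
        if len(payload) > ts_len and all(payload[k] == (8 + k) & 0xFF for k in range(ts_len, len(payload))):
            return True
    return False

def parse_icmp(msg):
    """Split a raw ICMP message into (type, code, identifier, sequence, payload)."""
    icmp_type, code, _checksum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return icmp_type, code, ident, seq, msg[8:]

def classify_payload(payload):
    """'ping' for known fillers; otherwise 'empty', 'text' (mostly printable, e.g. shell I/O) or 'binary'."""
    if payload == WINDOWS_FILLER or is_linux_filler(payload):
        return "ping"
    if not payload:
        return "empty"  # polling requests of an ICMP shell often carry no data
    printable = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
    return "text" if printable / len(payload) > 0.9 else "binary"

def suspicious_sessions(messages, min_odd=2):
    """Group echo request/reply traffic by identifier; return IDs with >= min_odd non-ping payloads."""
    odd = defaultdict(int)
    for msg in messages:
        icmp_type, _code, ident, _seq, payload = parse_icmp(msg)
        if icmp_type in (0, 8) and classify_payload(payload) != "ping":
            odd[ident] += 1
    return sorted(i for i, n in odd.items() if n >= min_odd)

def echo(icmp_type, ident, seq, payload):
    """Build a constructed ICMP echo message (checksum left zero; not needed for parsing)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload

# Constructed sample capture: one normal Windows ping exchange and one polled-shell exchange.
SAMPLE = [
    echo(8, 0x0001, 1, WINDOWS_FILLER),
    echo(0, 0x0001, 1, WINDOWS_FILLER),
    echo(8, 0x1337, 1, b""),
    echo(0, 0x1337, 1, b"C:\\> "),
    echo(8, 0x1337, 2, b"whoami\n"),
    echo(0, 0x1337, 2, b"iis apppool\\defaultapppool\r\n"),
]
```

Running `suspicious_sessions(SAMPLE)` reports only identifier 0x1337; the same heuristic applied to a pcap’s ICMP messages gives a cheap first-pass alert for ICMP tunnelling.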

Privilege Escalation: From IIS to Decoder

Now that I was on the machine, it was time to escalate my privileges. I found a sysadmin_scripts directory with two scripts: c.ps1 and del_logs.ps1. The del_logs.ps1 script ran c.ps1 every five minutes, and c.ps1 had “Everyone Allow Full Control” permissions. This was my golden ticket.

I replaced the contents of c.ps1 with a Nishang PowerShell ICMP reverse shell payload and waited. Sure enough, after a few minutes, I caught a new ICMP reverse shell, this time as the “decoder” user.

From Decoder to Administrator

I grabbed the user flag from the desktop and then found a backup.zip file. Inside the zip file, I found an alternate data stream (ADS) that contained an NTLM hash.

I used Hashcat to crack the hash, which gave me the password “1234test” for the administrator user.

My plan was to use PowerShell to run root.exe on the administrator’s desktop and get the root flag. Unfortunately, the machine started acting up and I wasn’t able to get the final flag. But, if the machine had been stable, that’s how I would have finished it off.

Technical Commands Used:

Here are the commands I used throughout this process:

  • ls
  • icmpsh_m.py
  • sudo python
  • cd sysadmin_scripts
  • dir
  • cat c.ps1
  • cat logs.txt
  • ls -l
  • get-acl
  • nano
  • cd ..
  • cd users
  • cd decoder.minion
  • cd desktop
  • cat user.txt
  • Expand-Archive
  • dir unzip
  • cd unzipped
  • dir
  • secret.exe
  • cmd /c dir /q /r
  • type
  • hashcat -m 1000 -a 0
  • net use
  • dir
  • cd administrator
  • invoke-command

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.