
Getting reverse shell from firewalled target

Çağlar Arlı


Suppose this scenario:

You are already inside a corporate network. Suppose you find an RCE in some service X. The machine that hosts that service is behind a network-based firewall; ingress rules and IPS/IDS are not a problem. You don't need to reach the internet, just your own machine inside the network, on the other side of that firewall. You have a small piece of malware ready which will grant you a reverse shell when executed, with the IP and port hardcoded.

In that case, what would you do to avoid detection?

  1. Upload the malware to the target (for example by running a curl command via the RCE) and execute it, hoping that the egress rules of the firewall will not cause any trouble with the hardcoded port?

  2. First upload a small program which tests the egress rules (for example the first 2000 TCP/UDP ports, one port every 5 seconds), and then upload the malware after compiling it based on the output of that test? And what about a blind RCE? How would you read the output in that case? Would it be preferable to add this code (the port scan) to the malware itself?

Any other ideas are more than welcome!
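The defender-side counterpart of option 2, added here as an example and not part of the original post: a host that probes egress rules one port every five seconds never trips a packets-per-second threshold, but it still accumulates many distinct denied destination ports against one peer. The log format, host addresses and sample lines below are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall deny-log format (not a real vendor format), e.g.
# "2024-05-01T10:00:05 DENY TCP 10.10.5.23:49153 -> 10.20.0.7:2"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<proto>TCP|UDP) (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<port>\d+)$"
)

def parse_line(line):
    """Return (timestamp, proto, src_ip, dst_ip, dst_port), or None for lines that are not denies."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["proto"], m["src"], m["dst"], int(m["port"]))

def find_slow_sweeps(lines, window=timedelta(minutes=30), min_ports=10):
    """Flag (src, dst) pairs whose denied connections touch >= min_ports distinct
    (proto, port) targets inside any sliding `window`. Counting distinct ports over a
    long window, not events per second, is what catches a one-port-per-5-seconds probe."""
    events = defaultdict(list)  # (src, dst) -> [(ts, proto, port), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, proto, src, dst, port = parsed
            events[(src, dst)].append((ts, proto, port))
    alerts = {}
    for key, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            distinct = {(p, port) for _, p, port in evs[start:end + 1]}
            if len(distinct) >= min_ports:
                alerts[key] = max(alerts.get(key, 0), len(distinct))
    return alerts

def constructed_sample():
    """Constructed log: one host probing TCP ports 1..12 on an internal peer every 5 s,
    plus a benign host whose connections to a single port are refused a few times."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=5 * i)).isoformat()} DENY TCP 10.10.5.23:{49152 + i} -> 10.20.0.7:{i + 1}"
             for i in range(12)]
    lines += [f"{(base + timedelta(minutes=i)).isoformat()} DENY TCP 10.10.7.40:51000 -> 10.20.0.9:8443"
              for i in range(5)]
    lines.append("2024-05-01T10:01:00 ALLOW TCP 10.10.7.40:51001 -> 10.20.0.9:443")  # not a deny, ignored
    return lines

if __name__ == "__main__":
    for (src, dst), n in find_slow_sweeps(constructed_sample()).items():
        print(f"possible egress-rule probing: {src} -> {dst}, {n} distinct denied ports")
```

The same distinct-port count per source can be applied to whatever deny records the real firewall exports; the rate of one probe every few seconds is irrelevant to it.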