search
githubEdit

Salseo

circle-check

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)arrow-up-right Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)arrow-up-right

chevron-rightSupport HackTrickshashtag

hashtag
Compiling the binaries

Download the source code from the github and compile EvilSalsa and SalseoLoader. You will need Visual Studio installed to compile the code.

Compile those projects for the architecture of the windows box where your are going to use them(If the Windows supports x64 compile them for that architectures).

You can select the architecture inside Visual Studio in the left "Build" Tab in "Platform Target".

(**If you can't find this options press in "Project Tab" and then in "<Project Name> Properties")

Then, build both projects (Build -> Build Solution) (Inside the logs will appear the path of the executable):

hashtag
Prepare the Backdoor

First of all, you will need to encode the EvilSalsa.dll. To do so, you can use the python script encrypterassembly.py or you can compile the project EncrypterAssembly:

hashtag
Python

hashtag
Windows

Ok, now you have everything you need to execute all the Salseo thing: the encoded EvilDalsa.dll and the binary of SalseoLoader.

Upload the SalseoLoader.exe binary to the machine. They shouldn't be detected by any AV...

hashtag
Execute the backdoor

hashtag
Getting a TCP reverse shell (downloading encoded dll through HTTP)

Remember to start a nc as the reverse shell listener and a HTTP server to serve the encoded evilsalsa.

hashtag
Getting a UDP reverse shell (downloading encoded dll through SMB)

Remember to start a nc as the reverse shell listener, and a SMB server to serve the encoded evilsalsa (impacket-smbserver).

hashtag
Getting a ICMP reverse shell (encoded dll already inside the victim)

This time you need a special tool in the client to receive the reverse shell. Download: https://github.com/inquisb/icmpsharrow-up-right

hashtag
Disable ICMP Replies:

hashtag
Execute the client:

hashtag
Inside the victim, lets execute the salseo thing:

hashtag
Compiling SalseoLoader as DLL exporting main function

Open the SalseoLoader project using Visual Studio.

hashtag
Add before the main function: [DllExport]

hashtag
Install DllExport for this project

hashtag
Tools --> NuGet Package Manager --> Manage NuGet Packages for Solution...

hashtag
Search for DllExport package (using Browse tab), and press Install (and accept the popup)

In your project folder have appeared the files: DllExport.bat and DllExport_Configure.bat

hashtag
Uninstall DllExport

Press Uninstall (yeah, its weird but trust me, it is necessary)

hashtag
Exit Visual Studio and execute DllExport_configure

Just exit Visual Studio

Then, go to your SalseoLoader folder and execute DllExport_Configure.bat

Select x64 (if you are going to use it inside a x64 box, that was my case), select System.Runtime.InteropServices (inside Namespace for DllExport) and press Apply

hashtag
Open the project again with visual Studio

[DllExport] should not be longer marked as error

hashtag
Build the solution

Select Output Type = Class Library (Project --> SalseoLoader Properties --> Application --> Output type = Class Library)

Select x64 platform (Project --> SalseoLoader Properties --> Build --> Platform target = x64)

To build the solution: Build --> Build Solution (Inside the Output console the path of the new DLL will appear)

hashtag
Test the generated Dll

Copy and paste the Dll where you want to test it.

Execute:

If no error appears, probably you have a functional DLL!!

hashtag
Get a shell using the DLL

Don't forget to use a HTTP server and set a nc listener

hashtag
Powershell

hashtag
CMD

circle-check

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)arrow-up-right Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)arrow-up-right

chevron-rightSupport HackTrickshashtag
PreviousBlockchain & Crypto CurrenciesNextICMPsh

Last updated