
Learning Sliver C2 (10) - Sideload

34 minute read Published:

Deep-dive into the sideload command Sliver provides for execution of native shared libraries, including Windows DLLs. I show how to use the command but also how it works under the hood. We cover both Sliver itself as well as Donut, which Sliver depends on. On top there are some brief notes on detection.
Sliver C2
This post is part of a tutorial blog post series on Sliver C2 (used here in version v1.5.30). For an overview: click here.

Introduction
The previous post 9 was about making a Windows implant run 3rd party tools. One limitation was that execute-assembly, the command we used, could only run tools written in .NET. In this post we therefore learn about the sideload command. It supports execution of native DLLs in Portable Executable (PE) format.

A Tale of Two XSS in the Rails HTML Sanitizer

12 minute read Published:

Short write-up on CVE-2022-23519 and CVE-2022-23520, two XSS vulnerabilities in the Rails HTML sanitizer. There are some explanations of the vulnerabilities, the thought process and code snippets used for fuzzing.
A while ago I was writing an application based on the Rails framework which returned sanitized user input. Its purpose was to build a PoC for an XSS vulnerability in the Rails HTML sanitizer (CVE-2022-32209, which appeared in June 2022). The following is a short write-up of that endeavour and how it turned into the discovery of two additional CVEs. I start with a discussion of the original CVE-2022-32209, proceed with an investigation of the fix and how it turned out to be incomplete (CVE-2022-23520), explain how that motivated additional fuzzing which uncovered additional working attack payloads (CVE-2022-23519) and conclude with a brief outline of the fix (entirely designed and implemented by flavorjones).

Filters and Bypasses - Rare IPv4 Formats for SSRF

5 minute read Published:

A short description of the many ways there are to write down an IP address, along with an online IP address encoder that will create alternative representations for any IP you enter. Useful for filter bypasses when testing for SSRF.
Many applications these days do network requests on behalf of their users. For example, it is often possible to define webhooks, where users can specify URLs to which a server shall send HTTP requests when certain events occur. Other applications may allow uploading images by URL or they may generate PDFs from HTML rendered server-side, which could contain URLs (see here). In all these examples, users provide input to specify the destinations of server-side network requests.

Learning Sliver C2 (09) - Execute Assembly

29 minute read Published:

Deep-dive into the execute-assembly command Sliver provides for .NET assembly execution. I show how to use the command as well as how it works under the hood (Donut). On top there are some notes on detection.
Sliver C2
This post is part of a tutorial blog post series on Sliver C2 (currently on v1.5.30). For an overview: click here.

Introduction
We went through the most basic implant commands in post 8, but sometimes you may want to do a bit more than just that. It's great that your Sliver implant can read files or registry keys, but it would be better if you could use it as a launchpad for all of the sophisticated attack tools that already exist out there.

Learning Sliver C2 (08) - Implant Basics

20 minute read Published:

An overview of elementary Sliver implant capabilities. Shows how to interact with processes, the file system, network connections and the Windows Registry.
Sliver C2
This post is part of a tutorial blog post series on Sliver C2 (v1.5.16). For an overview: click here.

Introduction
If you went through the previous posts, you should be familiar with the C2 protocols and be able to write a basic stager for Sliver implants that runs even if AV is on. Time to look at what you can do with a working C2 connection to a target, which is what this and the next posts will be about.

Learning Sliver C2 (07) - Stagers: Process Injection

22 minute read Published:

A C++ stager for Sliver C2 implants that uses process injection to execute an implant in existing processes. Apart from the stager itself I'll also show how it might be detected by Sysmon logging.
Sliver C2
This post is part of a tutorial blog post series on Sliver C2 (v1.5.16). For an overview: click here.

Introduction
The previous post introduced basic custom stagers which run a Sliver implant within the stager process. Real malware however often injects a malicious payload into already existing processes for various reasons. The goal may be to bypass protection mechanisms or to avoid detection. For example, a browser process might be allowed to connect to the internet while other processes get blocked, or even if all processes are allowed, it may look less suspicious if it's a browser doing that.

Learning Sliver C2 (06) - Stagers: Basics

26 minute read Published:

A demonstration of the various ways in which Sliver C2 implants can be delivered with stagers. First I'll show basic stagers generated by Sliver itself. After that, there will be three custom stagers written in C++, C# and PowerShell.
Sliver C2
This post is part of a tutorial blog post series on Sliver C2 (v1.5.16). For an overview: click here.

Introduction
Sliver C2 implants will often be delivered with a small script or program called a "stager". Such a program downloads implant shellcode from a remote location, such as the C2 server, and then runs the shellcode. At first sight, this sounds unnecessarily complicated. Why not execute the implant directly instead of a stager?

Learning Sliver C2 (05) - Transports in Detail: DNS

9 minute read Published:

A post about Sliver's DNS C2 protocol. I'll show how to use beacons compiled with DNS C2 endpoints and briefly touch upon the kind of traffic they generate. In contrast to HTTP C2 traffic though, DNS C2 traffic looks clearly malicious and cannot be modified to make it stealthy. Thus, a very quick look shall suffice. To enable you to try out DNS C2 in a lab, there is also some info on DNS server configuration.
Sliver C2
This post is part of a tutorial blog post series on Sliver C2 (v1.5.16). For an overview: click here.

Introduction
In very restricted environments, your target machine may be unable to establish connections to the Internet directly. The previous post 04 - Transports in Detail: HTTP and HTTPS was about Sliver's HTTP-based C2 protocols, which may still allow a C2 callback if the target can send HTTP requests out via a proxy.

Learning Sliver C2 (04) - Transports in Detail: HTTP and HTTPS

19 minute read Published:

A post about the HTTP(S) Sliver C2 protocol. I'll show how to use beacons compiled with HTTP C2 endpoints, with a focus on illustrating the traffic these beacons generate. There is also some info on how to modify the traffic such that it looks less like the default. Before diving into the subject matter, there are also instructions for adding a web proxy to the lab setup that is built up iteratively in this series of blog posts.
Sliver C2
This post is part of a tutorial blog post series on Sliver C2 (v1.5.16). For an overview: click here.

Introduction
This is the second post in a series about Sliver's C2 protocols. The last one (03 - Transports in Detail: mTLS and WireGuard) was an exploration of the two most recommended and easy-to-use protocols mTLS and WireGuard. However, not all environments allow establishing such connections to your C2 infrastructure.

Learning Sliver C2 (03) - Transports in Detail: mTLS and WireGuard

11 minute read Published:

A post about two of the four Sliver C2 protocols: mutual TLS (mTLS) and WireGuard. I'll show how to use sessions and beacons with these protocols. Using Wireshark, you will also see what kind of traffic could be observed when you deploy such implants. Like in the previous Sliver-related posts, a couple of instructions for additional lab setup are included. I'll add a DNS server to make the traffic look more realistic.
Sliver C2
This post is part of a tutorial blog post series on Sliver C2 (v1.5.16). For an overview: click here.

Introduction
After discussing Sliver beacon and session implants in general in 02 - Beacons and Sessions, I'll now have a more detailed look at the four different C2 protocols you can choose from. This post covers the first two of them, which are mutual TLS (mTLS) and WireGuard. Both are strongly recommended in the official Getting Started Guide.

Learning Sliver C2 (02) - Beacons and Sessions

14 minute read Published:

This post is about how to use Sliver implants (C2 agents) to remote-control target computers from a Sliver C2 server. I'll showcase both the session mode, which establishes an interactive session with immediate command execution and feedback, and the beacon mode, which makes the implant connect back and fetch jobs in regular intervals. To make following along easy, some instructions on lab setup are included.
Sliver C2
This post is part of a tutorial blog post series on Sliver C2 (v1.5.16). For an overview: click here.

Introduction
This post demonstrates how to use so-called implants to remote-control a target machine from a Sliver C2 server. It is a follow-up to the previous one on Sliver C2 server installation (01 - Installation). To get familiar with the basics of Sliver, we'll now add a (Windows) target machine to the setup.