Fun in the AWS with Sliver C2 Part-1

Fun in the AWS with Sliver C2 Part-1

Specifications

  1. EC2 instance --> t2.micro

  2. OS --> Ubuntu 20.04LTS (Focal Fossa)

  3. Go Version --> go1.20.1 linux/amd64

  4. Sliver Version --> 1.5.34

  5. Mingw Version --> 7.0.0-2

Preparation

My journey began with the launch of an Ubuntu 20.04LTS t2-micro (free tier) instance. I will recommend configuring the security group to only allow access from your own IP for better OpSec. After launching the instance, I did sudo chmod 400 <key.pem> to make it readable only to my user account and SSHed into the instance.

Go Installation

Since Go is not installed by default, I fetched the latest version from the go.dev website using the below command.

wget https://go.dev/dl/go1.20.1.linux-amd64.tar.gz

After that, the next step was to copy the archive to /usr/local and extract the contents.

sudo cp go1.20.1.linux-amd64.tar.gz /usr/local/
cd /usr/local/ && sudo tar -xzf go1.20.1.linux-amd64.tar.gz

After extracting the archive, the remaining portion was to add this directory to my path. For this, I added export PATH=$PATH:/usr/local/go/bin to my ~/.bashrc file so it can persist between reboots.

Mingw Installation

To enable shellcode/staged/DLL payloads MinGW must be installed on the server. Since the majority of my testing is to be done on Windows systems, I installed it using the below command.

sudo apt install mingw-w64

Metasploit Installation

Sliver authors also recommend installing Metasploit for some integrations, however, I skipped it for the time being.

Sliver

Installation

Now that all that dependencies are installed it was time to download the sliver binaries.

wget https://github.com/BishopFox/sliver/releases/download/v1.5.34/sliver-server_linux
wget https://github.com/BishopFox/sliver/releases/download/v1.5.34/sliver-server_linux.sig
wget https://github.com/BishopFox/sliver/releases/download/v1.5.34/sliver-client_linux
wget https://github.com/BishopFox/sliver/releases/download/v1.5.34/sliver-client_linux.sig

And made the binaries executables.

sudo chmod 755 sliver-server_linux
sudo chmod 755 sliver-client_linux

Since this is mainly a research project, I decided to rename & move these binaries to the Home directory for the sake of convenience and changed the file ownership.

sudo mv sliver-server_linux server
sudo mv sliver-client_linux client

mkdir ~/sliver

sudo chown ubuntu:ubuntu server
sudo chown ubuntu:ubuntu client

sudo mv client ~/sliver/
sudo mv server ~/sliver/

Next up the verification of these binaries was also necessary. Ideally, it should be done right after downloading binaries.

wget https://raw.githubusercontent.com/BishopFox/sliver/master/server/assets/fs/sliver.asc
gpg --import sliver.asc

gpg --verify sliver-client_linux.sig client 
gpg --verify sliver-server_linux.sig server

Then I thought why not make this as a systemd service so created a file ( sliver.service ) in my home directory with the following content. This is to ensure that the user ubuntu remains the file owner instead of root. However, the ownership can be easily changed by:

sudo chown $USER:$USER <filename>

Now here's the content for systemd file.

[Unit]
Description=Sliver
After=network.target
StartLimitIntervalSec=0

[Service]
Type=simple
Restart=on-failure
RestartSec=3
User=ubuntu
ExecStart=/home/ubuntu/sliver/server daemon

[Install]
WantedBy=multi-user.target

And moved this file to /etc/systemd/system using sudo chmod 600 sliver.service && sudo mv sliver.service /etc/systemd/system/. Then ran sudo systemctl start sliver and set it to start every reboot using sudo systemctl enable sliver. Now just to be sure that sliver is up and running, I pulled the status using sudo systemctl status sliver which gave the following output.

Now with sliver running, I wanted to check which port it was listening on. Since netstat was not included by default in my VPS, I installed it using sudo apt install net-tools and ran sudo netstat -tlp | grep server to discover it was listening on port 31337.

I also created two aliases alias server='/home/ubuntu/sliver/server' and alias client='/home/ubuntu/sliver/client' in a separate ~/.bash_aliases file for ease of access.

First Run

Now with everything set up, it was now time to run sliver server and check out the available options.

Since every red team engagement requires operators, it was time to create one. Luckily sliver has some good inbuilt help features so I ran new-operator --help and was greeted with the following manual.

So I created an operator named Ezio with new-operator --name Ezio -l 127.0.0.1 .

With server running in one terminal tab, I opened another one and SSHed into the server to run client. Do note that if you're using the same machine for both server and client, make sure to enable multiplayer mode by typing multiplayer in server terminal.

With the C2 setup ready, it was now time to set up the proper infrastructure for receiving communications from the target.

Elastic Load Balancer

The next step was to set up an Application Load Balancer and connect it to the instance running sliver.

In the EC2 Management Console, select Load Balancers, under the Load Balancing section and click on Create Load Balancer option.

Then in the popup, select Application Load Balancer (ALB) as that is the perfect for this use case.

After that, in the next few steps configure ALB and Target Group (instance to forward traffic to).

In the new tab, configure the Target group while selecting Instances and give it a descriptive name.

Then select the appropriate VPC and choose the HTTP version and click Next.

Now select the instance running sliver, click on Include as pending below and click Create target group.

Now go back to ALB page, and select Target Group and click on Create Load Balancer.

Now go back to EC2 Management Console, click on Security Groups option under Network and Security section, and select the security group attached to the instance running sliver. In that security group, click on edit inbound rules and add a new rule with Type as Custom TCP, Port range as 80, and the security group ID of the newly created load balancer as Source.

CloudFront

Now as a final step, CloudFront needs to be set up which is very easy. Select the ALB from the dropdown in Origin domain, set protocol to HTTPS only, in Allowed HTTP methods select the third option (GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE), choose Caching Optimized under Cache policy, and click on Create Distribution and copy Distribution domain name from next page. This Distribution domain name will now be our C2 domain which we can use since Cloudfront is being trusted in many organizations without the risk of triggering some security systems. Now there are some interesting configurations in CloudFront like adding a custom header to client requests and sending logs to s3 buckets among others which I plan to dig into later.

So with the CloudFront done, we can now go back to sliver and continue the testing by generating implants/beacons and having fun with a sophisticated C2 setup in the public cloud.

That's it for this blog, I'll be back with Part-2 soon. Feel free to drop your suggestions below.

Resources

  1. https://github.com/BishopFox/sliver

  2. https://github.com/BishopFox/sliver/wiki/Community-Guides

  3. https://redsiege.com/blog/2022/11/introduction-to-sliver/

  4. https://www.cyberwarfare.live/resource_redirect/downloads/file-uploads/sites/2147491645/themes/2150116878/downloads/bc021a0-8ebc-d601-83e7-5e0d440c750_Cloud_Red_Team_Journey.pdf