Closed jbfuzier closed 2 years ago
It may be easier to debug by looking at the HTTP traffic instead, using tcpdump, but we'll look into it.
Thanks. To clarify:
If there are ways to get more debug information I would be happy to do it. As the payload is staged, I have not found a way to get some log output.
Edit: removed wrong statement
It sounds like there's maybe a firewall in the way then; any mTLS authentication failures should appear in the logs. Try increasing the server's logging verbosity from 4 (default) to 5 in the ~/.sliver/configs/server.json file.
edit: A debug implant should still be writing output to the process's stdout, though I'm not sure if C# does something tricky with redirecting stdout
I already set it to 5:
INFO[2022-02-07T15:07:37+01:00] [sliver/server/c2/http.go:396] 10.10.11.1:53109 - /a.woff -
DEBU[2022-02-07T15:07:37+01:00] [sliver/server/c2/http.go:669] Stager request
INFO[2022-02-07T15:07:37+01:00] [sliver/server/c2/http.go:671] Received staging request from 10.10.11.1:53109
INFO[2022-02-07T15:07:43+01:00] [sliver/server/c2/http.go:673] Serving sliver shellcode (size 8206548) to 192.168.92.194:53109
There is no firewall issue; I tested an implant executable with the same settings and it is working fine.
I will check if I find a way to catch stdout somehow.
Sorry, I made a mistake previously: the staged payload is NOT contacting the C2 server at all; the traffic I was seeing was a remnant from an older test.
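The symptom described in this thread is a stage being served with no follow-up request from the client. The following script is an added example (not part of the issue thread and not Sliver's own code) that parses server log lines in the format shown above and flags served stages that are never followed by a request from the same address; the log text is a constructed copy of the lines quoted above, and the 60-second window is an assumed value.

```python
import re
from datetime import datetime, timedelta

# Constructed copy of the server log lines quoted in the thread.
LOG = """\
INFO[2022-02-07T15:07:37+01:00] [sliver/server/c2/http.go:396] 10.10.11.1:53109 - /a.woff -
DEBU[2022-02-07T15:07:37+01:00] [sliver/server/c2/http.go:669] Stager request
INFO[2022-02-07T15:07:37+01:00] [sliver/server/c2/http.go:671] Received staging request from 10.10.11.1:53109
INFO[2022-02-07T15:07:43+01:00] [sliver/server/c2/http.go:673] Serving sliver shellcode (size 8206548) to 192.168.92.194:53109
"""

# LEVEL[timestamp] [source:line] message
LINE_RE = re.compile(r"^(?P<level>[A-Z]{4})\[(?P<ts>[^\]]+)\] \[(?P<src>[^\]]+)\] (?P<msg>.*)$")
SERVE_RE = re.compile(r"Serving sliver shellcode \(size (?P<size>\d+)\) to (?P<ip>[\d.]+):(?P<port>\d+)")
REQ_RE = re.compile(r"^(?P<ip>[\d.]+):(?P<port>\d+) - (?P<path>\S+) -")


def parse_log(text):
    """Return a list of (timestamp, level, message) tuples for well-formed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])  # keeps the +01:00 offset
        events.append((ts, m["level"], m["msg"]))
    return events


def stages_without_callback(text, window=timedelta(seconds=60)):
    """Return (ip, size, served_at) for every served stage with no later
    HTTP request from the same ip inside the window (assumed 60 s)."""
    served, requests = [], []
    for ts, _level, msg in parse_log(text):
        s = SERVE_RE.search(msg)
        if s:
            served.append((s["ip"], int(s["size"]), ts))
            continue
        r = REQ_RE.match(msg)
        if r:
            requests.append((r["ip"], r["path"], ts))
    silent = []
    for ip, size, at in served:
        followed = any(rip == ip and at < rts <= at + window for rip, _p, rts in requests)
        if not followed:
            silent.append((ip, size, at))
    return silent


if __name__ == "__main__":
    for ip, size, at in stages_without_callback(LOG):
        print(f"stage of {size} bytes served to {ip} at {at.isoformat()} with no callback")
```

Running it against the quoted log reports the 8206548-byte stage served to 192.168.92.194 as having no follow-up, which matches what the reporter observed.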
@rkervella thoughts, maybe related to the switch from SRDI to Donut+PE?
I'll look into it this morning.
I think it's maybe related to the addition of OTP auth, will need to poke around more.
Yeah, I don't have a windows VM to play with right now so I'll test a bit later.
I'm also having a similar issue using Sliver for a course I'm taking right now. I confirmed I have a similar outcome when using the C# stager code from https://github.com/BishopFox/sliver/wiki/Stagers. It also happens with a process hollowing technique from here: https://gist.github.com/smgorelik/9a80565d44178771abf1e4da4e2a0e75.
Let me know if you need any help troubleshooting this. I have tcpdumps available of it grabbing a 2nd stage payload, but never actually beginning C2 communication.
I just didn't find the time lately to work on that. I'm pretty sure it's something easy to troubleshoot, just need to find the time to spin up a windows VM and work on it.
Updated the docs with a working stager code.
Describe the bug
Hi,
I am trying to get a staged payload running with the sample C# code provided in the doc. The staged payload is properly downloaded from the stage HTTP server.
To Reproduce
Steps to reproduce the behavior:
C# stager from the wiki, compiled in VS2019 with .NET 4.5, "any cpu" profile (default)
Staged payload is contacting the C2 server (seen in tcpdump, but nothing in sliver logs at debug level)
Edit: My bad, it was some leftover traffic from another test. The payload downloaded is NOT contacting the C2 server.
Result on the Windows PC:
The program '[4596] StagerSimple.exe' has exited with code 1073741855 (0x4000001f).
I also tried forcing the platform in VS to x64; in this case the stager crashes when copying the downloaded stage to unmanaged memory: